csaeum
1
Solve proxy_set_header via Traefik
I ran Zammad under a subdomain via Traefik.
After the first login, no further logins are possible; the message "CSRF Token verification failed" always appears.
According to the Zammad forum: https://community.zammad.org/t/fresh-install-3-2-x-csrf-token-verification-failed/3080/17
or
https://community.zammad.org/t/fresh-install-3-2-x-csrf-token-verification-failed/3080/20
I would have to add this to NGINX:
```nginx
proxy_set_header X-Forwarded-Proto https;
```
My question is: can I also solve this via Traefik?
LFACHE
2
Hi,
Yes, you can add custom headers via Traefik:
https://docs.traefik.io/middlewares/headers/
In your case, try:
```yaml
- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto=https"
```
And use the middleware.
csaeum
3
Thank you for your help
I have now tried to implement it as follows.
Even after 2-3 attempts with testHeader and the name of the middleware, I still get the error.
I have to admit that I still have problems with the names as in your example testHeader.
I will send you my 2 yml files; maybe with them you can help me better.
My docker-compose file:
```yaml
version: "2"
services:
  traefik:
    image: traefik:v2.1
    container_name: Traefik
    command:
      - "--log.level=INFO"
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=infos@leder-stoffe-online.de"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      traefik.enable: true
      # Routers
      traefik.http.routers.traefik.rule: Host(`traefik.leder-stoffe-online.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.middlewares: traefik-auth
      # global redirect to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      # Middleware
      traefik.http.middlewares.traefik-auth.basicauth.removeheader: true
      traefik.http.middlewares.traefik-auth.basicauth.users: csaeum:$$1$$X[kMyb^l$$Npy/uslnNuMB4pK0focS00
      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
  portainer:
    image: portainer/portainer
    container_name: Portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      traefik.enable: true
      # Routers
      traefik.http.routers.portainer.rule: Host(`portainer.leder-stoffe-online.de`)
      traefik.http.routers.portainer.entrypoints: websecure
      traefik.http.routers.portainer.tls.certresolver: myresolver
      traefik.http.routers.portainer.service: portainer_svc
      traefik.http.services.portainer_svc.loadBalancer.server.port: 9000
  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
    entrypoint: /usr/local/bin/backup.sh
    environment:
      - BACKUP_SLEEP=86400
      - HOLD_DAYS=10
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    links:
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-backup:/var/tmp/zammad
      - zammad-data:/opt/zammad
  zammad-elasticsearch:
    environment:
      - discovery.type=single-node
    image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
    restart: ${RESTART}
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-postgresql
    restart: on-failure
    volumes:
      - zammad-data:/opt/zammad
  zammad-memcached:
    command: memcached -m 256M
    image: memcached:1.5.22-alpine
    restart: ${RESTART}
  zammad-nginx:
    command: ["zammad-nginx"]
    expose:
      - "80"
    depends_on:
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-railsserver
      - zammad-websocket
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad
  zammad-postgresql:
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    restart: ${RESTART}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
  zammad-railsserver:
    command: ["zammad-railsserver"]
    depends_on:
      - zammad-memcached
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad
  zammad-scheduler:
    command: ["zammad-scheduler"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad
  zammad-websocket:
    command: ["zammad-websocket"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-postgresql
      - zammad-memcached
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad
volumes:
  portainer_data:
  elasticsearch-data:
    driver: local
  postgresql-data:
    driver: local
  zammad-backup:
    driver: local
  zammad-data:
    driver: local
```
My docker-compose.override:
In the override file I also added the NGINX container.
```yaml
version: '2'
services:
  zammad-backup:
    container_name: Zammad-Backup
  zammad-elasticsearch:
    container_name: Zammad-ElasticSearch
  zammad-init:
    container_name: Zammad-Init
  zammad-memcached:
    container_name: Zammad-MemCached
  zammad-postgresql:
    container_name: Zammad-PostgreSQL
  zammad-railsserver:
    container_name: Zammad-RailsServer
  zammad-scheduler:
    container_name: Zammad-Scheduler
  zammad-websocket:
    container_name: Zammad-WebSocket
  zammad-nginx:
    container_name: Zammad-NGINX
    labels:
      traefik.enable: true
      # Routers
      traefik.http.routers.zammad-nginx.rule: Host(`service.leather-fabrics-online.com`)
      traefik.http.routers.zammad-nginx.entrypoints: websecure
      traefik.http.routers.zammad-nginx.tls.certresolver: myresolver
      traefik.http.routers.zammad-nginx.service: zammad_svc
      traefik.http.services.zammad_svc.loadBalancer.server.port: 80
      traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto: https
```
LFACHE
4
The declaration of the middleware is fine, but you need to use it:
```yaml
traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto: https
traefik.http.routers.zammad-nginx.middlewares: testHeader
```
You can check if the header is really passed with Firefox, for example.
csaeum
5
Ok I used it as you wrote it.
Under Traefik I can also see this in the menu http.
But Zammad still doesn't let me log in.
I can't find a solution to this in the Zammad Forum.
How can I see in Firefox that it is really running properly? In the developer tools?
1 Like
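A request header that Traefik adds on the way to the backend is not among the headers the browser sent, so it has to be observed on the upstream side. The following added example (not code from this thread, Traefik or Zammad) is a small echo server to run in place of the backend; the port 8080, the `forwarded_report` helper and the sample header values are assumptions made for illustration.

```python
"""Added diagnostic: echo the forwarding headers a reverse proxy delivers."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

FORWARD_HEADERS = ("Host", "X-Forwarded-Proto", "X-Forwarded-Host",
                   "X-Forwarded-Port", "X-Forwarded-For")


def forwarded_report(headers):
    """Summarise the forwarding headers of one request.

    `headers` is any mapping of header name -> value; names are matched
    case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    seen = {h: lowered[h.lower()] for h in FORWARD_HEADERS if h.lower() in lowered}
    # A chain of proxies may deliver a comma-separated list; keep every value.
    raw = seen.get("X-Forwarded-Proto", "")
    protos = [p.strip().lower() for p in raw.split(",") if p.strip()]
    return {
        "headers": seen,
        "proto_values": protos,
        # True only when every value says https, so a mixed list is flagged.
        "https_signalled": bool(protos) and all(p == "https" for p in protos),
    }


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        report = forwarded_report(dict(self.headers.items()))
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample header sets: one signalling http, one signalling https.
SAMPLE_HTTP = {"Host": "service.example.test", "X-Forwarded-Proto": "http"}
SAMPLE_HTTPS = {"host": "service.example.test", "x-forwarded-proto": "https"}

if __name__ == "__main__":
    # Assumed port; point the service's loadBalancer.server.port label at it.
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

Run it in a container with the same router and middleware labels as the real service, request the hostname over HTTPS and read the JSON. It reports only what arrives at that hop; a proxy between that hop and the application can still rewrite the header.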
7tobias
6
I also had the CSRF token verification error - took me a while to figure out what to do.
I wrote my solution here: