Install Zammad on Debian 9

zammad

Last post was a nice intro on how I’ve found Zammad, an open source, nice looking support ticket system. Will it handle all the requirements I’ve set in last post and be ‘the one’?

Let me immediately spoil that for you: it’s almost perfect and Zammad will be my choice for sure. Installing it is very simple, I can’t believe how easy the developers made it to get it up and running at your own domain and VPS.

Let me first state the only point what lacks for me in this system and that is the lack of a responsiveness: it would look good on a mobile and some tablets. They are working on it though.

Installation is simple and their documentation tell us how! But let me summarise it for you for Debian 9.

First step is checking and setting the locale to UTF-8:

# locale

If its not UTF-8, change it to it:

# apt install locales
# locale-gen en_US.UTF-8
# echo "LANG=en_US.UTF-8" > /etc/default/locale

Second is installing Elasticsearch that is, unfortunately, a bit heavy on the dependencies, but nothing we can do about that. Configure the correct repo and key and install the software:

# echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# apt update
# apt install openjdk-8-jre elasticsearch

Install the needed plugin and start and enable elasticsearch:

# /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-attachment
# systemctl restart elasticsearch
# systemctl enable elasticsearch

Now configure the correct Zammad repo and key and install the software:

 # wget -qO- https://dl.packager.io/srv/zammad/zammad/key | sudo apt-key add -
# wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/9.repo
# apt update
# apt install zammad

This will do absolutely everything for you: software, user, group, even the database and Nginx config. Awesome. We’ll be changing the Nginx config though to the correct server_name and we of course need SSL.

# cd /etc/nginx/sites-available
# mv zammad.conf support.yourdomain.com.conf
# cd /etc/nginx/sites-enabled
# rm zammad.conf
# ln -s /etc/nginx/sites-available/support.yourdomain.com.conf /etc/nginx/sites-enabled/

Update: Noteworthy is, that every zammad update, the zammad.conf file will be recreated when it doesn’t exist. When you update often, you’d probably want to just leave the file there and change it, but don’t rename it.

The actual Nginx configuration can be changed to the below, but this is my preferred setup and maybe does not apply to you. At least it has SSL and uses a modern, secure configuration. You’ll need SSL certificates and some knowledge how to set it up of course. Here’s an old post.

My support.yourdomain.com.conf contents:

upstream zammad-railsserver {
server localhost:3000;
}

upstream zammad-websocket {
server localhost:6042;
}

server {
listen 80;
listen [::]:80;
server_name support.yourdomain.com;
access_log /var/log/nginx/support.yourdomain.com.access.log;
error_log /var/log/nginx/support.yourdomain.com.error.log;
return 301 https://support.yourdomain.com$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name support.yourdomain.com;
ssl_certificate /etc/ssl/public/wildcard.yourdomain.com.crt;
ssl_certificate_key /etc/ssl/private/wildcard.yourdomain.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
root /opt/zammad/public;
index index.html;
access_log /var/log/nginx/support.yourdomain.com.access.log;
error_log /var/log/nginx/support.yourdomain.com.error.log;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;

add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Strict-Transport-Security max-age=15768000;
add_header X-Content-Type-Options nosniff;
add_header X-Download-Options noopen;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-XSS-Protection "1; mode=block";

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/public/wildcard.yourdomain.com.ca.crt;

client_max_body_size 50M;

location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
    expires max;
}

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
    gzip_proxied any;
}
}

Test your config and restart your webserver:

# nginx -t
# systemctl restart nginx

If everything went OK, and it should, you can surf to the web setup to complete your config there: https://support.yourdomain.com

You can check our and manage the Zammad process with:

# systemctl status zammad
# systemctl stop zammad
# systemctl start zammad
# systemctl restart zammad

Or one of its individual services:

# systemctl status zammad-web
# systemctl status zammad-worker
# systemctl status zammad-websocket

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.