From 240792fe17d53345f0a30ee60745a1fd30573f50 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Tue, 6 Feb 2024 17:54:37 +0900 Subject: [PATCH] Added EXPOSE_WEB_SERVER_INFO variable to control web server / php versions expose --- Dockerfiles/web-apache-mysql/README.md | 6 +++++- .../alpine/conf/etc/php7/conf.d/99-zabbix.ini | 2 ++ .../alpine/docker-entrypoint.sh | 18 +++++++++++++++++- .../centos/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../centos/docker-entrypoint.sh | 18 +++++++++++++++++- .../ol/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../web-apache-mysql/ol/docker-entrypoint.sh | 18 +++++++++++++++++- .../etc/php/7.4/apache2/conf.d/99-zabbix.ini | 2 ++ .../ubuntu/docker-entrypoint.sh | 18 +++++++++++++++++- Dockerfiles/web-apache-pgsql/README.md | 6 +++++- .../alpine/conf/etc/php7/conf.d/99-zabbix.ini | 2 ++ .../alpine/docker-entrypoint.sh | 18 +++++++++++++++++- .../centos/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../centos/docker-entrypoint.sh | 18 +++++++++++++++++- .../ol/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../web-apache-pgsql/ol/docker-entrypoint.sh | 18 +++++++++++++++++- .../etc/php/7.4/apache2/conf.d/99-zabbix.ini | 2 ++ .../ubuntu/docker-entrypoint.sh | 18 +++++++++++++++++- Dockerfiles/web-nginx-mysql/README.md | 6 +++++- .../alpine/conf/etc/nginx/nginx.conf | 2 +- .../alpine/conf/etc/php7/php-fpm.d/zabbix.conf | 3 +++ .../alpine/docker-entrypoint.sh | 17 ++++++++++++++--- .../centos/conf/etc/nginx/nginx.conf | 2 +- .../centos/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../centos/docker-entrypoint.sh | 17 ++++++++++++++--- .../ol/conf/etc/nginx/nginx.conf | 2 +- .../ol/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../web-nginx-mysql/ol/docker-entrypoint.sh | 17 ++++++++++++++--- .../rhel/conf/etc/nginx/nginx.conf | 2 +- .../rhel/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../web-nginx-mysql/rhel/docker-entrypoint.sh | 17 ++++++++++++++--- .../ubuntu/conf/etc/nginx/nginx.conf | 2 +- .../conf/etc/php/7.4/fpm/pool.d/zabbix.conf | 3 +++ .../ubuntu/docker-entrypoint.sh | 17 ++++++++++++++--- Dockerfiles/web-nginx-pgsql/README.md | 6 
+++++- .../alpine/conf/etc/nginx/nginx.conf | 2 +- .../alpine/conf/etc/php7/php-fpm.d/zabbix.conf | 3 +++ .../alpine/docker-entrypoint.sh | 17 ++++++++++++++--- .../centos/conf/etc/nginx/nginx.conf | 2 +- .../centos/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../ol/conf/etc/nginx/nginx.conf | 2 +- .../ol/conf/etc/php-fpm.d/zabbix.conf | 3 +++ .../ubuntu/conf/etc/nginx/nginx.conf | 2 +- .../conf/etc/php/7.4/fpm/pool.d/zabbix.conf | 3 +++ env_vars/.env_web | 1 + 45 files changed, 297 insertions(+), 39 deletions(-) diff --git a/Dockerfiles/web-apache-mysql/README.md b/Dockerfiles/web-apache-mysql/README.md index e881b7bc5..b8f36ebd8 100644 --- a/Dockerfiles/web-apache-mysql/README.md +++ b/Dockerfiles/web-apache-mysql/README.md @@ -134,12 +134,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av ### `ENABLE_WEB_ACCESS_LOG` -The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output. +The variable sets the Access Log directive for Web server. By default, value corresponds to standard output. ### `HTTP_INDEX_FILE` The variable controls default index page. By default, `index.php`. +### `EXPOSE_WEB_SERVER_INFO` + +The variable allows to hide Web server and PHP versions. By default, `on`. + ### `ZBX_MAXEXECUTIONTIME` The varable is PHP ``max_execution_time`` option. By default, value is `300`. diff --git a/Dockerfiles/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini b/Dockerfiles/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini index 5dfff39cd..e180720b9 100644 --- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini +++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini @@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 max_input_vars = 10000 date.timezone = ${PHP_TZ} +; https://www.php.net/manual/en/security.hiding.php +expose_php = ${EXPOSE_WEB_SERVER_INFO} 
diff --git a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh index a763da4ba..4c2b20431 100755 --- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/apache2/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -218,8 +220,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/apache2/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh index 15fe524a9..05d523415 100755 --- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh 
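Review bot: The `[ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]` test added to prepare_zbx_web_config matches only the exact lowercase string, so `OFF`, `Off`, `false` or `0` fall into the `else` branch and are silently rewritten to `on`, leaving Apache and PHP version disclosure enabled when the operator asked to hide it. The neighbouring `ENABLE_WEB_ACCESS_LOG` check already lowercases with `${VAR,,}`; doing the same here, `if [ "${EXPOSE_WEB_SERVER_INFO,,}" = "off" ]; then` followed by `EXPOSE_WEB_SERVER_INFO="off"`, keeps the toggle consistent, and an unrecognised value is better logged than coerced to `on`. The same block is repeated in the centos, ol and ubuntu entrypoints of web-apache-mysql and in all four web-apache-pgsql entrypoints, and the nginx entrypoints use the equivalent `[[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]]` test. The function body starts outside the hunk.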
@@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -234,8 +236,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/httpd/conf/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-mysql/ol/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-apache-mysql/ol/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-apache-mysql/ol/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh index 15fe524a9..05d523415 100755 --- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' 
@@ -234,8 +236,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/httpd/conf/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini index 5dfff39cd..e180720b9 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini +++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini @@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 max_input_vars = 10000 date.timezone = ${PHP_TZ} +; https://www.php.net/manual/en/security.hiding.php +expose_php = ${EXPOSE_WEB_SERVER_INFO} diff --git a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh index 52c264b59..d383f5f3a 100755 --- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/apache2/apache2.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' 
@@ -218,11 +220,25 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/apache2/apache2.conf" + "$HTTPD_CONF_FILE" sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ "/etc/apache2/conf-available/other-vhosts-access-log.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-pgsql/README.md b/Dockerfiles/web-apache-pgsql/README.md index 745fc1c11..eca02da6b 100644 --- a/Dockerfiles/web-apache-pgsql/README.md +++ b/Dockerfiles/web-apache-pgsql/README.md @@ -138,12 +138,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av ### `ENABLE_WEB_ACCESS_LOG` -The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output. +The variable sets the Access Log directive for Web server. By default, value corresponds to standard output. ### `HTTP_INDEX_FILE` The variable controls default index page. By default, `index.php`. +### `EXPOSE_WEB_SERVER_INFO` + +The variable allows to hide Web server and PHP versions. By default, `on`. + ### `ZBX_MAXEXECUTIONTIME` The varable is PHP ``max_execution_time`` option. By default, value is `300`. diff --git a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini index 5dfff39cd..e180720b9 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini +++ b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini 
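Review bot: Both new `sed` calls only rewrite `ServerTokens` / `ServerSignature` lines that already exist in `$HTTPD_CONF_FILE`, and on Debian/Ubuntu packaging those directives normally live in `/etc/apache2/conf-available/security.conf` rather than `apache2.conf`, so on this image `EXPOSE_WEB_SERVER_INFO=off` may change nothing for Apache while appearing to succeed. The hunk itself shows the image uses the split layout, since `CustomLog` is also patched in `conf-available/other-vhosts-access-log.conf`. I would confirm which file carries the directives in the built image, point the substitutions at it, and check the result afterwards, e.g. `grep -Eq '^\s*ServerTokens\s+Prod' "$HTTPD_CONF_FILE" || echo "ServerTokens not updated" >&2`. The same applies to web-apache-pgsql/ubuntu, and it is worth verifying for the alpine, centos and ol `httpd.conf` files too. The function body starts outside the hunk.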
@@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 max_input_vars = 10000 date.timezone = ${PHP_TZ} +; https://www.php.net/manual/en/security.hiding.php +expose_php = ${EXPOSE_WEB_SERVER_INFO} diff --git a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh index de5d1ac97..90fbcbafc 100755 --- a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/apache2/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -205,8 +207,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/apache2/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no 
diff --git a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh index 95541d891..b44b5abd8 100755 --- a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -221,8 +223,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/httpd/conf/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-apache-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-apache-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-apache-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh index 95541d891..b44b5abd8 100755 --- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh 
@@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -221,8 +223,22 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/httpd/conf/httpd.conf" + "$HTTPD_CONF_FILE" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini index 5dfff39cd..e180720b9 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini +++ b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini @@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 max_input_vars = 10000 date.timezone = ${PHP_TZ} +; https://www.php.net/manual/en/security.hiding.php +expose_php = ${EXPOSE_WEB_SERVER_INFO} diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh index c3602ce35..7945b4783 100755 --- a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh 
@@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Apache main configuration file +HTTPD_CONF_FILE="/etc/apache2/apache2.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -209,11 +211,25 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ - "/etc/apache2/apache2.conf" + "$HTTPD_CONF_FILE" sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \ "/etc/apache2/conf-available/other-vhosts-access-log.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then + sed -i \ + -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \ + "$HTTPD_CONF_FILE" + else + EXPOSE_WEB_SERVER_INFO="on" + fi + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \ + "$HTTPD_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-mysql/README.md b/Dockerfiles/web-nginx-mysql/README.md index 6951c025b..93b394993 100644 --- a/Dockerfiles/web-nginx-mysql/README.md +++ b/Dockerfiles/web-nginx-mysql/README.md @@ -135,12 +135,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av ### `ENABLE_WEB_ACCESS_LOG` -The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output. +The variable sets the Access Log directive for Web server. By default, value corresponds to standard output. ### `HTTP_INDEX_FILE` The variable controls default index page. By default, `index.php`. +### `EXPOSE_WEB_SERVER_INFO` + +The variable allows to hide Web server and PHP versions. By default, `on`. + ### `ZBX_MAXEXECUTIONTIME` The varable is PHP ``max_execution_time`` option. By default, value is `300`. 
diff --git a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf index 75f0f9a1b..f40a71604 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/http.d/*.conf; } diff --git a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh index fb64d1099..5807f5d9f 100755 --- a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' 
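Review bot: Replacing the hard-coded `server_tokens off;` with a placeholder whose documented default is `on` flips the nginx images from hiding the version to advertising it, so anyone upgrading without setting the new variable loses hardening they had before. Unless that is intended, I would keep the nginx default at `off` (for example `: ${EXPOSE_WEB_SERVER_INFO:="off"}` in the nginx entrypoints) or call the behaviour change out explicitly in the README. The same one-line change appears in the centos, ol, rhel and ubuntu nginx.conf files of web-nginx-mysql and in the web-nginx-pgsql nginx.conf files.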
@@ -249,14 +251,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-mysql/centos/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-mysql/centos/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-mysql/centos/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/centos/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh index 25b56706b..45b8e325f 100755 --- a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh 
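Review bot: The `sed -i` that fills in `{EXPOSE_WEB_SERVER_INFO}` has no check that it worked, and the shipped nginx.conf is not valid until it does: if `$NGINX_CONF_FILE` is not writable (read-only root filesystem or a read-only mounted config) the literal placeholder reaches nginx and `server_tokens` fails to parse, and if an operator mounts their own nginx.conf without the placeholder the variable silently has no effect on nginx. A guard after the substitution such as `grep -q '{EXPOSE_WEB_SERVER_INFO}' "$NGINX_CONF_FILE" && echo "server_tokens placeholder was not rendered" >&2` would make the first case visible, and the README could state the second. The same block is repeated in the centos, ol, rhel and ubuntu entrypoints of web-nginx-mysql and in web-nginx-pgsql/alpine. prepare_zbx_web_config starts outside the hunk.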
+++ b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -249,14 +251,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-mysql/ol/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-mysql/ol/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-mysql/ol/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/ol/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-mysql/ol/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-mysql/ol/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-mysql/ol/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-mysql/ol/conf/etc/php-fpm.d/zabbix.conf 
@@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh index 25b56706b..45b8e325f 100755 --- a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -249,14 +251,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } 
diff --git a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh index dbc6a23de..e2550bb3d 100755 --- a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -249,14 +251,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 
--- a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf +++ b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh index 056ba9e81..31ada1678 100755 --- a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' 
@@ -249,14 +251,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# diff --git a/Dockerfiles/web-nginx-pgsql/README.md b/Dockerfiles/web-nginx-pgsql/README.md index 5f4de91ec..ef31b63e1 100644 --- a/Dockerfiles/web-nginx-pgsql/README.md +++ b/Dockerfiles/web-nginx-pgsql/README.md @@ -138,12 +138,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av ### `ENABLE_WEB_ACCESS_LOG` -The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output. +The variable sets the Access Log directive for Web server. By default, value corresponds to standard output. ### `HTTP_INDEX_FILE` The variable controls default index page. By default, `index.php`. +### `EXPOSE_WEB_SERVER_INFO` + +The variable allows to hide Web server and PHP versions. By default, `on`. + ### `ZBX_MAXEXECUTIONTIME` The varable is PHP ``max_execution_time`` option. By default, value is `300`. diff --git a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/nginx/nginx.conf index 75f0f9a1b..f40a71604 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/nginx/nginx.conf 
@@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/http.d/*.conf; } diff --git a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh index f281aa2cc..9f7cf1f6e 100755 --- a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh @@ -25,6 +25,8 @@ fi ZABBIX_ETC_DIR="/etc/zabbix" # Web interface www-root directory ZABBIX_WWW_ROOT="/usr/share/zabbix" +# Nginx main configuration file +NGINX_CONF_FILE="/etc/nginx/nginx.conf" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -236,14 +238,23 @@ prepare_zbx_web_config() { if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/nginx/nginx.conf" + "$NGINX_CONF_FILE" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx.conf" + "$ZABBIX_ETC_DIR/nginx.conf" sed -ri \ -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "/etc/zabbix/nginx_ssl.conf" + "$ZABBIX_ETC_DIR/nginx_ssl.conf" fi + + : ${EXPOSE_WEB_SERVER_INFO:="on"} + + [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" + + export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} + sed -i \ + -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ + "$NGINX_CONF_FILE" } ################################################# 
diff --git a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf +++ b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no 
diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/nginx/nginx.conf b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/nginx/nginx.conf index 6bc8c1739..7c96929b0 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/nginx/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/nginx/nginx.conf @@ -65,7 +65,7 @@ http { ignore_invalid_headers on; index index.php; - server_tokens off; + server_tokens {EXPOSE_WEB_SERVER_INFO}; include /etc/nginx/conf.d/*.conf; } diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf index 8b2e1d9e1..05dc3ec2b 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf @@ -1,5 +1,8 @@ [zabbix] +; https://www.php.net/manual/en/security.hiding.php +php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO} + listen = /tmp/php-fpm.sock clear_env = no diff --git a/env_vars/.env_web b/env_vars/.env_web index 07a61e380..ec052561e 100644 --- a/env_vars/.env_web +++ b/env_vars/.env_web @@ -23,6 +23,7 @@ ZBX_SERVER_NAME=Composed installation # ZBX_GUI_ACCESS_IP_RANGE=['127.0.0.1'] # ZBX_GUI_WARNING_MSG=Zabbix is under maintenance. # HTTP_INDEX_FILE=index.php +# EXPOSE_WEB_SERVER_INFO=on # PHP_FPM_PM=dynamic # PHP_FPM_PM_MAX_CHILDREN=50