Optimized structure for Dockerfiles

Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/conf.d/99-zabbix.conf

@@ -0,0 +1,3 @@
+<IfModule !mpm_netware_module>
+    PidFile "/tmp/httpd.pid"
+</IfModule>

Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.conf

@@ -0,0 +1,9 @@
+include=/etc/php-fpm.d/*.conf
+
+[global]
+
+pid = /tmp/php-fpm.pid
+
+error_log = /dev/fd/2
+
+daemonize = no

Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf

@@ -0,0 +1,27 @@
+[zabbix]
+
+listen = /tmp/php-fpm.sock
+
+clear_env = no
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+
+slowlog = /dev/fd/1
+
+; php_admin_value[error_log] = /dev/fd/2
+php_admin_flag[log_errors] = on
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/session
+
+php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME}
+php_value[memory_limit] = ${ZBX_MEMORYLIMIT}
+php_value[post_max_size] = ${ZBX_POSTMAXSIZE}
+php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE}
+php_value[max_input_time] = ${ZBX_MAXINPUTTIME}
+php_value[max_input_vars] = 10000
+php_value[date.timezone] = ${PHP_TZ}

Dockerfiles/web-apache-mysql/centos/conf/etc/supervisor/conf.d/supervisord_zabbix.conf

@@ -0,0 +1,30 @@
+[supervisord]
+nodaemon = true
+
+[program:httpd]
+command = /usr/sbin/%(program_name)s -D FOREGROUND
+auto_start = true
+autorestart = true
+
+startsecs=2
+startretries=3
+stopsignal=TERM
+stopwaitsecs=2
+
+redirect_stderr=true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
+
+[program:php-fpm]
+command = /usr/sbin/%(program_name)s -F -y /etc/%(program_name)s.conf
+auto_start = true
+autorestart = true
+
+startsecs=2
+startretries=3
+stopsignal=TERM
+stopwaitsecs=2
+
+redirect_stderr=true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0

Dockerfiles/web-apache-mysql/centos/conf/etc/supervisor/supervisord.conf

@@ -0,0 +1,35 @@
+; supervisor config file
+
+[unix_http_server]
+file = /tmp/supervisor.sock        ; (the path to the socket file)
+chmod = 0700                       ; sockef file mode (default 0700)
+username = zbx
+password = password
+
+[supervisord]
+logfile = /dev/stdout                        ; (main log file;default $CWD/supervisord.log)
+pidfile = /tmp/supervisord.pid               ; (supervisord pidfile;default supervisord.pid)
+childlogdir = /tmp                           ; ('AUTO' child log dir, default $TEMP)
+critical = critical
+;user = zabbix
+logfile_maxbytes = 0
+logfile_backupcount = 0
+loglevel = info
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl = unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
+
+[include]
+files = /etc/supervisor/conf.d/*.conf

Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf

@@ -0,0 +1,65 @@
+<VirtualHost *:8080>
+    DocumentRoot /usr/share/zabbix/
+    ServerName zabbix
+    DirectoryIndex index.php
+    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
+    AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+
+        <FilesMatch \.(php|phar)$>
+            SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+        </FilesMatch>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/locale">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/vendor">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+</VirtualHost>

Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf

@@ -0,0 +1,90 @@
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+
+Listen 8443
+
+    <VirtualHost *:8443>
+        DocumentRoot /usr/share/zabbix/
+        ServerName zabbix
+        DirectoryIndex index.php
+
+        AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
+        AddType application/x-httpd-php-source .phps
+
+        # Enable/Disable SSL for this virtual host.
+        SSLEngine on
+
+        # intermediate configuration
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        SSLHonorCipherOrder     off
+        SSLSessionTickets       off
+
+        SSLCertificateFile /etc/ssl/apache2/ssl.crt
+        SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
+        # SSLCACertificatePath /etc/ssl/apache2/chain/
+
+        # enable HTTP/2, if available
+        Protocols h2 http/1.1
+
+        # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
+        Header always set Strict-Transport-Security "max-age=63072000"
+
+        <Directory "/usr/share/zabbix">
+            Options FollowSymLinks
+            AllowOverride None
+            Require all granted
+
+            <FilesMatch \.(php|phar)$>
+                SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+            </FilesMatch>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/conf">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/app">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/include">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/local">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/locale">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/vendor">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+    </VirtualHost>

Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/maintenance.inc.php

@@ -0,0 +1,32 @@
+<?php
+/*
+** Zabbix
+** Copyright (C) 2001-2016 Zabbix SIA
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+**/
+
+
+// Maintenance mode
+if (getenv('ZBX_DENY_GUI_ACCESS') == 'true') {
+    define('ZBX_DENY_GUI_ACCESS', 1);
+
+    // IP range, who are allowed to connect to FrontEnd
+    $ip_range = str_replace("'","\"",getenv('ZBX_GUI_ACCESS_IP_RANGE'));
+    $ZBX_GUI_ACCESS_IP_RANGE = (json_decode($ip_range)) ? json_decode($ip_range, true) : array();
+
+    // MSG shown on Warning screen!
+    $_REQUEST['warning_msg'] = getenv('ZBX_GUI_WARNING_MSG');
+}

Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php

@@ -0,0 +1,50 @@
+<?php
+// Zabbix GUI configuration file.
+global $DB, $HISTORY;
+
+$DB['TYPE']     = getenv('DB_SERVER_TYPE');
+$DB['SERVER']   = getenv('DB_SERVER_HOST');
+$DB['PORT']     = getenv('DB_SERVER_PORT');
+$DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
+$DB['USER']     = getenv('DB_SERVER_USER');
+$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+
+// Schema name. Used for IBM DB2 and PostgreSQL.
+$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
+
+$ZBX_SERVER      = getenv('ZBX_SERVER_HOST');
+$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT');
+$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME');
+
+// Used for TLS connection.
+$DB['ENCRYPTION']		= getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false;
+$DB['KEY_FILE']			= getenv('ZBX_DB_KEY_FILE');
+$DB['CERT_FILE']		= getenv('ZBX_DB_CERT_FILE');
+$DB['CA_FILE']			= getenv('ZBX_DB_CA_FILE');
+$DB['VERIFY_HOST']		= getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
+$DB['CIPHER_LIST']		= getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+
+// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
+// This option is enabled by default for new Zabbix installations.
+// For upgraded installations, please read database upgrade notes before enabling this option.
+$DB['DOUBLE_IEEE754']	= getenv('DB_DOUBLE_IEEE754') == 'true' ? true: false;
+
+
+$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
+
+// Elasticsearch url (can be string if same url is used for all types).
+$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL'));
+$HISTORY['url']   = (json_decode($history_url)) ? json_decode($history_url, true) : $history_url;
+// Value types stored in Elasticsearch.
+$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
+
+$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+$SSO['SP_KEY']			= file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
+$SSO['SP_CERT']			= file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
+$SSO['IDP_CERT']		= file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
+
+$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
+$SSO['SETTINGS']		= (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();