Optimized structure for Dockerfiles

This commit is contained in:
Alexey Pustovalov
2021-10-05 18:59:11 +02:00
565 changed files with 550 additions and 602 deletions

View File

@@ -0,0 +1,74 @@
server {
listen 8080;
listen [::]:8080;
server_name zabbix;
index index.php;
access_log /dev/fd/1 main;
error_log /dev/fd/2 notice;
set $webroot '/usr/share/zabbix';
root $webroot;
large_client_header_buffers 8 8k;
client_max_body_size 10M;
location = /favicon.ico {
log_not_found off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# caching of files
location ~* \.ico$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d;
}
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout {FCGI_READ_TIMEOUT};
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}

View File

@@ -0,0 +1,101 @@
server {
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
server_name zabbix;
server_name_in_redirect off;
index index.php;
access_log /dev/fd/1 main;
error_log /dev/fd/2 error;
set $webroot '/usr/share/zabbix';
root $webroot;
large_client_header_buffers 8 8k;
client_max_body_size 10M;
ssl_certificate /etc/ssl/nginx/ssl.crt;
ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location = /favicon.ico {
log_not_found off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# caching of files
location ~* \.ico$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d;
}
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout {FCGI_READ_TIMEOUT};
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}

View File

@@ -0,0 +1,32 @@
<?php
/*
** Zabbix
** Copyright (C) 2001-2016 Zabbix SIA
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
**/
// Maintenance mode
if (getenv('ZBX_DENY_GUI_ACCESS') == 'true') {
define('ZBX_DENY_GUI_ACCESS', 1);
// IP range, who are allowed to connect to FrontEnd
$ip_range = str_replace("'","\"",getenv('ZBX_GUI_ACCESS_IP_RANGE'));
$ZBX_GUI_ACCESS_IP_RANGE = (json_decode($ip_range)) ? json_decode($ip_range, true) : array();
// MSG shown on Warning screen!
$_REQUEST['warning_msg'] = getenv('ZBX_GUI_WARNING_MSG');
}

View File

@@ -0,0 +1,50 @@
<?php
// Zabbix GUI configuration file.
global $DB, $HISTORY;
$DB['TYPE'] = getenv('DB_SERVER_TYPE');
$DB['SERVER'] = getenv('DB_SERVER_HOST');
$DB['PORT'] = getenv('DB_SERVER_PORT');
$DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
$DB['USER'] = getenv('DB_SERVER_USER');
$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
// Schema name. Used for IBM DB2 and PostgreSQL.
$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
$ZBX_SERVER = getenv('ZBX_SERVER_HOST');
$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT');
$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME');
// Used for TLS connection.
$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false;
$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE');
$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE');
$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? true: false;
$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
// Elasticsearch url (can be string if same url is used for all types).
$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL'));
$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url, true) : $history_url;
// Value types stored in Elasticsearch.
$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();