From 39b04c8215e8292f12cde84a748426283328918e Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Thu, 26 Jun 2025 17:08:19 +0900 Subject: [PATCH] Added encryption support between server and frontend --- Dockerfiles/proxy-mysql/README.md | 1 + Dockerfiles/proxy-sqlite3/README.md | 2 +- Dockerfiles/server-mysql/README.md | 5 ++ Dockerfiles/server-pgsql/README.md | 5 ++ Dockerfiles/web-apache-mysql/README.md | 14 ++++ .../web-apache-mysql/alpine/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../alpine/docker-entrypoint.sh | 27 +++++++ .../web-apache-mysql/centos/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../centos/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-apache-mysql/ol/Dockerfile | 11 ++- .../ol/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-apache-mysql/ol/docker-entrypoint.sh | 27 +++++++ .../web-apache-mysql/ubuntu/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../ubuntu/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-apache-pgsql/README.md | 14 ++++ .../web-apache-pgsql/alpine/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../alpine/docker-entrypoint.sh | 29 +++++++- .../web-apache-pgsql/centos/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../centos/docker-entrypoint.sh | 29 +++++++- Dockerfiles/web-apache-pgsql/ol/Dockerfile | 11 ++- .../ol/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-apache-pgsql/ol/docker-entrypoint.sh | 51 +++++++------ .../web-apache-pgsql/ubuntu/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../ubuntu/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-mysql/README.md | 14 ++++ Dockerfiles/web-nginx-mysql/alpine/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../alpine/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-mysql/centos/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../centos/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-mysql/ol/Dockerfile | 11 ++- 
.../ol/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-nginx-mysql/ol/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-mysql/rhel/Dockerfile | 11 ++- .../rhel/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-nginx-mysql/rhel/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../ubuntu/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-pgsql/README.md | 14 ++++ Dockerfiles/web-nginx-pgsql/alpine/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../alpine/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-pgsql/centos/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../centos/docker-entrypoint.sh | 74 +++++++------------ Dockerfiles/web-nginx-pgsql/ol/Dockerfile | 11 ++- .../ol/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-nginx-pgsql/ol/docker-entrypoint.sh | 74 +++++++------------ Dockerfiles/web-nginx-pgsql/rhel/Dockerfile | 11 ++- .../rhel/conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../web-nginx-pgsql/rhel/docker-entrypoint.sh | 27 +++++++ Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile | 11 ++- .../conf/etc/zabbix/web/zabbix.conf.php | 7 ++ .../ubuntu/docker-entrypoint.sh | 74 +++++++------------ compose_zabbix_components.yaml | 2 + config_templates/proxy/zabbix_proxy_tls.conf | 10 +++ config_templates/server/zabbix_server.conf | 1 + .../server/zabbix_server_frontend.conf | 45 +++++++++++ .../server/zabbix_server_tls.conf | 10 +++ env_vars/.env_prx | 1 + env_vars/.env_srv | 7 +- env_vars/.env_web | 9 +++ 70 files changed, 890 insertions(+), 243 deletions(-) create mode 100644 config_templates/server/zabbix_server_frontend.conf diff --git a/Dockerfiles/proxy-mysql/README.md b/Dockerfiles/proxy-mysql/README.md index 87d8be7f0..a0e4074e2 100644 --- a/Dockerfiles/proxy-mysql/README.md +++ b/Dockerfiles/proxy-mysql/README.md 
@@ -219,6 +219,7 @@ ZBX_UNREACHABLEPERIOD=45 ZBX_UNAVAILABLEDELAY=60 ZBX_UNREACHABLEDELAY=15 ZBX_LOGSLOWQUERIES=3000 +ZBX_TLSLISTEN= # Available since 7.4.0 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= diff --git a/Dockerfiles/proxy-sqlite3/README.md b/Dockerfiles/proxy-sqlite3/README.md index 12f36d314..e110e4347 100644 --- a/Dockerfiles/proxy-sqlite3/README.md +++ b/Dockerfiles/proxy-sqlite3/README.md @@ -172,6 +172,7 @@ ZBX_UNREACHABLEPERIOD=45 ZBX_UNAVAILABLEDELAY=60 ZBX_UNREACHABLEDELAY=15 ZBX_LOGSLOWQUERIES=3000 +ZBX_TLSLISTEN= # Available since 7.4.0 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= @@ -196,7 +197,6 @@ ZBX_TLSCIPHERPSK13= # Available since 4.4.7 ZBX_WEBDRIVERURL= # Available since 7.0.0 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0 - ``` Default values of these variables are specified after equal sign. diff --git a/Dockerfiles/server-mysql/README.md b/Dockerfiles/server-mysql/README.md index 93c4a1864..dd63051b6 100644 --- a/Dockerfiles/server-mysql/README.md +++ b/Dockerfiles/server-mysql/README.md @@ -208,6 +208,7 @@ ZBX_LOGSLOWQUERIES=3000 ZBX_STARTPROXYPOLLERS=1 ZBX_PROXYCONFIGFREQUENCY=10 ZBX_PROXYDATAFREQUENCY=1 +ZBX_TLSLISTEN= # Available since 7.4.0 ZBX_TLSCAFILE= ZBX_TLSCA= ZBX_TLSCRLFILE= @@ -222,6 +223,10 @@ ZBX_TLSCIPHERCERT= # Available since 4.4.7 ZBX_TLSCIPHERCERT13= # Available since 4.4.7 ZBX_TLSCIPHERPSK= # Available since 4.4.7 ZBX_TLSCIPHERPSK13= # Available since 4.4.7 +ZBX_TLS_FRONTENDACCEPT= # Available since 7.4.0 +ZBX_FRONTENDALLOWEDIP= # Available since 7.4.0 +ZBX_TLSFRONTENDCERTISSUER= # Available since 7.4.0 +ZBX_TLSFRONTENDCERTSUBJECT= # Available since 7.4.0 ZBX_WEBDRIVERURL= # Available since 7.0.0 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0 diff --git a/Dockerfiles/server-pgsql/README.md b/Dockerfiles/server-pgsql/README.md index e88e6d3df..d4481c184 100644 
--- a/Dockerfiles/server-pgsql/README.md +++ b/Dockerfiles/server-pgsql/README.md @@ -209,6 +209,7 @@ ZBX_LOGSLOWQUERIES=3000 ZBX_STARTPROXYPOLLERS=1 ZBX_PROXYCONFIGFREQUENCY=10 ZBX_PROXYDATAFREQUENCY=1 +ZBX_TLSLISTEN= # Available since 7.4.0 ZBX_TLSCAFILE= ZBX_TLSCA= ZBX_TLSCRLFILE= @@ -223,6 +224,10 @@ ZBX_TLSCIPHERCERT= # Available since 4.4.7 ZBX_TLSCIPHERCERT13= # Available since 4.4.7 ZBX_TLSCIPHERPSK= # Available since 4.4.7 ZBX_TLSCIPHERPSK13= # Available since 4.4.7 +ZBX_TLS_FRONTENDACCEPT= # Available since 7.4.0 +ZBX_FRONTENDALLOWEDIP= # Available since 7.4.0 +ZBX_TLSFRONTENDCERTISSUER= # Available since 7.4.0 +ZBX_TLSFRONTENDCERTSUBJECT= # Available since 7.4.0 ZBX_WEBDRIVERURL= # Available since 7.0.0 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0 diff --git a/Dockerfiles/web-apache-mysql/README.md b/Dockerfiles/web-apache-mysql/README.md index b27de5d52..9bf1b3434 100644 --- a/Dockerfiles/web-apache-mysql/README.md +++ b/Dockerfiles/web-apache-mysql/README.md @@ -241,6 +241,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0 ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0 VAULT_TOKEN= # Available since 5.2.0 +ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0 +ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CA= # Available since 7.4.0 +ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_KEY= # Available since 7.4.0 +ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0 + Allowed PHP-FPM configuration options: PHP_FPM_PM=dynamic PHP_FPM_PM_MAX_CHILDREN=50 
@@ -262,6 +272,10 @@ Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4 The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. +### ``/var/lib/zabbix/enc`` + +The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0. + # The image variants The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case. diff --git a/Dockerfiles/web-apache-mysql/alpine/Dockerfile b/Dockerfiles/web-apache-mysql/alpine/Dockerfile index e16625bb0..4c5d32ef9 100644 --- a/Dockerfiles/web-apache-mysql/alpine/Dockerfile +++ b/Dockerfiles/web-apache-mysql/alpine/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -77,11 +78,13 @@ RUN set -eux && \ --uid 1997 \ --ingroup zabbix \ --shell /sbin/nologin \ - --home /var/lib/zabbix/ \ + --home ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/apache2/conf.d/default.conf" && \ rm -f "/etc/apache2/conf.d/ssl.conf" && \ rm -f "/etc/apache2/conf.d/info.conf" && \ 
@@ -103,9 +106,9 @@ RUN set -eux && \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chgrp -R 0 /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chmod -R g=u /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ diff --git a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh index d06654801..cd84f15a7 100755 --- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
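Review bot: The three `file_exists(getenv(...)) ? getenv(...) : ''` lines silently replace a configured-but-missing CA, key or certificate path with an empty string, so a typo in `ZBX_SERVER_TLS_CAFILE` or a forgotten `/var/lib/zabbix/enc` mount is never reported while `$ZBX_SERVER_TLS['ACTIVE']` can still be `'1'`. How the frontend treats an empty `CA_FILE` with TLS active is not visible here, but the misconfiguration would presumably only surface at connect time rather than at container start. Consider passing the path through unchanged so the frontend reports the missing file, or validating the path in the entrypoint where a clear message can be logged before php-fpm starts, and add a comment above the block such as `// Paths are taken from the entrypoint; a plaintext ZBX_SERVER_TLS_CA/KEY/CERT value is written to enc_internal and its path exported in the *FILE variable`. The same six lines are repeated in the centos, ol, ubuntu and web-apache-pgsql copies of zabbix.conf.php.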
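Review bot: `echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"` in `file_process_from_env` writes the plaintext value — for `ZBX_SERVER_TLS_KEY` this is the frontend's private key — under the entrypoint's default umask, which typically leaves the file readable by every user in the container; since the variable is then removed with `unset "${var_name%%FILE}"`, that file becomes the only copy and should be created owner-only. Suggested replacement for the `echo` line: `(umask 077; printf '%s' "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name")`, which also avoids `echo` treating a value that starts with `-` as an option. The precedence rule is worth a comment above the `if`: `# A plaintext value overrides any path given through the *FILE variable`. The identical function is added in the centos, ol, ubuntu and web-apache-pgsql/alpine entrypoints.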
@@ -254,6 +273,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-mysql/centos/Dockerfile b/Dockerfiles/web-apache-mysql/centos/Dockerfile index d73de26e3..234c70a7f 100644 --- a/Dockerfiles/web-apache-mysql/centos/Dockerfile +++ b/Dockerfiles/web-apache-mysql/centos/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -88,11 +89,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/httpd/conf.d/default.conf" && \ rm -f "/etc/httpd/conf.d/ssl.conf" && \ rm -f "/etc/httpd/conf.d/autoindex.conf" && \ 
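Review bot: `: ${ZBX_SERVER_TLS_ACTIVE:="0"}` defaults the variable to `0`, while the README in this same patch documents `ZBX_SERVER_TLS_ACTIVE=false` and zabbix.conf.php only tests for the literal `true`; both defaults leave TLS off, but the mismatch will confuse anyone comparing the two files, so `: ${ZBX_SERVER_TLS_ACTIVE:="false"}` would be the consistent choice. The three `file_process_from_env` calls also run when TLS is inactive, and when both `ZBX_SERVER_TLS_KEYFILE` and `ZBX_SERVER_TLS_KEY` are supplied the plaintext value silently wins; a one-line comment before the calls, `# Plaintext ZBX_SERVER_TLS_CA/KEY/CERT values are written to enc_internal and override the *FILE paths`, would make that visible. The same block is added in the centos, ol, ubuntu and web-apache-pgsql/alpine entrypoints.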
@@ -115,9 +118,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \ chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \ chmod -R g=u /run/httpd/ /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh index 977f545c9..b6c30b92f 100755 --- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -254,6 +273,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-mysql/ol/Dockerfile b/Dockerfiles/web-apache-mysql/ol/Dockerfile index 79775549c..355394b54 100644 --- a/Dockerfiles/web-apache-mysql/ol/Dockerfile +++ b/Dockerfiles/web-apache-mysql/ol/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -80,11 +81,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/httpd/conf.d/default.conf" && \ rm -f "/etc/httpd/conf.d/ssl.conf" && \ rm -f "/etc/httpd/conf.d/autoindex.conf" && \ 
@@ -107,9 +110,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \ chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \ chmod -R g=u /run/httpd/ /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh index 977f545c9..b6c30b92f 100755 --- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -254,6 +273,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile index 8a780f32c..585be1568 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -70,11 +71,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR}/ \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ find /etc/ -name '*.dpkg-dist' | xargs rm -f && \ rm -f /etc/apache2/sites-available/* && \ 
@@ -98,9 +101,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/apache2/ /etc/php/8.3/fpm/ && \ - chgrp -R 0 /etc/apache2/ /etc/php/8.3/fpm/ && \ - chmod -R g=u /etc/apache2/ /etc/php/8.3/fpm/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ diff --git a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh index e6d089cc3..1f2e1ee41 100755 --- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -254,6 +273,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-pgsql/README.md b/Dockerfiles/web-apache-pgsql/README.md index 7a1d65ea6..2437044d8 100644 --- a/Dockerfiles/web-apache-pgsql/README.md +++ b/Dockerfiles/web-apache-pgsql/README.md @@ -241,6 +241,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0 ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0 VAULT_TOKEN= # Available since 5.2.0 +ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0 +ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CA= # Available since 7.4.0 +ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_KEY= # Available since 7.4.0 +ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0 + Allowed PHP-FPM configuration options: PHP_FPM_PM=dynamic PHP_FPM_PM_MAX_CHILDREN=50 
@@ -262,6 +272,10 @@ Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4 The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. +### ``/var/lib/zabbix/enc`` + +The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0. + # The image variants The `zabbix-web-apache-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile index 4af09d408..afa8bae70 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -76,11 +77,13 @@ RUN set -eux && \ --uid 1997 \ --ingroup zabbix \ --shell /sbin/nologin \ - --home /var/lib/zabbix/ \ + --home ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/apache2/conf.d/default.conf" && \ rm -f "/etc/apache2/conf.d/ssl.conf" && \ rm -f "/etc/apache2/conf.d/info.conf" && \ 
@@ -102,9 +105,9 @@ RUN set -eux && \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chgrp -R 0 /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chmod -R g=u /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ diff --git a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh index f05e6f09d..c6a02cfba 100755 --- a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -24,7 +27,7 @@ fi # DefaultRuntimeDir configuration option value export APACHE_RUN_DIR="/tmp/apache2" - + # Default directories # Apache main configuration file HTTPD_CONF_FILE="/etc/apache2/httpd.conf" 
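Review bot: The `file_exists()` guards on `CA_FILE`, `KEY_FILE` and `CERT_FILE` silently turn a missing path into `''`, so a deployment with `ZBX_SERVER_TLS_ACTIVE=true` and a mistyped key path comes up without a client certificate and nothing points at the cause. `file_exists()` is also true for a directory and says nothing about readability by the PHP worker; the predicate that matches what the frontend must do with the path is `$k = getenv('ZBX_SERVER_TLS_KEYFILE'); $ZBX_SERVER_TLS['KEY_FILE'] = (is_file($k) && is_readable($k)) ? $k : '';` (same for the other two). Because this config file cannot log, the fail-fast for active TLS with absent files belongs in the entrypoint; a comment here such as `// Empty when the file is absent or unreadable; the entrypoint is expected to reject that combination` would make the contract visible to the next reader.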
@@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -253,6 +272,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-pgsql/centos/Dockerfile b/Dockerfiles/web-apache-pgsql/centos/Dockerfile index f2f98a28a..791afb593 100644 --- a/Dockerfiles/web-apache-pgsql/centos/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/centos/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ 
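Review bot: In `file_process_from_env` the private key supplied via `ZBX_SERVER_TLS_KEY` is written with a bare `echo -n ... >`, so the file in `enc_internal` gets the ambient umask (typically 0644) and is readable by every account in the container. Create it closed and then open it only to the worker account and group 0, which is the ownership model the Dockerfile already uses: `(umask 077; printf '%s' "$var_value" > "$target")`, `[ "$(id -u)" == '0' ] && chown "${DAEMON_USER}:root" "$target"` (assuming `DAEMON_USER` names the PHP/Apache worker account here, as it does in the ol variant), `chmod 0640 "$target"`, with `target="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"`. `printf '%s'` also avoids any option or escape interpretation by `echo`. The trailing `unset "${var_name%%FILE}"` scrubs only this shell's environment; the plaintext value stays in the container metadata (e.g. `docker inspect`), which the README should state when offering the `ZBX_SERVER_TLS_KEY` variant.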
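Review bot: `prepare_zbx_php_config` exports the TLS settings without validating them, so `ZBX_SERVER_TLS_ACTIVE=true` with an absent or unreadable key or certificate is not rejected here and the PHP config later blanks the path silently; the function begins above this hunk. A guard after the three `file_process_from_env` calls would fail fast: `if [ "${ZBX_SERVER_TLS_ACTIVE,,}" == "true" ]; then for f in "$ZBX_SERVER_TLS_KEYFILE" "$ZBX_SERVER_TLS_CERTFILE"; do [ -r "$f" ] || { echo "**** TLS file '$f' is missing or unreadable"; exit 1; }; done; fi` (whether the CA file is mandatory depends on the frontend's validation mode, which is not visible here). The file names are also passed through verbatim, so a bare name inside the `/var/lib/zabbix/enc` volume, which is how the README reads, is never resolved against that directory; either document that absolute paths are required or prefix `${ZABBIX_USER_HOME_DIR}/enc/` when the value contains no `/`. The default `"0"` set here and the README's `false` both read as inactive in the PHP `== 'true'` test, but the two should agree.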
@@ -88,11 +89,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/httpd/conf.d/default.conf" && \ rm -f "/etc/httpd/conf.d/ssl.conf" && \ rm -f "/etc/httpd/conf.d/autoindex.conf" && \ @@ -115,9 +118,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \ chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \ chmod -R g=u /run/httpd/ /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh index 4e97a986b..20bd8d24d 100755 --- a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -24,7 +27,7 @@ fi # DefaultRuntimeDir configuration option value export APACHE_RUN_DIR="/tmp/httpd" - + # Default directories # Apache main configuration file HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" 
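Review bot: The `file_exists()` guards on the three `*_FILE` entries degrade a missing or unreadable key/cert to `''` without any trace, so an operator who sets `ZBX_SERVER_TLS_ACTIVE=true` and mistypes a path gets a frontend that runs without the expected client certificate. `file_exists()` accepts directories and does not test readability by the PHP worker; `$k = getenv('ZBX_SERVER_TLS_KEYFILE'); $ZBX_SERVER_TLS['KEY_FILE'] = (is_file($k) && is_readable($k)) ? $k : '';` is the check that matches the later use. Since this file cannot report errors, the reject-on-missing-file logic belongs in the entrypoint; document that here with `// Empty when the file is absent or unreadable; the entrypoint is expected to reject that combination`.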
@@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -253,6 +272,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-pgsql/ol/Dockerfile b/Dockerfiles/web-apache-pgsql/ol/Dockerfile index 315e3638f..1a0018f7c 100644 --- a/Dockerfiles/web-apache-pgsql/ol/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/ol/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ 
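Review bot: `file_process_from_env` writes the plaintext `ZBX_SERVER_TLS_KEY` value with `echo -n ... >`, which creates the key file under the inherited umask (normally 0644), i.e. readable by any user inside the container. Write it closed and then grant only the worker account and group 0, matching the `zabbix:root` / `g=u` model of the Dockerfile: `(umask 077; printf '%s' "$var_value" > "$target")`, `[ "$(id -u)" == '0' ] && chown "${DAEMON_USER}:root" "$target"` (assuming `DAEMON_USER` is the httpd/PHP worker account in this entrypoint, as in the ol variant), `chmod 0640 "$target"`, with `target="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"`. `printf '%s'` additionally rules out `echo` option/escape handling of the payload. Note that `unset "${var_name%%FILE}"` removes the secret from this shell only; it remains visible in container metadata, so the README should recommend the `*FILE` form for anything sensitive.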
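Review bot: The new lines in `prepare_zbx_php_config` (whose body starts above this hunk) export the TLS variables unchecked, so `ZBX_SERVER_TLS_ACTIVE=true` together with a missing key or certificate file is accepted here and only silently blanked later by the PHP config. Fail fast after the three `file_process_from_env` calls: `if [ "${ZBX_SERVER_TLS_ACTIVE,,}" == "true" ]; then for f in "$ZBX_SERVER_TLS_KEYFILE" "$ZBX_SERVER_TLS_CERTFILE"; do [ -r "$f" ] || { echo "**** TLS file '$f' is missing or unreadable"; exit 1; }; done; fi`. Paths are also exported verbatim, so a bare file name placed in the `/var/lib/zabbix/enc` volume (the README's wording suggests that usage) is not resolved against that directory; either require absolute paths in the README or prefix `${ZABBIX_USER_HOME_DIR}/enc/` when the value has no `/`. The `"0"` default here and the README's `false` are both inactive under the PHP `== 'true'` comparison but should be aligned.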
@@ -81,11 +82,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ rm -f "/etc/httpd/conf.d/default.conf" && \ rm -f "/etc/httpd/conf.d/ssl.conf" && \ rm -f "/etc/httpd/conf.d/autoindex.conf" && \ @@ -108,9 +111,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ - chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \ chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \ chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \ chmod -R g=u /run/httpd/ /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh index add12fe57..c05cb33fd 100755 --- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -24,7 +27,7 @@ fi # DefaultRuntimeDir configuration option value export APACHE_RUN_DIR="/tmp/httpd" - + # Default directories # Apache main configuration file HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf" 
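Review bot: Wrapping the three `*_FILE` lookups in `file_exists()` hides misconfiguration: a missing key or certificate becomes `''`, so with `ZBX_SERVER_TLS_ACTIVE=true` the frontend starts without the material it was told to use and nothing is logged. `file_exists()` is also satisfied by a directory and does not check that the PHP worker can read the file; prefer `$k = getenv('ZBX_SERVER_TLS_KEYFILE'); $ZBX_SERVER_TLS['KEY_FILE'] = (is_file($k) && is_readable($k)) ? $k : '';` and the same for CA and cert. As this config cannot emit diagnostics, the hard failure should live in the entrypoint; a comment `// Empty when the file is absent or unreadable; the entrypoint is expected to reject that combination` documents the split.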
@@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -140,28 +159,6 @@ check_db_connect() { unset PGSSLKEY } -prepare_web_server() { - APACHE_SITES_DIR=/etc/httpd/conf.d - - echo "** Adding Zabbix virtual host (HTTP)" - if [ -f "$ZABBIX_CONF_DIR/apache.conf" ]; then - ln -sfT "$ZABBIX_CONF_DIR/apache.conf" "$APACHE_SITES_DIR/zabbix.conf" - else - echo "**** Impossible to enable HTTP virtual host" - fi - - if [ -f "/etc/ssl/apache2/ssl.crt" ] && [ -f "/etc/ssl/apache2/ssl.key" ]; then - echo "** Adding Zabbix virtual host (HTTPS)" - if [ -f "$ZABBIX_CONF_DIR/apache_ssl.conf" ]; then - ln -sfT "$ZABBIX_CONF_DIR/apache_ssl.conf" "$APACHE_SITES_DIR/zabbix_ssl.conf" - else - echo "**** Impossible to enable HTTPS virtual host" - fi - else - echo "**** Impossible to enable SSL support for Apache2. Certificates are missed." - fi -} - prepare_web_server() { if [ "$(id -u)" == '0' ]; then export APACHE_RUN_USER=${DAEMON_USER} 
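Review bot: `file_process_from_env` stores the private key from `ZBX_SERVER_TLS_KEY` with a plain `echo -n ... >`, so the file in `enc_internal` receives the inherited umask (usually 0644) and is readable by every account in the container. Create it closed, then expose it only to the worker account and group 0, consistent with the Dockerfile's `zabbix:root` / `g=u` layout: `(umask 077; printf '%s' "$var_value" > "$target")`, `[ "$(id -u)" == '0' ] && chown "${DAEMON_USER}:root" "$target"` (`DAEMON_USER` is the account this script hands to Apache via `APACHE_RUN_USER`, visible in the next hunk), `chmod 0640 "$target"`, with `target="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"`. `printf '%s'` also avoids `echo` interpreting the payload. The `unset "${var_name%%FILE}"` at the end clears the shell environment only; the plaintext remains in container metadata, which the README should mention.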
@@ -275,6 +272,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile index 097b08a31..ab3bc05a5 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -69,11 +70,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR}/ \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ find /etc/ -name '*.dpkg-dist' | xargs rm -f && \ rm -f /etc/apache2/sites-available/* && \ 
@@ -97,9 +100,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/apache2/ /etc/php/8.3/fpm/ && \ - chgrp -R 0 /etc/apache2/ /etc/php/8.3/fpm/ && \ - chmod -R g=u /etc/apache2/ /etc/php/8.3/fpm/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh index a49c7dff4..4b8cf4234 100755 --- a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -66,6 +69,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
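Review bot: The `file_exists()` checks on `CA_FILE`, `KEY_FILE` and `CERT_FILE` quietly replace a missing path with `''`, so a deployment with `ZBX_SERVER_TLS_ACTIVE=true` and a wrong file name runs without its client certificate and leaves no diagnostic. `file_exists()` is also true for directories and does not verify readability by the PHP worker; use `$k = getenv('ZBX_SERVER_TLS_KEYFILE'); $ZBX_SERVER_TLS['KEY_FILE'] = (is_file($k) && is_readable($k)) ? $k : '';` and likewise for the other two. Because this file has no way to log, the entrypoint should be the place that rejects active TLS with missing files; note it here with `// Empty when the file is absent or unreadable; the entrypoint is expected to reject that combination`.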
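Review bot: In `file_process_from_env` the plaintext key from `ZBX_SERVER_TLS_KEY` is written via `echo -n ... >`, so the resulting file in `enc_internal` inherits the ambient umask (typically 0644) and is readable by every account in the container. Write it closed and then open it only to the worker account and group 0, as the Dockerfile's `zabbix:root` / `g=u` ownership intends: `(umask 077; printf '%s' "$var_value" > "$target")`, `[ "$(id -u)" == '0' ] && chown "${DAEMON_USER}:root" "$target"` (assuming `DAEMON_USER` is the Apache/PHP worker account in this script, as in the ol variant), `chmod 0640 "$target"`, with `target="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"`. `printf '%s'` also sidesteps `echo` option and escape handling. The final `unset "${var_name%%FILE}"` only affects this shell; the secret is still in the container metadata, which the README should say when documenting the plaintext variables.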
@@ -253,6 +272,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-mysql/README.md b/Dockerfiles/web-nginx-mysql/README.md index ef9882714..531c6b576 100644 --- a/Dockerfiles/web-nginx-mysql/README.md +++ b/Dockerfiles/web-nginx-mysql/README.md @@ -242,6 +242,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0 ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0 VAULT_TOKEN= # Available since 5.2.0 +ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0 +ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CA= # Available since 7.4.0 +ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_KEY= # Available since 7.4.0 +ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0 + Allowed PHP-FPM configuration options: PHP_FPM_PM=dynamic PHP_FPM_PM_MAX_CHILDREN=50 
@@ -263,6 +273,10 @@ Please follow official Nginx [documentation](http://nginx.org/en/docs/http/confi The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. +### ``/var/lib/zabbix/enc`` + +The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0. + # The image variants The `zabbix-web-nginx-mysql` images come in many flavors, each designed for a specific use case. diff --git a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile index 98e58fecb..a5dd9d562 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -77,11 +78,13 @@ RUN set -eux && \ --uid 1997 \ --ingroup zabbix \ --shell /sbin/nologin \ - --home /var/lib/zabbix/ \ + --home ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -rf /etc/php84/php-fpm.d/www.conf && \ rm -f /etc/nginx/http.d/*.conf && \ 
@@ -101,9 +104,9 @@ RUN set -eux && \ chown --quiet -R zabbix:root /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chgrp -R 0 /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chmod -R g=u /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chown --quiet -R zabbix:root /var/lib/php/session/ /var/lib/nginx/ && \ - chgrp -R 0 /var/lib/php/session/ /var/lib/nginx/ && \ - chmod -R g=u /var/lib/php/session/ /var/lib/nginx/ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ HEALTHCHECK --interval=1m30s --timeout=3s --retries=3 --start-period=40s --start-interval=5s \ CMD curl -f http://localhost:8080/ping || exit 1 diff --git a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh index 4111e982c..bb77a009f 100755 --- a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
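Review bot: Guarding the three `*_FILE` values with `file_exists()` turns a missing key or certificate into `''` with no trace, so `ZBX_SERVER_TLS_ACTIVE=true` plus a typo in a path yields a frontend that runs without the expected client certificate. `file_exists()` also returns true for a directory and does not check readability by the php-fpm worker; the matching predicate is `$k = getenv('ZBX_SERVER_TLS_KEYFILE'); $ZBX_SERVER_TLS['KEY_FILE'] = (is_file($k) && is_readable($k)) ? $k : '';` (same for CA and cert). Since this config cannot log, the hard failure should be raised in the entrypoint; a comment `// Empty when the file is absent or unreadable; the entrypoint is expected to reject that combination` records that expectation.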
@@ -280,6 +299,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-mysql/centos/Dockerfile b/Dockerfiles/web-nginx-mysql/centos/Dockerfile index c3e31ce8f..9552aea00 100644 --- a/Dockerfiles/web-nginx-mysql/centos/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/centos/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -86,11 +87,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.d/www.conf && \ 
@@ -110,9 +113,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh index 0d945631c..75a2af188 100755 --- a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
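Review bot: In `file_process_from_env` the private key from `ZBX_SERVER_TLS_KEY` is stored with a bare `echo -n ... >`, so the file in `enc_internal` takes the ambient umask (typically 0644) and is readable by any user in the container. Write it closed, then grant only the worker account and group 0, matching the Dockerfile's `zabbix:root` / `g=u` model: `(umask 077; printf '%s' "$var_value" > "$target")`, `[ "$(id -u)" == '0' ] && chown "${DAEMON_USER}:root" "$target"` (assuming `DAEMON_USER` is the php-fpm worker account here; not visible in this hunk), `chmod 0640 "$target"`, with `target="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"`. `printf '%s'` also removes any `echo` option/escape interpretation of the payload. The closing `unset "${var_name%%FILE}"` clears this shell only; the plaintext stays in container metadata, which the README should state.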
@@ -280,6 +299,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-mysql/ol/Dockerfile b/Dockerfiles/web-nginx-mysql/ol/Dockerfile index 82fb85156..db7af098a 100644 --- a/Dockerfiles/web-nginx-mysql/ol/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/ol/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -79,11 +80,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.d/www.conf && \ 
@@ -103,9 +106,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/web/zabbix.conf.php 
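Review bot: `chmod -R g=u ${ZABBIX_USER_HOME_DIR}/` leaves `enc_internal`, the directory the entrypoint later writes the TLS private key into, at the `mkdir -p` default of 0755, i.e. searchable and readable by every account in the container. After these three ownership lines add `chmod 0770 ${ZABBIX_USER_HOME_DIR}/enc_internal` (group access is presumably kept for the root-group pattern that `chgrp -R 0` serves). The other Dockerfiles in this change carry the same ownership hunk and need the same line.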
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh index 0d945631c..75a2af188 100755 --- a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -280,6 +299,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile index d50d5281c..d55ead00f 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile @@ -17,6 +17,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL description="Zabbix web-interface based on Nginx web server with MySQL database support" \ @@ -116,11 +117,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.conf.rpmnew && \ 
@@ -141,9 +144,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh index 0d945631c..75a2af188 100755 --- a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -280,6 +299,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile index 0edd47e1d..554c804fc 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -69,11 +70,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -rf /var/cache/nginx/ && \ 
@@ -98,9 +101,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ - chgrp -R 0 /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ - chmod -R g=u /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh index e163a07ee..72fdbb897 100755 --- a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for MySQL database check_variables() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then 
@@ -280,6 +299,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-pgsql/README.md b/Dockerfiles/web-nginx-pgsql/README.md index 4f6f4e708..8ed996b84 100644 --- a/Dockerfiles/web-nginx-pgsql/README.md +++ b/Dockerfiles/web-nginx-pgsql/README.md @@ -241,6 +241,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0 ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0 VAULT_TOKEN= # Available since 5.2.0 +ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0 +ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CA= # Available since 7.4.0 +ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_KEY= # Available since 7.4.0 +ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0 +ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0 + Allowed PHP-FPM configuration options: PHP_FPM_PM=dynamic PHP_FPM_PM_MAX_CHILDREN=50 
@@ -262,6 +272,10 @@ Please follow official Nginx [documentation](http://nginx.org/en/docs/http/confi The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. +### ``/var/lib/zabbix/enc`` + +The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0. + # The image variants The `zabbix-web-nginx-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile index 287d2c635..54ec36d72 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -76,11 +77,13 @@ RUN set -eux && \ --uid 1997 \ --ingroup zabbix \ --shell /sbin/nologin \ - --home /var/lib/zabbix/ \ + --home ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -rf /etc/php84/php-fpm.d/www.conf && \ rm -f /etc/nginx/http.d/*.conf && \ 
@@ -100,9 +103,9 @@ RUN set -eux && \ chown --quiet -R zabbix:root /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chgrp -R 0 /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ chmod -R g=u /etc/nginx/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \ - chown --quiet -R zabbix:root /var/lib/php/session/ /var/lib/nginx/ && \ - chgrp -R 0 /var/lib/php/session/ /var/lib/nginx/ && \ - chmod -R g=u /var/lib/php/session/ /var/lib/nginx/ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /var/lib/php/session/ /var/lib/nginx/ HEALTHCHECK --interval=1m30s --timeout=3s --retries=3 --start-period=40s --start-interval=5s \ CMD curl -f http://localhost:8080/ping || exit 1 diff --git a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh index 2d2f2a594..1edfd1c29 100755 --- a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -279,6 +298,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile index a68e48352..281d197f5 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -86,11 +87,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.d/www.conf && \ 
@@ -110,9 +113,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh index ce300b174..b9629d58a 100755 --- a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -280,54 +299,13 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} - if [ -n "${ZBX_SESSION_NAME}" ]; then - cp "$ZABBIX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" - sed "/ZBX_SESSION_NAME/s/'[^']*'/'${ZBX_SESSION_NAME}'/2" "/tmp/defines.inc.php_tmp" > "$ZABBIX_WWW_ROOT/include/defines.inc.php" - rm -f "/tmp/defines.inc.php_tmp" - fi - - FCGI_READ_TIMEOUT=$(expr ${ZBX_MAXEXECUTIONTIME} + 1) - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - : ${HTTP_INDEX_FILE:="index.php"} - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - if [ -f "$ZABBIX_CONF_DIR/nginx_ssl.conf" ]; then - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${ENABLE_WEB_ACCESS_LOG:="true"} - - if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${EXPOSE_WEB_SERVER_INFO:="on"} - - [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" - - export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} - sed -i \ - -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ - "$NGINX_CONF_FILE" + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export 
ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile index ec37e4346..6a45d9170 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -80,11 +81,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.d/www.conf && \ 
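Review bot: Besides the TLS lines, this hunk deletes the `ZBX_SESSION_NAME`, `FCGI_READ_TIMEOUT`, `HTTP_INDEX_FILE`, `ENABLE_WEB_ACCESS_LOG` and `EXPOSE_WEB_SERVER_INFO` handling from `prepare_zbx_php_config`, which the commit message ("Added encryption support between server and frontend") does not mention. In the web-nginx-mysql entrypoints that block is not part of `prepare_zbx_php_config`, so this presumably removes a duplicate that also exists in the nginx preparation function of this file; please confirm that, since otherwise the `{FCGI_READ_TIMEOUT}`, `{HTTP_INDEX_FILE}` and `{EXPOSE_WEB_SERVER_INFO}` placeholders in nginx.conf would stay unsubstituted. A one-line mention in the commit description (`also drops the nginx settings duplicated in prepare_zbx_php_config`) would make the change self-explaining. The ol web-nginx-pgsql entrypoint gets the identical hunk, and the start of `prepare_zbx_php_config` is outside the hunk.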
@@ -104,9 +107,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \ - chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ - chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ + chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \ chown --quiet -R zabbix:root /var/lib/php/session/ && \ chgrp -R 0 /var/lib/php/session/ && \ chmod -R g=u /var/lib/php/session/ && \ diff --git a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php index 697acbf9b..fcbfc6313 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php +++ b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/web/zabbix.conf.php 
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh index ce300b174..b9629d58a 100755 --- a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -280,54 +299,13 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} - if [ -n "${ZBX_SESSION_NAME}" ]; then - cp "$ZABBIX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" - sed "/ZBX_SESSION_NAME/s/'[^']*'/'${ZBX_SESSION_NAME}'/2" "/tmp/defines.inc.php_tmp" > "$ZABBIX_WWW_ROOT/include/defines.inc.php" - rm -f "/tmp/defines.inc.php_tmp" - fi - - FCGI_READ_TIMEOUT=$(expr ${ZBX_MAXEXECUTIONTIME} + 1) - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - : ${HTTP_INDEX_FILE:="index.php"} - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - if [ -f "$ZABBIX_CONF_DIR/nginx_ssl.conf" ]; then - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${ENABLE_WEB_ACCESS_LOG:="true"} - - if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${EXPOSE_WEB_SERVER_INFO:="on"} - - [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" - - export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} - sed -i \ - -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ - "$NGINX_CONF_FILE" + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export 
ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile index c958f4833..68ca8f332 100644 --- a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile @@ -18,6 +18,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL description="Zabbix web-interface based on Nginx web server with PostgreSQL database support" \ @@ -117,11 +118,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -f /etc/php-fpm.conf.rpmnew && \ 
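Review bot: This hunk removes the whole `ZBX_SESSION_NAME`, `{FCGI_READ_TIMEOUT}`, `{HTTP_INDEX_FILE}`, `ENABLE_WEB_ACCESS_LOG` and `{EXPOSE_WEB_SERVER_INFO}` handling from `prepare_zbx_php_config`, which the commit message, about server–frontend encryption, does not mention. The resulting blob (`b9629d58a`) is identical to the rhel entrypoint's, so this looks like a sync of the ol script with rhel rather than a loss of functionality, but nothing in the hunk shows where the nginx placeholders are substituted now. The same removal in the ubuntu entrypoint (`@@ -280,54 +299,13 @@` further down) produces a different blob (`2fb456239`), so that variant deserves an explicit check that `nginx.conf` contains no unsubstituted `{FCGI_READ_TIMEOUT}` or `{HTTP_INDEX_FILE}` tokens after startup. Either way the cleanup warrants a sentence in the commit description. `prepare_zbx_php_config` begins outside the hunk.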
@@ -142,9 +145,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
 chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
 chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
- chown --quiet -R zabbix:root /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
- chgrp -R 0 /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
- chmod -R g=u /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
+ chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
+ chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
+ chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php-fpm.d/ /etc/php-fpm.conf /var/log/nginx/ && \
 chown --quiet -R zabbix:root /var/lib/php/session/ && \
 chgrp -R 0 /var/lib/php/session/ && \
 chmod -R g=u /var/lib/php/session/ && \
diff --git a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/web/zabbix.conf.php
index 697acbf9b..fcbfc6313 100644
--- a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/web/zabbix.conf.php
+++ b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/web/zabbix.conf.php
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh index 94c5b5186..b9629d58a 100755 --- a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -279,6 +298,14 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} + + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile index 0068c6537..201c006ec 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile @@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git ENV TERM=xterm \ ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \ ZABBIX_CONF_DIR="/etc/zabbix" \ + ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \ ZABBIX_WWW_ROOT="/usr/share/zabbix" LABEL org.opencontainers.image.authors="Alexey Pustovalov " \ @@ -69,11 +70,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ -g zabbix \ --uid 1997 \ --shell /sbin/nologin \ - --home-dir /var/lib/zabbix/ \ + --home-dir ${ZABBIX_USER_HOME_DIR} \ zabbix && \ mkdir -p ${ZABBIX_CONF_DIR} && \ mkdir -p ${ZABBIX_CONF_DIR}/web && \ mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \ + mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \ mkdir -p /var/lib/php/session && \ rm -f /etc/nginx/conf.d/*.conf && \ rm -rf /var/cache/nginx/ && \ 
@@ -98,9 +101,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
 chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
 chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
 chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
- chown --quiet -R zabbix:root /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
- chgrp -R 0 /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
- chmod -R g=u /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+ chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+ chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+ chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
 chown --quiet -R zabbix:root /var/lib/php/session/ && \
 chgrp -R 0 /var/lib/php/session/ && \
 chmod -R g=u /var/lib/php/session/
diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
index 697acbf9b..fcbfc6313 100644
--- a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
+++ b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array(); $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false; + +$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0'; +$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : ''; +$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : ''; +$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : ''; +$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER'); +$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT'); diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh index fc17031da..2fb456239 100755 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh @@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then set -o xtrace fi +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" + # Default Zabbix installation name # Used only by Zabbix web-interface : ${ZBX_SERVER_NAME:="Zabbix docker"} @@ -63,6 +66,22 @@ file_env() { unset "$fileVar" } +file_process_from_env() { + local var_name=$1 + local file_name=$2 + local var_value=$3 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + + export "$var_name"="$file_name" + + # Remove variable with plain text data + unset "${var_name%%FILE}" +} + # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -280,54 +299,13 @@ prepare_zbx_php_config() { : ${ZBX_ALLOW_HTTP_AUTH:="true"} export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH} - if [ -n "${ZBX_SESSION_NAME}" ]; then - cp "$ZABBIX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" - sed "/ZBX_SESSION_NAME/s/'[^']*'/'${ZBX_SESSION_NAME}'/2" "/tmp/defines.inc.php_tmp" > "$ZABBIX_WWW_ROOT/include/defines.inc.php" - rm -f "/tmp/defines.inc.php_tmp" - fi - - FCGI_READ_TIMEOUT=$(expr ${ZBX_MAXEXECUTIONTIME} + 1) - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - : ${HTTP_INDEX_FILE:="index.php"} - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx.conf" - - if [ -f "$ZABBIX_CONF_DIR/nginx_ssl.conf" ]; then - sed -i \ - -e "s/{FCGI_READ_TIMEOUT}/${FCGI_READ_TIMEOUT}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - - sed -i \ - -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${ENABLE_WEB_ACCESS_LOG:="true"} - - if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$NGINX_CONF_FILE" - sed -ri \ - -e 's!^(\s*access_log).+\;!\1 off\;!g' \ - "$ZABBIX_CONF_DIR/nginx_ssl.conf" - fi - - : ${EXPOSE_WEB_SERVER_INFO:="on"} - - [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on" - - export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO} - sed -i \ - -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ - "$NGINX_CONF_FILE" + : ${ZBX_SERVER_TLS_ACTIVE:="0"} + export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE} + file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}" + file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}" + file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}" + export 
ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER} + export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT} } prepare_zbx_config() { diff --git a/compose_zabbix_components.yaml b/compose_zabbix_components.yaml index 7878091d8..a31f6d6e2 100644 --- a/compose_zabbix_components.yaml +++ b/compose_zabbix_components.yaml @@ -316,6 +316,7 @@ services: - /etc/localtime:/etc/localtime:ro - ${DATA_DIRECTORY}/etc/ssl/apache2:/etc/ssl/apache2:ro - ${DATA_DIRECTORY}/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro + - ${DATA_DIRECTORY}/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro tmpfs: - /tmp - /var/lib/php/session:mode=770,uid=1997,gid=1995 @@ -409,6 +410,7 @@ services: - /etc/localtime:/etc/localtime:ro - ${DATA_DIRECTORY}/etc/ssl/nginx:/etc/ssl/nginx:ro - ${DATA_DIRECTORY}/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro + - ${DATA_DIRECTORY}/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro tmpfs: - /tmp - /var/lib/php/session:mode=770,uid=1997,gid=1995 diff --git a/config_templates/proxy/zabbix_proxy_tls.conf b/config_templates/proxy/zabbix_proxy_tls.conf index 9ff65708b..49d9a143e 100644 --- a/config_templates/proxy/zabbix_proxy_tls.conf +++ b/config_templates/proxy/zabbix_proxy_tls.conf @@ -99,6 +99,16 @@ TLSPSKIdentity=${ZBX_TLSPSKIDENTITY} TLSPSKFile=${ZBX_TLSPSKFILE} +### Option: TLSListen +# Setting this option enforces that only encrypted connections are accepted by trappers. +# Supported values: +# required - accept only TLS connections +# Mandatory: no +# Default: +# TLSListen= + +TLSListen=${ZBX_TLSLISTEN} + ####### For advanced users - TLS ciphersuite selection criteria ####### ### Option: TLSCipherCert13 diff --git a/config_templates/server/zabbix_server.conf b/config_templates/server/zabbix_server.conf index 757c35929..cfcf0951b 100644 --- a/config_templates/server/zabbix_server.conf +++ b/config_templates/server/zabbix_server.conf 
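Review bot: The two `compose_zabbix_components.yaml` hunks mount `${DATA_DIRECTORY}/var/lib/zabbix/enc` read-only but leave `/var/lib/zabbix/enc_internal`, the directory the web entrypoints write `ZBX_SERVER_TLS_KEY` and the other inline values into on every start, in the container's writable layer, so the plaintext key persists across restarts at umask-default permissions. These appear to be the apache and nginx frontend services (the `/etc/ssl/apache2` and `/etc/ssl/nginx` mounts), and they already keep the session directory on tmpfs, so the same treatment keeps the copied key in memory only: add `- /var/lib/zabbix/enc_internal:mode=700,uid=1997,gid=1995` under each `tmpfs:` list. The second compose hunk (`@@ -409,6 +410,7 @@`) needs the same line. The `env_vars/.env_web` hunk that documents `ZBX_SERVER_TLS_KEY` is the place to mention that inline values are materialised into that directory.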
@@ -34,6 +34,7 @@ Include=/etc/zabbix/zabbix_server_snmp_traps.conf
 Include=/etc/zabbix/zabbix_server_ssl.conf
 Include=/etc/zabbix/zabbix_server_timeouts.conf
 Include=/etc/zabbix/zabbix_server_tls.conf
+Include=/etc/zabbix/zabbix_server_frontend.conf
 Include=/etc/zabbix/zabbix_server_vault.conf
 Include=/etc/zabbix/zabbix_server_vmware.conf
 Include=/etc/zabbix/zabbix_server_webdriver.conf
diff --git a/config_templates/server/zabbix_server_frontend.conf b/config_templates/server/zabbix_server_frontend.conf
new file mode 100644
index 000000000..fac453b31
--- /dev/null
+++ b/config_templates/server/zabbix_server_frontend.conf
@@ -0,0 +1,45 @@
+### Option: TLSFrontendAccept
+# What incoming connections to accept from frontend.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# cert - accept connections secured with TLS and a certificate
+
+# Mandatory: no
+# Default:
+# TLSFrontendAccept=unencrypted
+
+TLSFrontendAccept=${ZBX_TLS_FRONTENDACCEPT}
+
+### Option: FrontendAllowedIP
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances.
+# Frontend connection will be accepted only from the addresses listed here if this parameter is set.
+# By default all connections are accepted for frontend requests
+
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: FrontendAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+
+# Mandatory: no
+# Default:
+# FrontendAllowedIP=
+
+FrontendAllowedIP=${ZBX_FRONTENDALLOWEDIP}
+
+### Option: TLSFrontendCertIssuer
+# Allowed frontend certificate issuer.
+
+# Mandatory: no
+# Default:
+# TLSFrontendCertIssuer=
+
+TLSFrontendCertIssuer=${ZBX_TLSFRONTENDCERTISSUER}
+
+### Option: TLSFrontendCertSubject
+# Allowed frontend certificate subject.
+
+# Mandatory: no
+# Default:
+# TLSFrontendCertSubject=
+
+TLSFrontendCertSubject=${ZBX_TLSFRONTENDCERTSUBJECT}
diff --git a/config_templates/server/zabbix_server_tls.conf b/config_templates/server/zabbix_server_tls.conf
index 2a950e02f..31917e71b 100644
--- a/config_templates/server/zabbix_server_tls.conf
+++ b/config_templates/server/zabbix_server_tls.conf
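Review bot: `ZBX_TLS_FRONTENDACCEPT` is the only variable in this new template with an underscore inside the option name; its three siblings (`ZBX_FRONTENDALLOWEDIP`, `ZBX_TLSFRONTENDCERTISSUER`, `ZBX_TLSFRONTENDCERTSUBJECT`) and the existing `ZBX_TLSACCEPT`/`ZBX_TLSCONNECT` in `.env_prx` follow `ZBX_` plus the option name verbatim, so `TLSFrontendAccept=${ZBX_TLSFRONTENDACCEPT}` is the consistent spelling (the `.env_srv` hunk would change to match). The `FrontendAllowedIP` block already states that all connections are accepted when the option is empty, and the `.env_srv` sample leaves `ZBX_FRONTENDALLOWEDIP=` blank and commented out; a trailing hint on that sample line, `# Set to the frontend service address to limit which peers may issue frontend requests`, makes the hardening step discoverable next to the TLS variables it accompanies.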
@@ -37,6 +37,16 @@ TLSCertFile=${ZBX_TLSCERTFILE} TLSKeyFile=${ZBX_TLSKEYFILE} +### Option: TLSListen +# Setting this option enforces that only encrypted connections are accepted by trappers. +# Supported values: +# required - accept only TLS connections +# Mandatory: no +# Default: +# TLSListen= + +TLSListen=${ZBX_TLSLISTEN} + ####### For advanced users - TLS ciphersuite selection criteria ####### ### Option: TLSCipherCert13 diff --git a/env_vars/.env_prx b/env_vars/.env_prx index d617a0dd0..49d8f0afb 100644 --- a/env_vars/.env_prx +++ b/env_vars/.env_prx @@ -54,6 +54,7 @@ # ZBX_UNREACHABLEDELAY=15 # ZBX_LOGSLOWQUERIES=3000 # ZBX_LOADMODULE="dummy1.so,dummy2.so,dummy10.so" +# ZBX_TLSLISTEN= # Available since 7.4.0 # ZBX_TLSCONNECT=unencrypted # ZBX_TLSACCEPT=unencrypted # ZBX_TLSCAFILE= diff --git a/env_vars/.env_srv b/env_vars/.env_srv index a98fe580a..d5989def0 100644 --- a/env_vars/.env_srv +++ b/env_vars/.env_srv @@ -15,7 +15,7 @@ # ZBX_HANODENAME= # Available since 6.0.0 # ZBX_AUTONODEADDRESS=fqdn # Allowed values: fqdn, hostname. Available since 6.0.0 # ZBX_NODEADDRESSPORT=10051 # Allowed to use with ZBX_AUTONODEADDRESS variable only. Available since 6.0.0 -# ZBX_NODEADDRESS=localhost:10051 # Available since 6.0.0 +ZBX_NODEADDRESS=zabbix-server:10051 # Available since 6.0.0 # ZBX_DEBUGLEVEL=3 # ZBX_ENABLEGLOBALSCRIPTS=0 # Available since 7.0.0 # ZBX_STARTAGENTPOLLERS=1 # Available since 7.0.0 @@ -70,6 +70,7 @@ ZBX_ENABLE_SNMP_TRAPS=true # ZBX_PROXYCONFIGFREQUENCY=10 # ZBX_PROXYDATAFREQUENCY=1 # ZBX_LOADMODULE="dummy1.so,dummy2.so,dummy10.so" +# ZBX_TLSLISTEN= # Available since 7.4.0 # ZBX_TLSCAFILE= # ZBX_TLSCA= # ZBX_TLSCRLFILE= 
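Review bot: The `.env_srv` hunk `@@ -15,7 +15,7 @@` uncomments `ZBX_NODEADDRESS` and changes its value from `localhost:10051` to `zabbix-server:10051`, which activates that setting in every compose deployment sourcing the file, while the commit is about frontend TLS and the description does not mention it. If the frontend TLS setup depends on it, say so on the line, e.g. `ZBX_NODEADDRESS=zabbix-server:10051 # Available since 6.0.0. Needed by the frontend in compose setups`; otherwise it belongs in its own commit. The other three hunks on this line only add commented-out `ZBX_TLSLISTEN` samples and the `TLSListen` template entry and raise nothing.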
@@ -78,6 +79,10 @@ ZBX_ENABLE_SNMP_TRAPS=true # ZBX_TLSCERT= # ZBX_TLSKEYFILE= # ZBX_TLSKEY= +# ZBX_TLS_FRONTENDACCEPT=cert # Available since 7.4.0 +# ZBX_FRONTENDALLOWEDIP= # Available since 7.4.0 +# ZBX_TLSFRONTENDCERTISSUER= # Available since 7.4.0 +# ZBX_TLSFRONTENDCERTSUBJECT= # Available since 7.4.0 # ZBX_VAULT=HashiCorp # Available since 6.2.0 # ZBX_VAULTDBPATH= # ZBX_VAULTTLSCERTFILE= # Available since 6.2.0 diff --git a/env_vars/.env_web b/env_vars/.env_web index ae7aaa624..ba8934c60 100644 --- a/env_vars/.env_web +++ b/env_vars/.env_web @@ -18,6 +18,15 @@ ZBX_SERVER_NAME=Composed installation # ZBX_HISTORYSTORAGETYPES=['uint', 'dbl', 'str', 'text', 'log'] # Available since 3.4.5 # ZBX_SSO_SETTINGS={} # Available since 5.0.0. Then will be converted from JSON to PHP array. # ZBX_ALLOW_HTTP_AUTH=true # Available since 7.0.0 +# ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0 +# ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0 +# ZBX_SERVER_TLS_CA= # Available since 7.4.0 +# ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0 +# ZBX_SERVER_TLS_KEY= # Available since 7.4.0 +# ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0 +# ZBX_SERVER_TLS_CERT= # Available since 7.4.0 +# ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0 +# ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0 # ENABLE_WEB_ACCESS_LOG=true # ZBX_MAXEXECUTIONTIME=600 # ZBX_MEMORYLIMIT=128M