mirror of
https://github.com/zabbix/zabbix-docker.git
synced 2025-08-09 00:24:58 +02:00
Added encryption support between server and frontend
This commit is contained in:
Alexey Pustovalov
@ -241,6 +241,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0
|
||||
ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0
|
||||
VAULT_TOKEN= # Available since 5.2.0
|
||||
|
||||
ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CA= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_KEY= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CERT= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0
|
||||
ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0
|
||||
|
||||
Allowed PHP-FPM configuration options:
|
||||
PHP_FPM_PM=dynamic
|
||||
PHP_FPM_PM_MAX_CHILDREN=50
|
||||
@ -262,6 +272,10 @@ Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4
|
||||
|
||||
The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0.
|
||||
|
||||
### ``/var/lib/zabbix/enc``
|
||||
|
||||
The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0.
|
||||
|
||||
# The image variants
|
||||
|
||||
The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case.
|
||||
|
||||
@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
|
||||
ENV TERM=xterm \
|
||||
ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
|
||||
ZABBIX_CONF_DIR="/etc/zabbix" \
|
||||
ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
|
||||
ZABBIX_WWW_ROOT="/usr/share/zabbix"
|
||||
|
||||
LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
|
||||
@ -77,11 +78,13 @@ RUN set -eux && \
|
||||
--uid 1997 \
|
||||
--ingroup zabbix \
|
||||
--shell /sbin/nologin \
|
||||
--home /var/lib/zabbix/ \
|
||||
--home ${ZABBIX_USER_HOME_DIR} \
|
||||
zabbix && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR} && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
|
||||
rm -f "/etc/apache2/conf.d/default.conf" && \
|
||||
rm -f "/etc/apache2/conf.d/ssl.conf" && \
|
||||
rm -f "/etc/apache2/conf.d/info.conf" && \
|
||||
@ -103,9 +106,9 @@ RUN set -eux && \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chown --quiet -R zabbix:root /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chgrp -R 0 /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chmod -R g=u /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chgrp -R 0 ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chmod -R g=u ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root /var/lib/php/session/ && \
|
||||
chgrp -R 0 /var/lib/php/session/ && \
|
||||
chmod -R g=u /var/lib/php/session/
|
||||
|
||||
@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
|
||||
$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
|
||||
|
||||
$ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
|
||||
|
||||
$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
|
||||
$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
|
||||
$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');
|
||||
|
||||
@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
# Internal directory for TLS related files, used when TLS*File specified as plain text values
|
||||
ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
|
||||
|
||||
# Default Zabbix installation name
|
||||
# Used only by Zabbix web-interface
|
||||
: ${ZBX_SERVER_NAME:="Zabbix docker"}
|
||||
@ -66,6 +69,22 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_process_from_env() {
|
||||
local var_name=$1
|
||||
local file_name=$2
|
||||
local var_value=$3
|
||||
|
||||
if [ ! -z "$var_value" ]; then
|
||||
echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
|
||||
file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
|
||||
fi
|
||||
|
||||
export "$var_name"="$file_name"
|
||||
|
||||
# Remove variable with plain text data
|
||||
unset "${var_name%%FILE}"
|
||||
}
|
||||
|
||||
# Check prerequisites for MySQL database
|
||||
check_variables() {
|
||||
if [ ! -n "${DB_SERVER_SOCKET}" ]; then
|
||||
@ -254,6 +273,14 @@ prepare_zbx_php_config() {
|
||||
|
||||
: ${ZBX_ALLOW_HTTP_AUTH:="true"}
|
||||
export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
|
||||
|
||||
: ${ZBX_SERVER_TLS_ACTIVE:="0"}
|
||||
export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
|
||||
file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
|
||||
export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
|
||||
export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
|
||||
}
|
||||
|
||||
prepare_zbx_config() {
|
||||
|
||||
@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
|
||||
ENV TERM=xterm \
|
||||
ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
|
||||
ZABBIX_CONF_DIR="/etc/zabbix" \
|
||||
ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
|
||||
ZABBIX_WWW_ROOT="/usr/share/zabbix"
|
||||
|
||||
LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
|
||||
@ -88,11 +89,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
|
||||
-g zabbix \
|
||||
--uid 1997 \
|
||||
--shell /sbin/nologin \
|
||||
--home-dir /var/lib/zabbix/ \
|
||||
--home-dir ${ZABBIX_USER_HOME_DIR} \
|
||||
zabbix && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR} && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
|
||||
rm -f "/etc/httpd/conf.d/default.conf" && \
|
||||
rm -f "/etc/httpd/conf.d/ssl.conf" && \
|
||||
rm -f "/etc/httpd/conf.d/autoindex.conf" && \
|
||||
@ -115,9 +118,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \
|
||||
chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \
|
||||
chmod -R g=u /run/httpd/ /var/lib/php/session/ && \
|
||||
|
||||
@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
|
||||
$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
|
||||
|
||||
$ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
|
||||
|
||||
$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
|
||||
$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
|
||||
$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');
|
||||
|
||||
@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
# Internal directory for TLS related files, used when TLS*File specified as plain text values
|
||||
ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
|
||||
|
||||
# Default Zabbix installation name
|
||||
# Used only by Zabbix web-interface
|
||||
: ${ZBX_SERVER_NAME:="Zabbix docker"}
|
||||
@ -66,6 +69,22 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_process_from_env() {
|
||||
local var_name=$1
|
||||
local file_name=$2
|
||||
local var_value=$3
|
||||
|
||||
if [ ! -z "$var_value" ]; then
|
||||
echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
|
||||
file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
|
||||
fi
|
||||
|
||||
export "$var_name"="$file_name"
|
||||
|
||||
# Remove variable with plain text data
|
||||
unset "${var_name%%FILE}"
|
||||
}
|
||||
|
||||
# Check prerequisites for MySQL database
|
||||
check_variables() {
|
||||
if [ ! -n "${DB_SERVER_SOCKET}" ]; then
|
||||
@ -254,6 +273,14 @@ prepare_zbx_php_config() {
|
||||
|
||||
: ${ZBX_ALLOW_HTTP_AUTH:="true"}
|
||||
export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
|
||||
|
||||
: ${ZBX_SERVER_TLS_ACTIVE:="0"}
|
||||
export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
|
||||
file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
|
||||
export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
|
||||
export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
|
||||
}
|
||||
|
||||
prepare_zbx_config() {
|
||||
|
||||
@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
|
||||
ENV TERM=xterm \
|
||||
ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
|
||||
ZABBIX_CONF_DIR="/etc/zabbix" \
|
||||
ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
|
||||
ZABBIX_WWW_ROOT="/usr/share/zabbix"
|
||||
|
||||
LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
|
||||
@ -80,11 +81,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
|
||||
-g zabbix \
|
||||
--uid 1997 \
|
||||
--shell /sbin/nologin \
|
||||
--home-dir /var/lib/zabbix/ \
|
||||
--home-dir ${ZABBIX_USER_HOME_DIR} \
|
||||
zabbix && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR} && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
|
||||
rm -f "/etc/httpd/conf.d/default.conf" && \
|
||||
rm -f "/etc/httpd/conf.d/ssl.conf" && \
|
||||
rm -f "/etc/httpd/conf.d/autoindex.conf" && \
|
||||
@ -107,9 +110,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
|
||||
chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \
|
||||
chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \
|
||||
chmod -R g=u /run/httpd/ /var/lib/php/session/ && \
|
||||
|
||||
@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
|
||||
$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
|
||||
|
||||
$ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
|
||||
|
||||
$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
|
||||
$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
|
||||
$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');
|
||||
|
||||
@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
# Internal directory for TLS related files, used when TLS*File specified as plain text values
|
||||
ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
|
||||
|
||||
# Default Zabbix installation name
|
||||
# Used only by Zabbix web-interface
|
||||
: ${ZBX_SERVER_NAME:="Zabbix docker"}
|
||||
@ -66,6 +69,22 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_process_from_env() {
|
||||
local var_name=$1
|
||||
local file_name=$2
|
||||
local var_value=$3
|
||||
|
||||
if [ ! -z "$var_value" ]; then
|
||||
echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
|
||||
file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
|
||||
fi
|
||||
|
||||
export "$var_name"="$file_name"
|
||||
|
||||
# Remove variable with plain text data
|
||||
unset "${var_name%%FILE}"
|
||||
}
|
||||
|
||||
# Check prerequisites for MySQL database
|
||||
check_variables() {
|
||||
if [ ! -n "${DB_SERVER_SOCKET}" ]; then
|
||||
@ -254,6 +273,14 @@ prepare_zbx_php_config() {
|
||||
|
||||
: ${ZBX_ALLOW_HTTP_AUTH:="true"}
|
||||
export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
|
||||
|
||||
: ${ZBX_SERVER_TLS_ACTIVE:="0"}
|
||||
export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
|
||||
file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
|
||||
export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
|
||||
export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
|
||||
}
|
||||
|
||||
prepare_zbx_config() {
|
||||
|
||||
@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
|
||||
ENV TERM=xterm \
|
||||
ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
|
||||
ZABBIX_CONF_DIR="/etc/zabbix" \
|
||||
ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
|
||||
ZABBIX_WWW_ROOT="/usr/share/zabbix"
|
||||
|
||||
LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
|
||||
@ -70,11 +71,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
|
||||
-g zabbix \
|
||||
--uid 1997 \
|
||||
--shell /sbin/nologin \
|
||||
--home-dir /var/lib/zabbix/ \
|
||||
--home-dir ${ZABBIX_USER_HOME_DIR}/ \
|
||||
zabbix && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR} && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web && \
|
||||
mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
|
||||
mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
|
||||
mkdir -p /var/lib/php/session && \
|
||||
find /etc/ -name '*.dpkg-dist' | xargs rm -f && \
|
||||
rm -f /etc/apache2/sites-available/* && \
|
||||
@ -98,9 +101,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
|
||||
chown --quiet -R zabbix:root /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chgrp -R 0 /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chmod -R g=u /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/apache2/ /etc/php/8.3/fpm/ && \
|
||||
chown --quiet -R zabbix:root /var/lib/php/session/ && \
|
||||
chgrp -R 0 /var/lib/php/session/ && \
|
||||
chmod -R g=u /var/lib/php/session/
|
||||
|
||||
@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
|
||||
$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
|
||||
|
||||
$ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
|
||||
|
||||
$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
|
||||
$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
|
||||
$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_ISSUER'] = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
|
||||
$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');
|
||||
|
||||
@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
# Internal directory for TLS related files, used when TLS*File specified as plain text values
|
||||
ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
|
||||
|
||||
# Default Zabbix installation name
|
||||
# Used only by Zabbix web-interface
|
||||
: ${ZBX_SERVER_NAME:="Zabbix docker"}
|
||||
@ -66,6 +69,22 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_process_from_env() {
|
||||
local var_name=$1
|
||||
local file_name=$2
|
||||
local var_value=$3
|
||||
|
||||
if [ ! -z "$var_value" ]; then
|
||||
echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
|
||||
file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
|
||||
fi
|
||||
|
||||
export "$var_name"="$file_name"
|
||||
|
||||
# Remove variable with plain text data
|
||||
unset "${var_name%%FILE}"
|
||||
}
|
||||
|
||||
# Check prerequisites for MySQL database
|
||||
check_variables() {
|
||||
if [ ! -n "${DB_SERVER_SOCKET}" ]; then
|
||||
@ -254,6 +273,14 @@ prepare_zbx_php_config() {
|
||||
|
||||
: ${ZBX_ALLOW_HTTP_AUTH:="true"}
|
||||
export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
|
||||
|
||||
: ${ZBX_SERVER_TLS_ACTIVE:="0"}
|
||||
export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
|
||||
file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
|
||||
file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
|
||||
export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
|
||||
export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
|
||||
}
|
||||
|
||||
prepare_zbx_config() {
|
||||
|
||||
Reference in New Issue
Block a user