Added encryption support between server and frontend

2025-08-13 18:37:10 +02:00 · 2025-06-26 17:08:19 +09:00
parent dc7086ede0
commit 39b04c8215
70 changed files with 890 additions and 243 deletions
--- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh
@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
    set -o xtrace
 fi

+# Internal directory for TLS related files, used when TLS*File specified as plain text values
+ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
+
 # Default Zabbix installation name
 # Used only by Zabbix web-interface
 : ${ZBX_SERVER_NAME:="Zabbix docker"}
@ -24,7 +27,7 @@ fi

 # DefaultRuntimeDir configuration option value
 export APACHE_RUN_DIR="/tmp/httpd"
-
+    
 # Default directories
 # Apache main configuration file
 HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf"
@ -66,6 +69,22 @@ file_env() {
    unset "$fileVar"
 }

+file_process_from_env() {
+    local var_name=$1
+    local file_name=$2
+    local var_value=$3
+
+    if [ ! -z "$var_value" ]; then
+        echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
+        file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
+    fi
+
+    export "$var_name"="$file_name"
+
+    # Remove variable with plain text data
+    unset "${var_name%%FILE}"
+}
+
 # Check prerequisites for PostgreSQL database
 check_variables() {
    file_env POSTGRES_USER
@ -140,28 +159,6 @@ check_db_connect() {
    unset PGSSLKEY
 }

-prepare_web_server() {
-    APACHE_SITES_DIR=/etc/httpd/conf.d
-
-    echo "** Adding Zabbix virtual host (HTTP)"
-    if [ -f "$ZABBIX_CONF_DIR/apache.conf" ]; then
-        ln -sfT "$ZABBIX_CONF_DIR/apache.conf" "$APACHE_SITES_DIR/zabbix.conf"
-    else
-        echo "**** Impossible to enable HTTP virtual host"
-    fi
-
-    if [ -f "/etc/ssl/apache2/ssl.crt" ] && [ -f "/etc/ssl/apache2/ssl.key" ]; then
-        echo "** Adding Zabbix virtual host (HTTPS)"
-        if [ -f "$ZABBIX_CONF_DIR/apache_ssl.conf" ]; then
-            ln -sfT "$ZABBIX_CONF_DIR/apache_ssl.conf" "$APACHE_SITES_DIR/zabbix_ssl.conf"
-        else
-            echo "**** Impossible to enable HTTPS virtual host"
-        fi
-    else
-        echo "**** Impossible to enable SSL support for Apache2. Certificates are missed."
-    fi
-}
-
 prepare_web_server() {
    if [ "$(id -u)" == '0' ]; then
        export APACHE_RUN_USER=${DAEMON_USER}
@ -275,6 +272,14 @@ prepare_zbx_php_config() {

    : ${ZBX_ALLOW_HTTP_AUTH:="true"}
    export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
+
+    : ${ZBX_SERVER_TLS_ACTIVE:="0"}
+    export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
+    file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
+    file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
+    file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
+    export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
+    export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
 }

 prepare_zbx_config() {