Added encryption support between server and frontend

Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile

@@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
 ENV TERM=xterm \
     ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
     ZABBIX_CONF_DIR="/etc/zabbix" \
+    ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
     ZABBIX_WWW_ROOT="/usr/share/zabbix"
 
 LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
@@ -69,11 +70,13 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
             -g zabbix \
             --uid 1997 \
             --shell /sbin/nologin \
-            --home-dir /var/lib/zabbix/ \
+            --home-dir ${ZABBIX_USER_HOME_DIR} \
         zabbix && \
     mkdir -p ${ZABBIX_CONF_DIR} && \
     mkdir -p ${ZABBIX_CONF_DIR}/web && \
     mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
     mkdir -p /var/lib/php/session && \
     rm -f /etc/nginx/conf.d/*.conf && \
     rm -rf /var/cache/nginx/ && \
@@ -98,9 +101,9 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
     chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
-    chown --quiet -R zabbix:root /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
-    chgrp -R 0 /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
-    chmod -R g=u /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+    chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+    chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
+    chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/nginx/ /etc/php/8.3/fpm/php-fpm.conf /etc/php/8.3/fpm/pool.d/ && \
     chown --quiet -R zabbix:root /var/lib/php/session/ && \
     chgrp -R 0 /var/lib/php/session/ && \
     chmod -R g=u /var/lib/php/session/

Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php

@@ -105,3 +105,10 @@ $sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS'));
 $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
 
 $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
+
+$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
+$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
+$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
+$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
+$ZBX_SERVER_TLS['CERTIFICATE_ISSUER']  = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
+$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');

Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh

@@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
     set -o xtrace
 fi
 
+# Internal directory for TLS related files, used when TLS*File specified as plain text values
+ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
+
 # Default Zabbix installation name
 # Used only by Zabbix web-interface
 : ${ZBX_SERVER_NAME:="Zabbix docker"}
@@ -63,6 +66,22 @@ file_env() {
     unset "$fileVar"
 }
 
+file_process_from_env() {
+    local var_name=$1
+    local file_name=$2
+    local var_value=$3
+
+    if [ ! -z "$var_value" ]; then
+        echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
+        file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
+    fi
+
+    export "$var_name"="$file_name"
+
+    # Remove variable with plain text data
+    unset "${var_name%%FILE}"
+}
+
 # Check prerequisites for MySQL database
 check_variables() {
     if [ ! -n "${DB_SERVER_SOCKET}" ]; then
@@ -280,6 +299,14 @@ prepare_zbx_php_config() {
 
     : ${ZBX_ALLOW_HTTP_AUTH:="true"}
     export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
+
+    : ${ZBX_SERVER_TLS_ACTIVE:="0"}
+    export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
+    file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
+    file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
+    file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
+    export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
+    export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
 }
 
 prepare_zbx_config() {