diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf b/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf index 9a36c5002..2c55ebca2 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf @@ -43,6 +43,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf index 4cb13d56f..2cffba707 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -5,8 +5,6 @@ Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
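Review bot: In the apache.conf hunk, the container directives around the two new `Require all denied` entries (the `<Directory>`/`<Files>` and `<IfModule>` lines) do not survive in this rendering, so which paths the new blocks actually protect cannot be checked here; the nginx configs in the same commit deny `/app/`, `/conf`, `/include/`, `/local/` and `/locale/`, and the Apache side should cover the same set, so a comment naming the protected directory above each block would make the intent reviewable. If the `Order deny,allow` / `Deny from all` pair is meant as the fallback for builds without mod_authz_core, it needs to sit inside `<IfModule !mod_authz_core.c>`; on a 2.4 build that does not load mod_access_compat those two directives are rejected at startup. The enclosing `<VirtualHost>`/`<Directory>` context starts outside the hunk.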
@@ -17,16 +15,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -66,6 +69,14 @@ Listen 8443 + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-mysql/centos/conf/etc/zabbix/apache.conf b/web-apache-mysql/centos/conf/etc/zabbix/apache.conf index a58c94c32..da1fc2a5d 100644 
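Review bot: `Protocols h2 http/1.1` is added unconditionally although the comment above it says "if available"; the `Protocols` directive is only understood by httpd 2.4.17 and later, so on an older build this is an unknown directive that aborts startup, and on a newer build without mod_http2 loaded (Alpine ships it as a separate package) h2 is silently never offered. Guard it so the comment is true: `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>`. The rest of the hunk (TLS 1.2/1.3 only, AEAD-only suites, tickets off, two-year HSTS) matches the "intermediate configuration" comment; note that `SSLHonorCipherOrder off` is only safe because every remaining suite is AEAD with forward secrecy, so the comment should say that the cipher list and the honor-order setting must be changed together. The `<VirtualHost>` this sits in starts before the hunk.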
--- a/web-apache-mysql/centos/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/centos/conf/etc/zabbix/apache.conf @@ -47,6 +47,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf index ed3e546f1..2c6f4660d 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
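Review bot: In the centos apache.conf hunk, the `<Directory>`/`<Files>` and `<IfModule>` lines that should wrap the two `Require all denied` entries are not visible in this rendering, so it cannot be verified which frontend directories are being closed off; the nginx configs in this commit deny `/app/`, `/conf`, `/include/`, `/local/` and `/locale/`, and a one-line comment above each block naming the directory would let a reviewer confirm the Apache set matches. The `Order deny,allow` / `Deny from all` pair only parses when mod_access_compat is loaded, so it belongs inside `<IfModule !mod_authz_core.c>` as the pre-2.4 fallback, otherwise a 2.4 build without mod_access_compat fails to start. The enclosing block starts outside the hunk.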
@@ -16,16 +14,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -69,6 +72,14 @@ Listen 8443 + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf index 9a36c5002..2c55ebca2 100644 
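Review bot: `Protocols h2 http/1.1` is unconditional despite the "if available" comment; `Protocols` exists only in httpd 2.4.17 and later, so if this image still builds on an older httpd the directive aborts startup, and without mod_http2 loaded it does nothing. Wrapping it in `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>` makes the behaviour match the comment. The hunk's header context shows `LoadModule socache_shmcb_module` but no http2 module load is visible, so whether h2 is ever negotiated here depends on configuration outside the hunk; the enclosing `<VirtualHost>` also starts before it.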
--- a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf @@ -43,6 +43,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf index 0d4382cfd..2c956fec1 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
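Review bot: In the ubuntu apache.conf hunk, the container and `<IfModule>` directives around the new `Require all denied` blocks are stripped in this rendering, so the protected paths cannot be confirmed from here; they should match the `/app/`, `/conf`, `/include/`, `/local/`, `/locale/` set the nginx configs in this commit deny, and a short comment per block naming the directory would make that checkable. The `Order deny,allow` / `Deny from all` fallback needs `<IfModule !mod_authz_core.c>` around it, since those directives are provided by mod_access_compat and are rejected on a 2.4 build that does not load it. The enclosing block starts outside the hunk.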
@@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied 
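Review bot: `Protocols h2 http/1.1` is added unconditionally while the hunk's only visible `LoadModule` is `headers_module`; unless mod_http2 is loaded elsewhere, h2 is never offered and the "if available" comment is misleading, and on an httpd older than 2.4.17 the directive is unknown and stops the server. Guard it: `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>`. The `Header always set Strict-Transport-Security` line is covered by the loaded mod_headers, so that part is consistent. The `<VirtualHost>` containing these lines starts before the hunk.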
diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf b/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf index 9a36c5002..2c55ebca2 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf @@ -43,6 +43,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf index 4cb13d56f..2cffba707 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -5,8 +5,6 @@ Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
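Review bot: In the apache.conf hunk, the `<Directory>`/`<Files>` and `<IfModule>` wrappers around the two `Require all denied` entries are not visible in this rendering, so the set of protected paths cannot be verified; the nginx configs in the same commit deny `/app/`, `/conf`, `/include/`, `/local/` and `/locale/`, and the Apache blocks should cover the same directories, which a comment above each block would make reviewable. `Order deny,allow` / `Deny from all` only parse with mod_access_compat, so that pair belongs in `<IfModule !mod_authz_core.c>`; otherwise a 2.4 build without the compat module fails at startup. The enclosing block starts outside the hunk.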
@@ -17,16 +15,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -66,6 +69,14 @@ Listen 8443 + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf b/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf index a58c94c32..da1fc2a5d 100644 
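Review bot: `Protocols h2 http/1.1` is unconditional although the comment says "if available"; the directive requires httpd 2.4.17 or later (older builds abort on it) and does nothing unless mod_http2 is loaded, which Alpine packages separately. Guard it so the comment holds: `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>`. `SSLHonorCipherOrder off` is acceptable only because every suite left in `SSLCipherSuite` is AEAD with forward secrecy; a comment saying the two must be changed together would stop a later edit from re-adding CBC suites while leaving the client in charge of ordering. The `<VirtualHost>` starts before the hunk.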
--- a/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf @@ -47,6 +47,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf index ed3e546f1..2c6f4660d 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so Listen 8443 - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
@@ -16,16 +14,21 @@ Listen 8443 # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -69,6 +72,14 @@ Listen 8443 + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf index 9a36c5002..2c55ebca2 100644 
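Review bot: `Protocols h2 http/1.1` is added without a guard even though the comment says "if available"; `Protocols` is only understood from httpd 2.4.17 on, so an older httpd fails to start, and with mod_http2 not loaded the directive is a no-op. `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>` makes the directive conditional as the comment promises. No http2 `LoadModule` is visible in the hunk context (only `socache_shmcb_module`), so whether h2 is actually offered depends on configuration outside this hunk; the enclosing `<VirtualHost>` also starts before it.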
--- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf @@ -43,6 +43,14 @@ + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf index 0d4382cfd..2c956fec1 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so - SSLEngine on - DocumentRoot /usr/share/zabbix/ ServerName zabbix DirectoryIndex index.php 
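Review bot: In the ubuntu apache.conf hunk, the `<Directory>`/`<Files>` and `<IfModule>` directives wrapping the new `Require all denied` blocks do not survive in this rendering, so the protected paths cannot be verified from here; they should match the `/app/`, `/conf`, `/include/`, `/local/`, `/locale/` set denied by this commit's nginx configs, and a comment naming each directory would let a reviewer confirm that. The `Order deny,allow` / `Deny from all` fallback belongs inside `<IfModule !mod_authz_core.c>`, because those directives come from mod_access_compat and a 2.4 build without it rejects them. The enclosing block starts outside the hunk.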
@@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so # Enable/Disable SSL for this virtual host. SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - SSLHonorCipherOrder on + # intermediate configuration + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateKeyFile /etc/ssl/apache2/ssl.key # SSLCACertificatePath /etc/ssl/apache2/chain/ - # HSTS (mod_headers is required) (15768000 seconds = 6 months) - Header always set Strict-Transport-Security "max-age=15768000" + # enable HTTP/2, if available + Protocols h2 http/1.1 + + # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) + Header always set Strict-Transport-Security "max-age=63072000" Options FollowSymLinks @@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so + + Require all denied + + Order deny,allow + Deny from all + + + Require all denied 
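Review bot: `Protocols h2 http/1.1` is unconditional while the only `LoadModule` visible in the hunk context is `headers_module`; if mod_http2 is not loaded elsewhere, h2 is never negotiated and the "if available" comment is misleading, and on an httpd older than 2.4.17 the directive is unknown and aborts startup. Guard it: `<IfModule mod_http2.c>` / `    Protocols h2 http/1.1` / `</IfModule>`. The `Header always set Strict-Transport-Security` line is consistent with the loaded mod_headers. The `<VirtualHost>` containing these lines starts before the hunk.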
diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf
index f1074b94f..da6769355 100644
--- a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf
+++ b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf
@@ -41,7 +41,7 @@ server {
 expires 14d;
 }
 
- location ~ /(app\/|conf[^\.]|include|locale) {
+ location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
 deny all;
 return 404;
 }
@@ -50,11 +50,6 @@ server {
 try_files $uri $uri/ /index.php?$args;
 }
 
- location ~ /(api\/|conf[^\.]|include|locale|vendor) {
- deny all;
- return 404;
- }
-
 location ~ .php$ {
 fastcgi_pass unix:/tmp/php-fpm.sock;
 fastcgi_index index.php;
diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf
index 23417419a..f3a6d6534 100644
--- a/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf
+++ b/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf
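Review bot: Merging the two deny rules into the single `location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/)` drops `api\/` and `vendor` from the denied prefixes; if the frontend tree still ships a `vendor/` (or `api/`) directory, its PHP sources become reachable through the `location ~ .php$` hand-off that follows, since regex locations are tried in file order and nothing else matches them first. The removed rule suggests `vendor` was deliberately protected, so either add `vendor\/` to the new alternation or record in a comment why the directory no longer exists. Tightening `include` to `include\/` is an improvement, but note the unchanged `location ~ .php$` has an unescaped dot and should read `location ~ \.php$`. The `server` block starts before the hunk.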
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { @@ -63,7 +68,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -72,11 +77,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf index f1074b94f..da6769355 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf 
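Review bot: The new `ssl_ciphers` list keeps `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, so the unchanged `ssl_dhparam /etc/ssl/nginx/dhparam.pem` line now governs the strength of those handshakes, and the commit does not show how that file is produced; the profile this mirrors (the "intermediate configuration" comment and `shared:MozSSL` cache name point at Mozilla's generator) pairs this list with a 2048-bit group, so confirm the image generates or ships at least 2048-bit parameters, or drop the two DHE suites so TLS 1.2 is ECDHE-only. Adding `always` to the HSTS header is correct for error responses; a comment that nginx's `add_header` is not inherited into any `location` that sets its own `add_header` would protect the CSP and HSTS lines from a future per-location header. The `server` block starts before the hunk.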
@@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -50,11 +50,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf index 23417419a..f3a6d6534 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf @@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { 
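Review bot: In the centos nginx.conf hunks, collapsing the two deny rules into one drops `api\/` and `vendor` from the denied set, so any `vendor/` or `api/` directory still present in the frontend is now served, and its `.php` files are executed by the `location ~ .php$` block that follows; regex locations match in file order, so this deny rule is the only thing standing in front of that hand-off. Add `vendor\/` back unless the directory is known to be gone, and escape the dot in the PHP location: `location ~ \.php$ {`. The centos nginx_ssl hunk on this line keeps the `DHE-RSA-*` suites, so the strength of the unchanged `dhparam.pem` matters for those handshakes and should be at least 2048 bits. Both `server` blocks start before their hunks.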
@@ -63,7 +68,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -72,11 +77,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf index d3a9a85bb..da6769355 100644 --- a/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf @@ -15,7 +15,6 @@ server { large_client_header_buffers 8 8k; client_max_body_size 10M; - location = /favicon.ico { log_not_found off; } @@ -26,12 +25,6 @@ server { access_log off; } - # deny running scripts inside writable directories - location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { - return 403; - error_page 403 /403_error.html; - } - # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). location ~ /\. { deny all; @@ -40,23 +33,23 @@ server { } # caching of files - location ~* \.(ico|pdf|flv)$ { + location ~* \.ico$ { expires 1y; } - location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { + location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ { expires 14d; } + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { + deny all; + return 404; + } + location / { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf index a53bad7df..f3a6d6534 100644 --- a/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf 
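Review bot: In the rhel nginx.conf hunk, the new deny rule `location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/)` replaces one that also listed `api\/` and `vendor`; if the frontend still contains a `vendor/` directory its PHP files are now handed to `location ~ .php$` (regex locations match in order, so nothing else intercepts them), and `vendor\/` should be added back unless the directory is confirmed absent. The same file also loses the `images|cache|media|logs|tmp` script-execution guard in the earlier hunk without a replacement, so a comment explaining why those paths no longer need it would help the next reviewer. The unchanged `location ~ .php$` should be `location ~ \.php$`. The `server` block starts before the hunk.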
@@ -1,6 +1,7 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + server_name zabbix; server_name_in_redirect off; @@ -20,18 +21,23 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { stub_status on; - access_log off; + access_log off; allow 127.0.0.1; deny all; } @@ -44,12 +50,6 @@ server { allow all; log_not_found off; access_log off; - } - - # deny running scripts inside writable directories - location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { - return 403; - error_page 403 /403_error.html; } # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). 
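Review bot: In the rhel nginx_ssl TLS hunk, `ssl_ciphers` keeps the `DHE-RSA-*` GCM suites, so the unchanged `ssl_dhparam /etc/ssl/nginx/dhparam.pem` decides the security of those handshakes and nothing in the commit shows how that file is generated; the profile this copies (the "intermediate configuration" comment and `MozSSL` cache name) assumes a 2048-bit group, so either confirm the image produces at least 2048-bit parameters or remove the two DHE suites so TLS 1.2 is ECDHE-only. The new `server_name zabbix;` is fine alongside `server_name_in_redirect off`, but with a single `listen 8443 ssl http2` server it is also the default, which is worth a comment so nobody expects name-based selection. The `server` block starts before these hunks.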
@@ -60,23 +60,23 @@ server { } # caching of files - location ~* \.(ico|pdf|flv)$ { + location ~* \.ico$ { expires 1y; } - location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { + location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ { expires 14d; } + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { + deny all; + return 404; + } + location / { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf index f1074b94f..da6769355 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -50,11 +50,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index 23417419a..f3a6d6534 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf 
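Review bot: In the rhel nginx_ssl hunk, the added `location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/)` replaces the removed rule that also covered `api\/` and `vendor`; if the frontend still ships a `vendor/` directory, its PHP sources are now reachable via the `location ~ .php$` hand-off below, because regex locations are tried in file order and this deny rule is the only one ahead of it. Add `vendor\/` back unless the directory is known to be absent, and escape the dot in `location ~ \.php$`. The same point applies to the ubuntu nginx.conf hunks on this line. The `server` blocks start before their hunks.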
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { @@ -63,7 +68,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -72,11 +77,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf index f1074b94f..da6769355 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf 
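Review bot: The ubuntu nginx_ssl TLS hunk retains `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, so the unchanged `ssl_dhparam /etc/ssl/nginx/dhparam.pem` now governs those handshakes and the commit does not show its generation; the profile being copied pairs this list with a 2048-bit group, so confirm the parameters are at least that size or drop the DHE suites so TLS 1.2 is ECDHE-only. The HSTS header gains `always`, which is right for error responses; a short comment that `add_header` directives are lost in any `location` that defines its own would prevent that from silently breaking later. The deny-rule hunks on this line drop `vendor` from the protected prefixes and should get `vendor\/` back unless that directory is gone. The `server` block starts before the hunk.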
@@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -50,11 +50,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf index 23417419a..f3a6d6534 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { 
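Review bot: In the pgsql alpine nginx.conf hunks, the unified deny rule no longer lists `api\/` or `vendor`, so if a `vendor/` directory still exists in the frontend its `.php` files are executed through the following `location ~ .php$` block, which nothing else intercepts because regex locations match in order. Restore `vendor\/` in the alternation unless the directory is confirmed absent, and change the hand-off to `location ~ \.php$` so the dot is literal. The nginx_ssl TLS hunk on this line keeps the `DHE-RSA-*` suites, which makes the unchanged `dhparam.pem` strength security-relevant; it should be at least 2048 bits. The `server` blocks start before their hunks.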
@@ -63,7 +68,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -72,11 +77,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf index f1074b94f..da6769355 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf @@ -41,7 +41,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -50,11 +50,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf index 23417419a..f3a6d6534 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf 
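Review bot: The deny-rule hunks on this line (pgsql alpine nginx_ssl and pgsql centos nginx.conf) remove the rule that protected `api\/` and `vendor` and do not carry those prefixes into `location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/)`; if the frontend still ships a `vendor/` directory, its PHP sources are now served by the `location ~ .php$` block that follows, since regex locations are tried in file order. Add `vendor\/` back unless the directory is known to be gone, and escape the dot: `location ~ \.php$ {`. The `server` blocks start before these hunks.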
@@ -21,13 +21,18 @@ server { ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_dhparam /etc/ssl/nginx/dhparam.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_verify_depth 3; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_prefer_server_ciphers on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; - add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; location =/nginx_status { @@ -63,7 +68,7 @@ server { expires 14d; } - location ~ /(app\/|conf[^\.]|include|locale) { + location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) { deny all; return 404; } @@ -72,11 +77,6 @@ server { try_files $uri $uri/ /index.php?$args; } - location ~ /(api\/|conf[^\.]|include|locale|vendor) { - deny all; - return 404; - } - location ~ .php$ { fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_index index.php; diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf index f1074b94f..da6769355 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf 
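Review bot: The pgsql centos nginx_ssl TLS hunk keeps the two `DHE-RSA-*` GCM suites in `ssl_ciphers`, so the unchanged `ssl_dhparam /etc/ssl/nginx/dhparam.pem` line determines the strength of those handshakes, and the commit does not show how the file is generated; the "intermediate configuration" profile it copies assumes a 2048-bit group, so confirm that size or drop the DHE suites so TLS 1.2 is ECDHE-only. `ssl_session_tickets off` with a 1-day shared cache is a reasonable trade-off but is worth a comment, since tickets-off means the session cache is the only resumption path and its `10m` size bounds concurrent resumable sessions. The `server` block starts before the hunk.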
@@ -41,7 +41,7 @@ server {
  expires 14d;
  }
 
- location ~ /(app\/|conf[^\.]|include|locale) {
+ location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
  deny all;
  return 404;
  }
@@ -50,11 +50,6 @@ server {
  try_files $uri $uri/ /index.php?$args;
  }
 
- location ~ /(api\/|conf[^\.]|include|locale|vendor) {
- deny all;
- return 404;
- }
-
  location ~ .php$ {
  fastcgi_pass unix:/tmp/php-fpm.sock;
  fastcgi_index index.php;
diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf
index 23417419a..f3a6d6534 100644
--- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf
+++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf
@@ -21,13 +21,18 @@ server {
  ssl_certificate_key /etc/ssl/nginx/ssl.key;
  ssl_dhparam /etc/ssl/nginx/dhparam.pem;
 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_verify_depth 3;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
 
- add_header Strict-Transport-Security "max-age=31536000; preload";
  add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
  location =/nginx_status {
@@ -63,7 +68,7 @@ server {
  expires 14d;
  }
 
- location ~ /(app\/|conf[^\.]|include|locale) {
+ location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
  deny all;
  return 404;
  }
@@ -72,11 +77,6 @@ server {
  try_files $uri $uri/ /index.php?$args;
  }
 
- location ~ /(api\/|conf[^\.]|include|locale|vendor) {
- deny all;
- return 404;
- }
-
  location ~ .php$ {
  fastcgi_pass unix:/tmp/php-fpm.sock;
  fastcgi_index index.php;
diff --git a/zabbix-appliance/rhel/conf/etc/zabbix/nginx.conf b/zabbix-appliance/rhel/conf/etc/zabbix/nginx.conf
index d3a9a85bb..da6769355 100644
--- a/zabbix-appliance/rhel/conf/etc/zabbix/nginx.conf
+++ b/zabbix-appliance/rhel/conf/etc/zabbix/nginx.conf
@@ -15,7 +15,6 @@ server {
  large_client_header_buffers 8 8k;
  client_max_body_size 10M;
 
-
  location = /favicon.ico {
  log_not_found off;
  }
@@ -26,12 +25,6 @@ server {
  access_log off;
  }
 
- # deny running scripts inside writable directories
- location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
- return 403;
- error_page 403 /403_error.html;
- }
-
  # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
  location ~ /\. {
  deny all;
@@ -40,23 +33,23 @@ server {
  }
 
  # caching of files
- location ~* \.(ico|pdf|flv)$ {
+ location ~* \.ico$ {
  expires 1y;
  }
 
- location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
+ location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
  expires 14d;
  }
 
+ location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
+ deny all;
+ return 404;
+ }
+
  location / {
  try_files $uri $uri/ /index.php?$args;
  }
 
- location ~ /(api\/|conf[^\.]|include|locale|vendor) {
- deny all;
- return 404;
- }
-
  location ~ .php$ {
  fastcgi_pass unix:/tmp/php-fpm.sock;
  fastcgi_index index.php;
diff --git a/zabbix-appliance/rhel/conf/etc/zabbix/nginx_ssl.conf b/zabbix-appliance/rhel/conf/etc/zabbix/nginx_ssl.conf
index 1474dcc7a..f3a6d6534 100644
--- a/zabbix-appliance/rhel/conf/etc/zabbix/nginx_ssl.conf
+++ b/zabbix-appliance/rhel/conf/etc/zabbix/nginx_ssl.conf
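Review bot: In the zabbix-appliance `@@ -40,23 +33,23 @@` hunk, `location ~ .php$` is now the only rule deciding which PHP files reach php-fpm, and with the `location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { return 403; }` block removed in the preceding `@@ -26,12 +25,6 @@` hunk nothing ahead of it refuses a script placed under a writable directory, so the defence-in-depth that block gave this image disappears without a replacement. If none of those directories exists or is writable in this appliance the removal is sound, but that reasoning belongs in the file: `# no writable directories under the web root; no script-execution guard needed`. If they do exist, keep the guard in its `return 403` form without the `error_page 403 /403_error.html;` line, which pointed at a page the visible config does not define. The same removal appears in the `@@ -45,12 +50,6 @@` hunk of the rhel nginx_ssl.conf on the next line.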
@@ -21,18 +21,23 @@ server {
  ssl_certificate_key /etc/ssl/nginx/ssl.key;
  ssl_dhparam /etc/ssl/nginx/dhparam.pem;
 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_verify_depth 3;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
 
- add_header Strict-Transport-Security "max-age=31536000; preload";
  add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
  location =/nginx_status {
  stub_status on;
- access_log off;
+ access_log off;
  allow 127.0.0.1;
  deny all;
  }
@@ -45,12 +50,6 @@ server {
  allow all;
  log_not_found off;
  access_log off;
- }
-
- # deny running scripts inside writable directories
- location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
- return 403;
- error_page 403 /403_error.html;
  }
 
  # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
@@ -61,23 +60,23 @@ server {
  }
 
  # caching of files
- location ~* \.(ico|pdf|flv)$ {
+ location ~* \.ico$ {
  expires 1y;
  }
 
- location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
+ location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
  expires 14d;
  }
 
+ location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
+ deny all;
+ return 404;
+ }
+
  location / {
  try_files $uri $uri/ /index.php?$args;
  }
 
- location ~ /(api\/|conf[^\.]|include|locale|vendor) {
- deny all;
- return 404;
- }
-
  location ~ .php$ {
  fastcgi_pass unix:/tmp/php-fpm.sock;
  fastcgi_index index.php;