extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-08-09 00:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimizations for Nginx/Apache configs

Browse Source
This commit is contained in:
Alexey Pustovalov
2021-06-08 19:44:11 -04:00
parent 201878da63 d8eef085c7
commit 7d5536ef02
28 changed files with 287 additions and 218 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf
View File

@ -15,7 +15,6 @@ server {
large_client_header_buffers 8 8k;
client_max_body_size 10M;
location = /favicon.ico {
log_not_found off;
}
@ -26,12 +25,6 @@ server {
access_log off;
}
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
@ -40,23 +33,23 @@ server {
}
# caching of files
location ~* \.(ico|pdf|flv)$ {
location ~* \.ico$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d;
}
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;

40
web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf
View File

@ -1,6 +1,7 @@
server {
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
server_name zabbix;
server_name_in_redirect off;
@ -20,18 +21,23 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_verify_depth 3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status {
stub_status on;
access_log off;
access_log off;
allow 127.0.0.1;
deny all;
}
@ -44,12 +50,6 @@ server {
allow all;
log_not_found off;
access_log off;
}
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
@ -60,23 +60,23 @@ server {
}
# caching of files
location ~* \.(ico|pdf|flv)$ {
location ~* \.ico$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d;
}
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;