extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-02-17 18:30:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Optimizations for Nginx/Apache configs

Browse Source
This commit is contained in:
Alexey Pustovalov 2021-06-08 19:44:11 -04:00
commit 7d5536ef02
28 changed files with 287 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
web-apache-mysql/alpine/conf/etc/zabbix/apache.conf
View File

@ -43,6 +43,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf
View File

@ -5,8 +5,6 @@ Listen 8443
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -17,16 +15,21 @@ Listen 8443
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -66,6 +69,14 @@ Listen 8443
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

8
web-apache-mysql/centos/conf/etc/zabbix/apache.conf
View File

@ -47,6 +47,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf
View File

@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Listen 8443 Listen 8443
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -16,16 +14,21 @@ Listen 8443
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -69,6 +72,14 @@ Listen 8443
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

8
web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf
View File

@ -43,6 +43,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf
View File

@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

8
web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf
View File

@ -43,6 +43,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf
View File

@ -5,8 +5,6 @@ Listen 8443
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -17,16 +15,21 @@ Listen 8443
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -66,6 +69,14 @@ Listen 8443
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

8
web-apache-pgsql/centos/conf/etc/zabbix/apache.conf
View File

@ -47,6 +47,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf
View File

@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Listen 8443 Listen 8443
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -16,16 +14,21 @@ Listen 8443
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -69,6 +72,14 @@ Listen 8443
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

8
web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf
View File

@ -43,6 +43,14 @@
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

25
web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf
View File

@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
<IfModule mod_ssl.c> <IfModule mod_ssl.c>
<VirtualHost *:8443> <VirtualHost *:8443>
SSLEngine on
DocumentRoot /usr/share/zabbix/ DocumentRoot /usr/share/zabbix/
ServerName zabbix ServerName zabbix
DirectoryIndex index.php DirectoryIndex index.php
@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 # intermediate configuration
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/ssl/apache2/ssl.crt SSLCertificateFile /etc/ssl/apache2/ssl.crt
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
# SSLCACertificatePath /etc/ssl/apache2/chain/ # SSLCACertificatePath /etc/ssl/apache2/chain/
# HSTS (mod_headers is required) (15768000 seconds = 6 months) # enable HTTP/2, if available
Header always set Strict-Transport-Security "max-age=15768000" Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
<Directory "/usr/share/zabbix"> <Directory "/usr/share/zabbix">
Options FollowSymLinks Options FollowSymLinks
@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
</files> </files>
</Directory> </Directory>
<Directory "/usr/share/zabbix/locale">
Require all denied
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/vendor"> <Directory "/usr/share/zabbix/vendor">
Require all denied Require all denied
<files *.php> <files *.php>

7
web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

7
web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

21
web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf
View File

@ -15,7 +15,6 @@ server {
large_client_header_buffers 8 8k; large_client_header_buffers 8 8k;
client_max_body_size 10M; client_max_body_size 10M;
location = /favicon.ico { location = /favicon.ico {
log_not_found off; log_not_found off;
} }
@ -26,12 +25,6 @@ server {
access_log off; access_log off;
} }
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. { location ~ /\. {
deny all; deny all;
@ -40,23 +33,23 @@ server {
} }
# caching of files # caching of files
location ~* \.(ico|pdf|flv)$ { location ~* \.ico$ {
expires 1y; expires 1y;
} }
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

40
web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf
View File

@ -1,6 +1,7 @@
server { server {
listen 8443 ssl http2; listen 8443 ssl http2;
listen [::]:8443 ssl http2; listen [::]:8443 ssl http2;
server_name zabbix; server_name zabbix;
server_name_in_redirect off; server_name_in_redirect off;
@ -20,18 +21,23 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
stub_status on; stub_status on;
access_log off; access_log off;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;
} }
@ -44,12 +50,6 @@ server {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
}
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
} }
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
@ -60,23 +60,23 @@ server {
} }
# caching of files # caching of files
location ~* \.(ico|pdf|flv)$ { location ~* \.ico$ {
expires 1y; expires 1y;
} }
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

7
web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

7
web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

7
web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

7
web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf
View File

@ -41,7 +41,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -50,11 +50,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

24
web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,13 +21,18 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
@ -63,7 +68,7 @@ server {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include|locale) { location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all; deny all;
return 404; return 404;
} }
@ -72,11 +77,6 @@ server {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

21
zabbix-appliance/rhel/conf/etc/zabbix/nginx.conf
View File

@ -15,7 +15,6 @@ server {
large_client_header_buffers 8 8k; large_client_header_buffers 8 8k;
client_max_body_size 10M; client_max_body_size 10M;
location = /favicon.ico { location = /favicon.ico {
log_not_found off; log_not_found off;
} }
@ -26,12 +25,6 @@ server {
access_log off; access_log off;
} }
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. { location ~ /\. {
deny all; deny all;
@ -40,23 +33,23 @@ server {
} }
# caching of files # caching of files
location ~* \.(ico|pdf|flv)$ { location ~* \.ico$ {
expires 1y; expires 1y;
} }
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;

39
zabbix-appliance/rhel/conf/etc/zabbix/nginx_ssl.conf
View File

@ -21,18 +21,23 @@ server {
ssl_certificate_key /etc/ssl/nginx/ssl.key; ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem; ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_timeout 1d;
ssl_verify_depth 3; ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on; # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=31536000; preload";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report"; add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location =/nginx_status { location =/nginx_status {
stub_status on; stub_status on;
access_log off; access_log off;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;
} }
@ -45,12 +50,6 @@ server {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
}
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
} }
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
@ -61,23 +60,23 @@ server {
} }
# caching of files # caching of files
location ~* \.(ico|pdf|flv)$ { location ~* \.ico$ {
expires 1y; expires 1y;
} }
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d; expires 14d;
} }
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
deny all;
return 404;
}
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
deny all;
return 404;
}
location ~ .php$ { location ~ .php$ {
fastcgi_pass unix:/tmp/php-fpm.sock; fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;