Merge pull request #378 from zabbix/master

Updated Apache config for non-SSL connections

web-apache-mysql/alpine/conf/etc/zabbix/apache.conf

@@ -4,42 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Require all granted
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf

@@ -5,20 +5,65 @@ Listen 443
 
 <IfModule mod_ssl.c>
     <VirtualHost *:443>
+        SSLEngine on
+
         DocumentRoot /usr/share/zabbix/
         ServerName zabbix
         DirectoryIndex index.php
+
         AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
         AddType application/x-httpd-php-source .phps
 
         # Enable/Disable SSL for this virtual host.
         SSLEngine on
 
-        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-        SSLProtocol all -SSLv2
+        SSLProtocol             all -SSLv2 -SSLv3
+        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        SSLHonorCipherOrder     on
 
         SSLCertificateFile /etc/ssl/apache2/ssl.crt
         SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
         # SSLCACertificatePath /etc/ssl/apache2/chain/
+
+        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+        Header always set Strict-Transport-Security "max-age=15768000"
+
+        <Directory "/usr/share/zabbix">
+            Options FollowSymLinks
+            AllowOverride None
+            Require all granted
+        </Directory>
+
+        <Directory "/usr/share/zabbix/conf">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/app">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/include">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/local">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
     </VirtualHost>
 </IfModule>

web-apache-mysql/centos/conf/etc/zabbix/apache.conf

@@ -4,42 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Require all granted
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf

@@ -4,47 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf

@@ -1,19 +1,69 @@
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+
+Listen 443
+
 <IfModule mod_ssl.c>
     <VirtualHost *:443>
+        SSLEngine on
+
         DocumentRoot /usr/share/zabbix/
         ServerName zabbix
         DirectoryIndex index.php
+
         AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
         AddType application/x-httpd-php-source .phps
 
         # Enable/Disable SSL for this virtual host.
         SSLEngine on
 
-        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-        SSLProtocol all -SSLv2
+        SSLProtocol             all -SSLv2 -SSLv3
+        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        SSLHonorCipherOrder     on
 
         SSLCertificateFile /etc/ssl/apache2/ssl.crt
         SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
         # SSLCACertificatePath /etc/ssl/apache2/chain/
+
+        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+        Header always set Strict-Transport-Security "max-age=15768000"
+
+        <Directory "/usr/share/zabbix">
+            Options FollowSymLinks
+            AllowOverride None
+            Require all granted
+        </Directory>
+
+        <Directory "/usr/share/zabbix/conf">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/app">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/include">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/local">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
     </VirtualHost>
 </IfModule>

web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf

@@ -4,42 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Require all granted
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf

@@ -5,20 +5,65 @@ Listen 443
 
 <IfModule mod_ssl.c>
     <VirtualHost *:443>
+        SSLEngine on
+
         DocumentRoot /usr/share/zabbix/
         ServerName zabbix
         DirectoryIndex index.php
+
         AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
         AddType application/x-httpd-php-source .phps
 
         # Enable/Disable SSL for this virtual host.
         SSLEngine on
 
-        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-        SSLProtocol all -SSLv2
+        SSLProtocol             all -SSLv2 -SSLv3
+        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        SSLHonorCipherOrder     on
 
         SSLCertificateFile /etc/ssl/apache2/ssl.crt
         SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
         # SSLCACertificatePath /etc/ssl/apache2/chain/
+
+        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+        Header always set Strict-Transport-Security "max-age=15768000"
+
+        <Directory "/usr/share/zabbix">
+            Options FollowSymLinks
+            AllowOverride None
+            Require all granted
+        </Directory>
+
+        <Directory "/usr/share/zabbix/conf">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/app">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/include">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/local">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
     </VirtualHost>
 </IfModule>

web-apache-pgsql/centos/conf/etc/zabbix/apache.conf

@@ -4,42 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Require all granted
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Require all denied
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf

@@ -4,47 +4,42 @@
     DirectoryIndex index.php
     AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
     AddType application/x-httpd-php-source .phps
+
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
 </VirtualHost>
-
-<Directory "/usr/share/zabbix">
-    Options FollowSymLinks
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>
-
-<Directory "/usr/share/zabbix/conf">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/app">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/include">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>
-
-<Directory "/usr/share/zabbix/local">
-    Order deny,allow
-    Deny from all
-    <files *.php>
-        Order deny,allow
-        Deny from all
-    </files>
-</Directory>

web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf

@@ -1,19 +1,69 @@
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+
+Listen 443
+
 <IfModule mod_ssl.c>
     <VirtualHost *:443>
+        SSLEngine on
+
         DocumentRoot /usr/share/zabbix/
         ServerName zabbix
         DirectoryIndex index.php
+
         AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
         AddType application/x-httpd-php-source .phps
 
         # Enable/Disable SSL for this virtual host.
         SSLEngine on
 
-        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-        SSLProtocol all -SSLv2
+        SSLProtocol             all -SSLv2 -SSLv3
+        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        SSLHonorCipherOrder     on
 
         SSLCertificateFile /etc/ssl/apache2/ssl.crt
         SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
         # SSLCACertificatePath /etc/ssl/apache2/chain/
+
+        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+        Header always set Strict-Transport-Security "max-age=15768000"
+
+        <Directory "/usr/share/zabbix">
+            Options FollowSymLinks
+            AllowOverride None
+            Require all granted
+        </Directory>
+
+        <Directory "/usr/share/zabbix/conf">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/app">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/include">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
+        <Directory "/usr/share/zabbix/local">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
     </VirtualHost>
 </IfModule>