Added EXPOSE_WEB_SERVER_INFO variable to control web server / php versions expose

Dockerfiles/web-nginx-mysql/README.md

@@ -135,12 +135,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av
 
 ### `ENABLE_WEB_ACCESS_LOG`
 
-The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output.
+The variable sets the Access Log directive for Web server. By default, value corresponds to standard output.
 
 ### `HTTP_INDEX_FILE`
 
 The variable controls default index page. By default, `index.php`.
 
+### `EXPOSE_WEB_SERVER_INFO`
+
+The variable allows to hide Web server and PHP versions. By default, `on`.
+
 ### `ZBX_MAXEXECUTIONTIME`
 
 The varable is PHP ``max_execution_time`` option. By default, value is `300`.

Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
     ignore_invalid_headers          on;
 
     index                           index.php;
-    server_tokens                   off;
+    server_tokens                   {EXPOSE_WEB_SERVER_INFO};
 
     include /etc/nginx/http.d/*.conf;
 }

Dockerfiles/web-nginx-mysql/alpine/conf/etc/php83/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Nginx main configuration file
+NGINX_CONF_FILE="/etc/nginx/nginx.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -214,7 +216,7 @@ prepare_zbx_web_config() {
     export VAULT_TOKEN=${VAULT_TOKEN}
     export ZBX_VAULTCERTFILE=${ZBX_VAULTCERTFILE}
     export ZBX_VAULTKEYFILE=${ZBX_VAULTKEYFILE}
-    
+
     : ${DB_DOUBLE_IEEE754:="true"}
     export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754,,}
 
@@ -257,14 +259,23 @@ prepare_zbx_web_config() {
     if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/nginx/nginx.conf"
+            "$NGINX_CONF_FILE"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx.conf"
+            "$ZABBIX_ETC_DIR/nginx.conf"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx_ssl.conf"
+            "$ZABBIX_ETC_DIR/nginx_ssl.conf"
     fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+
+    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
+
+    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+    sed -i \
+        -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \
+    "$NGINX_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-nginx-mysql/centos/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
     ignore_invalid_headers          on;
 
     index                           index.php;
-    server_tokens                   off;
+    server_tokens                   {EXPOSE_WEB_SERVER_INFO};
 
     include /etc/nginx/conf.d/*.conf;
 }

Dockerfiles/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Nginx main configuration file
+NGINX_CONF_FILE="/etc/nginx/nginx.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -257,14 +259,23 @@ prepare_zbx_web_config() {
     if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/nginx/nginx.conf"
+            "$NGINX_CONF_FILE"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx.conf"
+            "$ZABBIX_ETC_DIR/nginx.conf"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx_ssl.conf"
+            "$ZABBIX_ETC_DIR/nginx_ssl.conf"
     fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+
+    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
+
+    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+    sed -i \
+        -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \
+    "$NGINX_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-nginx-mysql/ol/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
     ignore_invalid_headers          on;
 
     index                           index.php;
-    server_tokens                   off;
+    server_tokens                   {EXPOSE_WEB_SERVER_INFO};
 
     include /etc/nginx/conf.d/*.conf;
 }

Dockerfiles/web-nginx-mysql/ol/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Nginx main configuration file
+NGINX_CONF_FILE="/etc/nginx/nginx.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -257,14 +259,23 @@ prepare_zbx_web_config() {
     if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/nginx/nginx.conf"
+            "$NGINX_CONF_FILE"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx.conf"
+            "$ZABBIX_ETC_DIR/nginx.conf"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx_ssl.conf"
+            "$ZABBIX_ETC_DIR/nginx_ssl.conf"
     fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+
+    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
+
+    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+    sed -i \
+        -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \
+    "$NGINX_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-nginx-mysql/rhel/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
     ignore_invalid_headers          on;
 
     index                           index.php;
-    server_tokens                   off;
+    server_tokens                   {EXPOSE_WEB_SERVER_INFO};
 
     include /etc/nginx/conf.d/*.conf;
 }

Dockerfiles/web-nginx-mysql/rhel/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Nginx main configuration file
+NGINX_CONF_FILE="/etc/nginx/nginx.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -257,14 +259,23 @@ prepare_zbx_web_config() {
     if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/nginx/nginx.conf"
+            "$NGINX_CONF_FILE"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx.conf"
+            "$ZABBIX_ETC_DIR/nginx.conf"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx_ssl.conf"
+            "$ZABBIX_ETC_DIR/nginx_ssl.conf"
     fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+
+    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
+
+    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+    sed -i \
+        -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \
+    "$NGINX_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
     ignore_invalid_headers          on;
 
     index                           index.php;
-    server_tokens                   off;
+    server_tokens                   {EXPOSE_WEB_SERVER_INFO};
 
     include /etc/nginx/conf.d/*.conf;
 }

Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/php/8.1/fpm/pool.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Nginx main configuration file
+NGINX_CONF_FILE="/etc/nginx/nginx.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -257,14 +259,23 @@ prepare_zbx_web_config() {
     if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/nginx/nginx.conf"
+            "$NGINX_CONF_FILE"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx.conf"
+            "$ZABBIX_ETC_DIR/nginx.conf"
         sed -ri \
             -e 's!^(\s*access_log).+\;!\1 off\;!g' \
-            "/etc/zabbix/nginx_ssl.conf"
+            "$ZABBIX_ETC_DIR/nginx_ssl.conf"
     fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+
+    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
+
+    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+    sed -i \
+        -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \
+    "$NGINX_CONF_FILE"
 }
 
 #################################################