Added correct resolving for source IP addresses in case of HTTP proxies

2025-08-09 16:45:05 +02:00 · 2025-07-04 17:54:57 +03:00
parent 9860d2a88d
commit e0f77c4380
67 changed files with 475 additions and 0 deletions
--- a/Dockerfiles/web-apache-mysql/README.md
+++ b/Dockerfiles/web-apache-mysql/README.md
@ -258,6 +258,10 @@ PHP_FPM_PM_START_SERVERS=5
 PHP_FPM_PM_MIN_SPARE_SERVERS=5
 PHP_FPM_PM_MAX_SPARE_SERVERS=35
 PHP_FPM_PM_MAX_REQUESTS=0
+
+Allowed Apache configuration options:
+WEB_REAL_IP_FROM=
+WEB_REAL_IP_HEADER=
 ```

 ## Allowed volumes for the Zabbix web interface container
--- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf
+++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf
@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 LoadModule expires_module modules/mod_expires.so
 LoadModule headers_module modules/mod_headers.so
+LoadModule remoteip_module modules/mod_remoteip.so
--- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf
+++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf
@ -1,6 +1,9 @@
 Listen 8080

 <VirtualHost *:8080>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    <LocationMatch "/(ping|status)">
        Require all granted

--- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf
+++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf
@ -14,6 +14,9 @@ SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 SSLSessionCacheTimeout  300

 <VirtualHost *:8443>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

--- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
@ -202,6 +202,11 @@ prepare_web_server() {
        export APACHE_SERVER_SIGNATURE="Off"
    fi

+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+
    mkdir -p "${APACHE_RUN_DIR}"
 }

--- a/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf
+++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf
@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 LoadModule expires_module modules/mod_expires.so
 LoadModule headers_module modules/mod_headers.so
+LoadModule remoteip_module modules/mod_remoteip.so
--- a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf
+++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf
@ -1,6 +1,9 @@
 Listen 8080

 <VirtualHost *:8080>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    <LocationMatch "/(ping|status)">
        Require all granted

--- a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf
+++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf
@ -14,6 +14,9 @@ SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 SSLSessionCacheTimeout  300

 <VirtualHost *:8443>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

--- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh
@ -202,6 +202,11 @@ prepare_web_server() {
        export APACHE_SERVER_SIGNATURE="Off"
    fi

+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+
    mkdir -p "${APACHE_RUN_DIR}"
 }

--- a/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf
+++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf
@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 LoadModule expires_module modules/mod_expires.so
 LoadModule headers_module modules/mod_headers.so
+LoadModule remoteip_module modules/mod_remoteip.so
--- a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf
+++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf
@ -1,6 +1,9 @@
 Listen 8080

 <VirtualHost *:8080>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    <LocationMatch "/(ping|status)">
        Require all granted

--- a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf
+++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf
@ -14,6 +14,9 @@ SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 SSLSessionCacheTimeout  300

 <VirtualHost *:8443>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

--- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh
@ -202,6 +202,11 @@ prepare_web_server() {
        export APACHE_SERVER_SIGNATURE="Off"
    fi

+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+
    mkdir -p "${APACHE_RUN_DIR}"
 }

--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf
@ -12,3 +12,4 @@ LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
 LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so
 LoadModule expires_module /usr/lib/apache2/modules/mod_expires.so
 LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf
@ -1,6 +1,9 @@
 Listen 8080

 <VirtualHost *:8080>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    <LocationMatch "/(ping|status)">
        Require all granted

--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf
@ -14,6 +14,9 @@ SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 SSLSessionCacheTimeout  300

 <VirtualHost *:8443>
+    RemoteIPInternalProxy ${WEB_REAL_IP_FROM}
+    RemoteIPHeader ${WEB_REAL_IP_HEADER}
+
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

--- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
@ -202,6 +202,11 @@ prepare_web_server() {
        export APACHE_SERVER_SIGNATURE="Off"
    fi

+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf"
+    [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf"
+
    mkdir -p "${APACHE_RUN_DIR}"
 }