Migrate to PHP-FPM for all Web images

2025-06-30 14:51:11 +02:00 · 2025-01-13 19:24:39 +09:00
parent 245234e41f
commit e977ceec40
131 changed files with 3919 additions and 1852 deletions
--- a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile
@ -14,7 +14,8 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git

 ENV TERM=xterm \
    ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
-    ZABBIX_CONF_DIR="/etc/zabbix"
+    ZABBIX_CONF_DIR="/etc/zabbix" \
+    ZABBIX_WWW_ROOT="/usr/share/zabbix"

 LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zabbix.com>" \
      org.opencontainers.image.description="Zabbix web-interface based on Apache2 web server with MySQL database support" \
@ -28,7 +29,7 @@ LABEL org.opencontainers.image.authors="Alexey Pustovalov <alexey.pustovalov@zab

 STOPSIGNAL SIGTERM

-COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/ui", "/usr/share/zabbix"]
+COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/ui", "${ZABBIX_WWW_ROOT}"]
 COPY ["conf/etc/", "/etc/"]

 RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
@ -37,22 +38,26 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
    echo "#!/bin/sh\nexit 101" > /usr/sbin/policy-rc.d && \
    INSTALL_PKGS="bash \
            tzdata \
-            apache2 \
-            curl \
-            libapache2-mod-php \
+            curl \ 
            ca-certificates \
+            curl \
            mysql-client \
+            apache2 \
            locales \
            libldap-common \
            php8.3-bcmath \
            php8.3-curl \
+            php8.3-fpm \
            php8.3-gd \
            php8.3-ldap \
            php8.3-mbstring \
            php8.3-mysql \
-            php8.3-xml" && \
+            php8.3-xml \
+            supervisor" && \
    apt-get -y update && \
    DEBIAN_FRONTEND=noninteractive apt-get -y \
+            -o Dpkg::Options::="--force-confdef" \
+            -o Dpkg::Options::="--force-confold" \
            --no-install-recommends install \
        ${INSTALL_PKGS} && \
    groupadd \
@ -70,50 +75,45 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
    mkdir -p ${ZABBIX_CONF_DIR} && \
    mkdir -p ${ZABBIX_CONF_DIR}/web && \
    mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
+    mkdir -p /var/lib/php/session && \
+    find /etc/ -name '*.dpkg-dist' | xargs rm -f && \
    rm -f /etc/apache2/sites-available/* && \
    rm -f /etc/apache2/sites-enabled/* && \
-    /usr/sbin/a2enmod ssl && \
-    sed -ri \
-            -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
-            -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
-        "/etc/apache2/apache2.conf" && \
-    sed -ri \
-            -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
-            -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
-        "/etc/apache2/conf-available/other-vhosts-access-log.conf" && \
-    sed -i 's/Listen 80/Listen 8080/g' /etc/apache2/ports.conf && \
-    sed -i 's/Listen 443/Listen 8443/g' /etc/apache2/ports.conf && \
-    sed -i 's|/var/run/apache2$SUFFIX|/tmp|g' /etc/apache2/envvars && \
-    rm -f /var/run/apache2/apache2.pid && \
-    cd /usr/share/zabbix/ && \
+    rm -f /etc/php/8.3/fpm/pool.d/www.conf && \
+    rm -f /var/run/apache2/ && \
+    cd ${ZABBIX_WWW_ROOT}/ && \
    rm -f conf/zabbix.conf.php conf/maintenance.inc.php conf/zabbix.conf.php.example && \
    rm -rf tests && \
    rm -f locale/add_new_language.sh locale/update_po.sh locale/make_mo.sh && \
-    find /usr/share/zabbix/locale -name '*.po' | xargs rm -f && \
-    find /usr/share/zabbix/locale -name '*.sh' | xargs rm -f && \
-    ln -s "${ZABBIX_CONF_DIR}/web/zabbix.conf.php" "/usr/share/zabbix/conf/zabbix.conf.php" && \
-    ln -s "${ZABBIX_CONF_DIR}/web/maintenance.inc.php" "/usr/share/zabbix/conf/maintenance.inc.php" && \
+    find ${ZABBIX_WWW_ROOT}/locale -name '*.po' | xargs rm -f && \
+    find ${ZABBIX_WWW_ROOT}/locale -name '*.sh' | xargs rm -f && \
+    ln -s "${ZABBIX_CONF_DIR}/web/zabbix.conf.php" "${ZABBIX_WWW_ROOT}/conf/zabbix.conf.php" && \
+    ln -s "${ZABBIX_CONF_DIR}/web/maintenance.inc.php" "${ZABBIX_WWW_ROOT}/conf/maintenance.inc.php" && \
    mkdir -p /var/lib/locales/supported.d/ && \
    rm -f /var/lib/locales/supported.d/local && \
-    cat /usr/share/zabbix/include/locales.inc.php | grep display | grep true | awk '{$1=$1};1' | \
+    cat ${ZABBIX_WWW_ROOT}/include/locales.inc.php | grep display | grep true | awk '{$1=$1};1' | \
        cut -d"'" -f 2 | sort | \
        xargs -I '{}' bash -c 'echo "{}.UTF-8 UTF-8" >> /var/lib/locales/supported.d/local' && \
    dpkg-reconfigure locales && \
-    chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ /usr/share/zabbix/include/defines.inc.php /usr/share/zabbix/modules/ && \
-    chgrp -R 0 ${ZABBIX_CONF_DIR}/ /usr/share/zabbix/include/defines.inc.php /usr/share/zabbix/modules/ && \
-    chmod -R g=u ${ZABBIX_CONF_DIR}/ /usr/share/zabbix/include/defines.inc.php /usr/share/zabbix/modules/ && \
-    chown --quiet -R zabbix:root /etc/apache2/ /etc/php/8.3/ && \
-    chgrp -R 0 /etc/apache2/ /etc/php/8.3/ && \
-    chmod -R g=u /etc/apache2/ /etc/php/8.3/
+    chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
+    chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
+    chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
+    chown --quiet -R zabbix:root /etc/apache2/ /etc/php/8.3/fpm/ && \
+    chgrp -R 0 /etc/apache2/ /etc/php/8.3/fpm/ && \
+    chmod -R g=u /etc/apache2/ /etc/php/8.3/fpm/ && \
+    chown --quiet -R zabbix:root /var/lib/php/session/ && \
+    chgrp -R 0 /var/lib/php/session/ && \
+    chmod -R g=u /var/lib/php/session/
+
+HEALTHCHECK --interval=1m30s --timeout=3s --retries=3 --start-period=40s --start-interval=5s \
+    CMD curl -f http://localhost:8080/ping || exit 1

 EXPOSE 8080/TCP 8443/TCP

-WORKDIR /usr/share/zabbix
+WORKDIR ${ZABBIX_WWW_ROOT}

 COPY ["docker-entrypoint.sh", "/usr/bin/"]

 USER 1997

 ENTRYPOINT ["docker-entrypoint.sh"]
-
-CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/apache2.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/apache2.conf
@ -0,0 +1,75 @@
+ServerRoot /etc/apache2/
+ServerRoot /var/www
+DefaultRuntimeDir /tmp/apache2/
+PidFile /tmp/apache2.pid
+
+ServerName 127.0.0.1
+
+IncludeOptional /etc/apache2/includes.conf
+
+Timeout 300
+KeepAlive On
+MaxKeepAliveRequests 100
+KeepAliveTimeout 5
+
+<IfModule unixd_module>
+    User ${APACHE_RUN_USER}
+    Group ${APACHE_RUN_GROUP}
+</IfModule>
+
+HostnameLookups Off
+
+LogLevel warn
+
+<IfModule log_config_module>
+    SetEnvIf Request_URI "^/(robots\.txt|favicon\.ico|status|ping|apache-status)$" exclude_from_logs
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %O" common
+    LogFormat "%{Referer}i -> %U" referer
+    LogFormat "%{User-agent}i" agent
+
+    CustomLog ${APACHE_CUSTOM_LOG} vhost_combined env=!exclude_from_logs
+</IfModule>
+
+ErrorLog /proc/self/fd/2
+
+LogLevel warn
+
+<IfModule mpm_event_module>
+    StartServers            2
+    MinSpareThreads         25
+    MaxSpareThreads         75
+    ThreadLimit             64
+    ThreadsPerChild         25
+    MaxRequestWorkers       150
+    MaxConnectionsPerChild  0
+</IfModule>
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+ServerTokens ${APACHE_SERVER_TOKENS}
+
+ServerSignature ${APACHE_SERVER_SIGNATURE}
+
+TraceEnable Off
+
+AddDefaultCharset UTF-8
+
+<IfModule status_module>
+    <Location /apache-status>
+        SetHandler server-status
+        Require local
+    </Location>
+
+    ExtendedStatus On
+
+    <IfModule mod_proxy.c>
+        ProxyStatus On
+    </IfModule>
+</IfModule>
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/includes.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/includes.conf
@ -0,0 +1,8 @@
+IncludeOptional /etc/apache2/modules.conf
+
+IncludeOptional mods-enabled/mime.conf
+IncludeOptional mods-enabled/negotiation.conf
+IncludeOptional mods-enabled/reqtimeout.conf
+IncludeOptional mods-enabled/setenvif.conf
+
+IncludeOptional sites-enabled/*.conf
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf
@ -0,0 +1,21 @@
+LoadModule access_compat_module /usr/lib/apache2/modules/mod_access_compat.so
+LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so
+LoadModule authn_core_module /usr/lib/apache2/modules/mod_authn_core.so
+LoadModule authn_file_module /usr/lib/apache2/modules/mod_authn_file.so
+LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
+LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so
+LoadModule authz_user_module /usr/lib/apache2/modules/mod_authz_user.so
+LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
+LoadModule env_module /usr/lib/apache2/modules/mod_env.so
+LoadModule filter_module /usr/lib/apache2/modules/mod_filter.so
+LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
+LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
+LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
+LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so
+LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
+LoadModule status_module /usr/lib/apache2/modules/mod_status.so
+
+LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so
+LoadModule expires_module /usr/lib/apache2/modules/mod_expires.so
+LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/apache2/conf.d/99-zabbix.ini
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/apache2/conf.d/99-zabbix.ini
@ -1,10 +0,0 @@
-max_execution_time = ${ZBX_MAXEXECUTIONTIME}
-memory_limit = ${ZBX_MEMORYLIMIT}
-post_max_size = ${ZBX_POSTMAXSIZE}
-upload_max_filesize = ${ZBX_UPLOADMAXFILESIZE}
-max_input_time = ${ZBX_MAXINPUTTIME}
-; always_populate_raw_post_data=-1
-max_input_vars = 10000
-date.timezone = ${PHP_TZ}
-; https://www.php.net/manual/en/security.hiding.php
-expose_php = ${EXPOSE_WEB_SERVER_INFO}
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/fpm/php-fpm.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/fpm/php-fpm.conf
@ -0,0 +1,10 @@
+include=/etc/php/8.3/fpm/pool.d/*.conf
+
+[global]
+
+pid = /tmp/php-fpm.pid
+
+error_log = /dev/fd/2
+log_level = notice
+
+daemonize = no
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/fpm/pool.d/zabbix.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.3/fpm/pool.d/zabbix.conf
@ -0,0 +1,36 @@
+[zabbix]
+
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
+listen = /tmp/php-fpm.sock
+
+clear_env = no
+
+pm = ${PHP_FPM_PM}
+pm.max_children = ${PHP_FPM_PM_MAX_CHILDREN}
+pm.start_servers = ${PHP_FPM_PM_START_SERVERS}
+pm.min_spare_servers = ${PHP_FPM_PM_MIN_SPARE_SERVERS}
+pm.max_spare_servers = ${PHP_FPM_PM_MAX_SPARE_SERVERS}
+pm.max_requests = ${PHP_FPM_PM_MAX_REQUESTS}
+
+slowlog = /dev/fd/1
+
+php_admin_value[error_log] = /dev/fd/2
+php_admin_flag[log_errors] = on
+catch_workers_output = yes
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/session
+
+php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME}
+php_value[memory_limit] = ${ZBX_MEMORYLIMIT}
+php_value[post_max_size] = ${ZBX_POSTMAXSIZE}
+php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE}
+php_value[max_input_time] = ${ZBX_MAXINPUTTIME}
+php_value[max_input_vars] = 10000
+php_value[date.timezone] = ${PHP_TZ}
+
+; PHP-FPM monitoring
+pm.status_path = /status
+ping.path = /ping
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/supervisor/conf.d/supervisord_zabbix.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/supervisor/conf.d/supervisord_zabbix.conf
@ -0,0 +1,30 @@
+[supervisord]
+nodaemon = true
+
+[program:apache2]
+command = /usr/sbin/%(program_name)s -D FOREGROUND
+auto_start = true
+autorestart = true
+
+startsecs=2
+startretries=3
+stopsignal=TERM
+stopwaitsecs=2
+
+redirect_stderr=true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
+
+[program:php-fpm8.3]
+command = /usr/sbin/%(program_name)s -F -y /etc/php/8.3/fpm/php-fpm.conf
+auto_start = true
+autorestart = true
+
+startsecs=2
+startretries=3
+stopsignal=TERM
+stopwaitsecs=2
+
+redirect_stderr=true
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/supervisor/supervisord.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/supervisor/supervisord.conf
@ -0,0 +1,35 @@
+; supervisor config file
+
+[unix_http_server]
+file = /tmp/supervisor.sock        ; (the path to the socket file)
+chmod = 0700                       ; sockef file mode (default 0700)
+username = zbx
+password = password
+
+[supervisord]
+logfile = /dev/stdout                        ; (main log file;default $CWD/supervisord.log)
+pidfile = /tmp/supervisord.pid               ; (supervisord pidfile;default supervisord.pid)
+childlogdir = /tmp                           ; ('AUTO' child log dir, default $TEMP)
+critical = critical
+;user = zabbix
+logfile_maxbytes = 0
+logfile_backupcount = 0
+loglevel = info
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl = unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
+
+[include]
+files = /etc/supervisor/conf.d/*.conf
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf
@ -1,14 +1,44 @@
+Listen 8080
+
 <VirtualHost *:8080>
    DocumentRoot /usr/share/zabbix/
+
    ServerName zabbix
-    DirectoryIndex {HTTP_INDEX_FILE}
+
+    DirectoryIndex ${HTTP_INDEX_FILE}
+
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps

+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+
+    <LocationMatch "/(ping|status)">
+        Order Allow,Deny
+        Allow from all
+
+        SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+    </LocationMatch>
+
    <Directory "/usr/share/zabbix">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
+
+        <FilesMatch \.(php|phar)$>
+            SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <filesMatch "\.(ico)$">
+            ExpiresActive On
+            ExpiresDefault "access plus 1 year"
+            Header append Cache-Control "public"
+        </filesMatch>
+
+        <filesMatch "\.(js|css|png|jpg|jpeg|gif|xml|txt)$">
+            ExpiresActive On
+            ExpiresDefault "access plus 14 day"
+            Header append Cache-Control "public"
+        </filesMatch>
    </Directory>

    <Directory "/usr/share/zabbix/conf">
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_envvars
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_envvars
@ -1,4 +0,0 @@
-export APACHE_RUN_USER=$(id -n -u)
-export APACHE_RUN_GROUP=www-data
-export APACHE_PID_FILE=/tmp/apache2.pid
-export APACHE_RUN_DIR=/tmp/apache2
--- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf
+++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf
@ -1,87 +1,113 @@
 LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
 LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
-LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

-<IfModule mod_ssl.c>
-    <VirtualHost *:8443>
-        DocumentRoot /usr/share/zabbix/
-        ServerName zabbix
-        DirectoryIndex {HTTP_INDEX_FILE}
+Listen 8443

-        AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
-        AddType application/x-httpd-php-source .phps
+<VirtualHost *:8443>
+    DocumentRoot /usr/share/zabbix/

-        # Enable/Disable SSL for this virtual host.
-        SSLEngine on
+    ServerName zabbix

-        # intermediate configuration
-        SSLProtocol             -all +TLSv1.2 +TLSv1.3
-        SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-        SSLHonorCipherOrder     off
-        SSLSessionTickets       off
+    DirectoryIndex ${HTTP_INDEX_FILE}

-        SSLCertificateFile /etc/ssl/apache2/ssl.crt
-        SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
-        # SSLCACertificatePath /etc/ssl/apache2/chain/
+    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
+    AddType application/x-httpd-php-source .phps

-        # enable HTTP/2, if available
-        Protocols h2 http/1.1
+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

-        # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
-        Header always set Strict-Transport-Security "max-age=63072000"
+    # Enable/Disable SSL for this virtual host.
+    SSLEngine on

-        <Directory "/usr/share/zabbix">
-            Options FollowSymLinks
-            AllowOverride None
-            Require all granted
-        </Directory>
+    # intermediate configuration
+    SSLProtocol             -all +TLSv1.2 +TLSv1.3
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off

-        <Directory "/usr/share/zabbix/conf">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
+    SSLCertificateFile /etc/ssl/apache2/ssl.crt
+    SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
+    # SSLCACertificatePath /etc/ssl/apache2/chain/

-        <Directory "/usr/share/zabbix/app">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
+    # enable HTTP/2, if available
+    Protocols h2 http/1.1

-        <Directory "/usr/share/zabbix/include">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
+    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
+    Header always set Strict-Transport-Security "max-age=63072000"

-        <Directory "/usr/share/zabbix/local">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
+    <LocationMatch "/(ping|status)">
+        Order Allow,Deny
+        Allow from all

-        <Directory "/usr/share/zabbix/locale">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
+        SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+    </LocationMatch>

-        <Directory "/usr/share/zabbix/vendor">
-            Require all denied
-            <files *.php>
-                Order deny,allow
-                Deny from all
-            </files>
-        </Directory>
-    </VirtualHost>
-</IfModule>
+    <Directory "/usr/share/zabbix">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+
+        <FilesMatch \.(php|phar)$>
+            SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <filesMatch "\.(ico)$">
+            ExpiresActive On
+            ExpiresDefault "access plus 1 year"
+            Header append Cache-Control "public"
+        </filesMatch>
+
+        <filesMatch "\.(js|css|png|jpg|jpeg|gif|xml|txt)$">
+            ExpiresActive On
+            ExpiresDefault "access plus 14 day"
+            Header append Cache-Control "public"
+        </filesMatch>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/conf">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/app">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/include">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/local">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/locale">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
+    <Directory "/usr/share/zabbix/vendor">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+</VirtualHost>
--- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
@ -18,13 +18,19 @@ fi
 # Default timezone for web interface
 : ${PHP_TZ:="Europe/Riga"}

+# Default user settings
+: ${DAEMON_USER:="www-data"}
+: ${DAEMON_GROUP:="www-data"}
+
 # Default directories
-# Web interface www-root directory
-ZABBIX_WWW_ROOT="/usr/share/zabbix"
 # Apache main configuration file
 HTTPD_CONF_FILE="/etc/apache2/apache2.conf"
-# Apache security configuration file
-HTTPD_SECURITY_CONF_FILE="/etc/apache2/conf-enabled/security.conf"
+# Apache additional configuration files directory
+APACHE_SITES_DIR="/etc/apache2/sites-enabled"
+# Directory with SSL certificate files for Apache
+APACHE_SSL_CONFIG_DIR="/etc/ssl/apache2"
+# PHP-FPM configuration file
+PHP_CONFIG_FILE="/etc/php/8.3/fpm/pool.d/zabbix.conf"

 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@ -133,9 +139,12 @@ check_db_connect() {
 }

 prepare_web_server() {
-    APACHE_SITES_DIR="/etc/apache2/sites-enabled"
-
-    ln -sfT "$ZABBIX_CONF_DIR/apache_envvars" "/etc/apache2/envvars"
+    if [ "$(id -u)" == '0' ]; then
+        export APACHE_RUN_USER=${DAEMON_USER}
+    else
+        export APACHE_RUN_USER=$(id -n -u)
+    fi
+    export APACHE_RUN_GROUP=${DAEMON_GROUP}

    echo "** Adding Zabbix virtual host (HTTP)"
    if [ -f "$ZABBIX_CONF_DIR/apache.conf" ]; then
@ -144,7 +153,7 @@ prepare_web_server() {
        echo "**** Impossible to enable HTTP virtual host"
    fi

-    if [ -f "/etc/ssl/apache2/ssl.crt" ] && [ -f "/etc/ssl/apache2/ssl.key" ]; then
+    if [ -f "$APACHE_SSL_CONFIG_DIR/ssl.crt" ] && [ -f "$APACHE_SSL_CONFIG_DIR/ssl.key" ]; then
        echo "** Adding Zabbix virtual host (HTTPS)"
        if [ -f "$ZABBIX_CONF_DIR/apache_ssl.conf" ]; then
            ln -sfT "$ZABBIX_CONF_DIR/apache_ssl.conf" "$APACHE_SITES_DIR/zabbix_ssl.conf"
@ -154,10 +163,42 @@ prepare_web_server() {
    else
        echo "**** Impossible to enable SSL support for Apache2. Certificates are missed."
    fi
+
+    export HTTP_INDEX_FILE=${HTTP_INDEX_FILE:="index.php"}
+
+    : ${ENABLE_WEB_ACCESS_LOG:="true"}
+    export APACHE_CUSTOM_LOG="/proc/self/fd/1"
+    if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
+        export APACHE_CUSTOM_LOG="/dev/null"
+    fi
+
+    : ${EXPOSE_WEB_SERVER_INFO:="on"}
+    export APACHE_SERVER_TOKENS="OS"
+    export APACHE_SERVER_SIGNATURE="On"
+    if [ "${EXPOSE_WEB_SERVER_INFO}" == "off" ]; then
+        export APACHE_SERVER_TOKENS="Prod"
+        export APACHE_SERVER_SIGNATURE="Off"
+    fi
+
+    mkdir -p /tmp/apache2
 }

-prepare_zbx_web_config() {
-    echo "** Preparing Zabbix frontend configuration file"
+prepare_zbx_php_config() {
+    echo "** Preparing PHP configuration"
+
+    export PHP_FPM_PM=${PHP_FPM_PM:-"dynamic"}
+    export PHP_FPM_PM_MAX_CHILDREN=${PHP_FPM_PM_MAX_CHILDREN:-"50"}
+    export PHP_FPM_PM_START_SERVERS=${PHP_FPM_PM_START_SERVERS:-"5"}
+    export PHP_FPM_PM_MIN_SPARE_SERVERS=${PHP_FPM_PM_MIN_SPARE_SERVERS:-"5"}
+    export PHP_FPM_PM_MAX_SPARE_SERVERS=${PHP_FPM_PM_MAX_SPARE_SERVERS:-"35"}
+    export PHP_FPM_PM_MAX_REQUESTS=${PHP_FPM_PM_MAX_REQUESTS:-"0"}
+
+    if [ "$(id -u)" == '0' ]; then
+        echo "user = ${DAEMON_USER}" >> "$PHP_CONFIG_FILE"
+        echo "group = ${DAEMON_GROUP}" >> "$PHP_CONFIG_FILE"
+        echo "listen.owner = ${DAEMON_USER}" >> "$PHP_CONFIG_FILE"
+        echo "listen.group = ${DAEMON_GROUP}" >> "$PHP_CONFIG_FILE"
+    fi

    : ${ZBX_DENY_GUI_ACCESS:="false"}
    export ZBX_DENY_GUI_ACCESS=${ZBX_DENY_GUI_ACCESS,,}
@ -210,48 +251,14 @@ prepare_zbx_web_config() {

    : ${ZBX_ALLOW_HTTP_AUTH:="true"}
    export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
+}

+prepare_zbx_config() {
    if [ -n "${ZBX_SESSION_NAME}" ]; then
        cp "$ZABBIX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp"
        sed "/ZBX_SESSION_NAME/s/'[^']*'/'${ZBX_SESSION_NAME}'/2" "/tmp/defines.inc.php_tmp" > "$ZABBIX_WWW_ROOT/include/defines.inc.php"
        rm -f "/tmp/defines.inc.php_tmp"
    fi
-
-    : ${HTTP_INDEX_FILE:="index.php"}
-    sed -i \
-        -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \
-    "$ZABBIX_CONF_DIR/apache.conf"
-
-    if [ -f "$ZABBIX_CONF_DIR/apache_ssl.conf" ]; then
-        sed -i \
-            -e "s/{HTTP_INDEX_FILE}/${HTTP_INDEX_FILE}/g" \
-        "$ZABBIX_CONF_DIR/apache_ssl.conf"
-    fi
-
-    : ${ENABLE_WEB_ACCESS_LOG:="true"}
-
-    if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
-        sed -ri \
-            -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
-            "$HTTPD_CONF_FILE"
-        sed -ri \
-            -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
-            "/etc/apache2/conf-available/other-vhosts-access-log.conf"
-    fi
-
-    : ${EXPOSE_WEB_SERVER_INFO:="on"}
-    [[ "${EXPOSE_WEB_SERVER_INFO}" != "off" ]] && EXPOSE_WEB_SERVER_INFO="on"
-    export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
-
-    if [ "${EXPOSE_WEB_SERVER_INFO}" == "off" ]; then
-        sed -i \
-            -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
-        "$HTTPD_SECURITY_CONF_FILE"
-    fi
-
-    sed -i \
-        -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO}/g" \
-    "$HTTPD_SECURITY_CONF_FILE"
 }

 #################################################
@ -260,17 +267,18 @@ echo "** Deploying Zabbix web-interface (Apache) with MySQL database"

 check_variables
 check_db_connect
+prepare_zbx_php_config
 prepare_web_server
-prepare_zbx_web_config
+prepare_zbx_config

 echo "########################################################"

 if [ "$1" != "" ]; then
    echo "** Executing '$@'"
    exec "$@"
-elif [ -f "/usr/sbin/httpd" ]; then
-    echo "** Executing HTTPD"
-    exec /usr/sbin/httpd -D FOREGROUND
+elif [ -f "/usr/bin/supervisord" ]; then
+    echo "** Executing supervisord"
+    exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
 else
    echo "Unknown instructions. Exiting..."
    exit 1