From f130bd6a642fcf9d83f5e6cc6710992b9c334ba7 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Fri, 4 Jul 2025 17:54:57 +0300 Subject: [PATCH] Added correct resolving for source IP addresses in case of HTTP proxies --- Dockerfiles/web-apache-mysql/README.md | 4 +++ .../alpine/conf/etc/apache2/modules.conf | 1 + .../alpine/conf/etc/zabbix/apache.conf | 3 ++ .../alpine/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../alpine/docker-entrypoint.sh | 5 ++++ .../centos/conf/etc/httpd/modules.conf | 1 + .../centos/conf/etc/zabbix/apache.conf | 3 ++ .../centos/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../centos/docker-entrypoint.sh | 5 ++++ .../ol/conf/etc/httpd/modules.conf | 1 + .../ol/conf/etc/zabbix/apache.conf | 3 ++ .../ol/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../web-apache-mysql/ol/docker-entrypoint.sh | 5 ++++ .../ubuntu/conf/etc/apache2/modules.conf | 1 + .../ubuntu/conf/etc/zabbix/apache.conf | 3 ++ .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../ubuntu/docker-entrypoint.sh | 5 ++++ Dockerfiles/web-apache-pgsql/README.md | 4 +++ .../alpine/conf/etc/apache2/modules.conf | 1 + .../alpine/conf/etc/zabbix/apache.conf | 3 ++ .../alpine/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../alpine/docker-entrypoint.sh | 5 ++++ .../centos/conf/etc/httpd/modules.conf | 1 + .../centos/conf/etc/zabbix/apache.conf | 3 ++ .../centos/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../centos/docker-entrypoint.sh | 5 ++++ .../ol/conf/etc/httpd/modules.conf | 1 + .../ol/conf/etc/zabbix/apache.conf | 3 ++ .../ol/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../web-apache-pgsql/ol/docker-entrypoint.sh | 5 ++++ .../ubuntu/conf/etc/apache2/modules.conf | 1 + .../ubuntu/conf/etc/zabbix/apache.conf | 3 ++ .../ubuntu/conf/etc/zabbix/apache_ssl.conf | 3 ++ .../ubuntu/docker-entrypoint.sh | 5 ++++ Dockerfiles/web-nginx-mysql/README.md | 4 +++ .../alpine/conf/etc/zabbix/nginx.conf | 3 ++ .../alpine/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../alpine/docker-entrypoint.sh | 30 +++++++++++++++++++ .../centos/conf/etc/zabbix/nginx.conf | 3 ++ .../centos/conf/etc/zabbix/nginx_ssl.conf | 
3 ++ .../centos/docker-entrypoint.sh | 30 +++++++++++++++++++ .../ol/conf/etc/zabbix/nginx.conf | 3 ++ .../ol/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../web-nginx-mysql/ol/docker-entrypoint.sh | 30 +++++++++++++++++++ .../rhel/conf/etc/zabbix/nginx.conf | 3 ++ .../rhel/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../web-nginx-mysql/rhel/docker-entrypoint.sh | 30 +++++++++++++++++++ .../ubuntu/conf/etc/zabbix/nginx.conf | 3 ++ .../ubuntu/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../ubuntu/docker-entrypoint.sh | 30 +++++++++++++++++++ Dockerfiles/web-nginx-pgsql/README.md | 4 +++ .../alpine/conf/etc/zabbix/nginx.conf | 3 ++ .../alpine/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../alpine/docker-entrypoint.sh | 30 +++++++++++++++++++ .../centos/conf/etc/zabbix/nginx.conf | 3 ++ .../centos/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../centos/docker-entrypoint.sh | 30 +++++++++++++++++++ .../ol/conf/etc/zabbix/nginx.conf | 3 ++ .../ol/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../web-nginx-pgsql/ol/docker-entrypoint.sh | 30 +++++++++++++++++++ .../rhel/conf/etc/zabbix/nginx.conf | 3 ++ .../rhel/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../web-nginx-pgsql/rhel/docker-entrypoint.sh | 30 +++++++++++++++++++ .../ubuntu/conf/etc/zabbix/nginx.conf | 3 ++ .../ubuntu/conf/etc/zabbix/nginx_ssl.conf | 3 ++ .../ubuntu/docker-entrypoint.sh | 30 +++++++++++++++++++ env_vars/.env_web | 3 ++ 67 files changed, 475 insertions(+) diff --git a/Dockerfiles/web-apache-mysql/README.md b/Dockerfiles/web-apache-mysql/README.md index 50a25490e..9c87d0f26 100644 --- a/Dockerfiles/web-apache-mysql/README.md +++ b/Dockerfiles/web-apache-mysql/README.md @@ -248,6 +248,10 @@ PHP_FPM_PM_START_SERVERS=5 PHP_FPM_PM_MIN_SPARE_SERVERS=5 PHP_FPM_PM_MAX_SPARE_SERVERS=35 PHP_FPM_PM_MAX_REQUESTS=0 + +Allowed Apache configuration options: +WEB_REAL_IP_FROM= +WEB_REAL_IP_HEADER= ``` ## Allowed volumes for the Zabbix web interface container 
diff --git a/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf b/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf +++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/apache2/modules.conf @@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf index 61cc676ee..2738d7abb 100644 --- a/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh index d06654801..7cf62a20d 100755 --- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh 
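Review bot: Nothing beside the added `RemoteIPInternalProxy ${WEB_REAL_IP_FROM}` / `RemoteIPHeader ${WEB_REAL_IP_HEADER}` pair in apache.conf (and the same pair in apache_ssl.conf) tells an operator that every address listed in WEB_REAL_IP_FROM is fully trusted to state the client IP. The InternalProxy variant also accepts private addresses taken from the header. A comment above the pair such as `# Trusted reverse proxies only; docker-entrypoint.sh removes these lines when the variable is empty` would make that contract visible. The access LogFormat is not part of this diff; if it uses `%h`, the logs will probably keep showing the proxy address and `%a` would be needed, which is worth confirming. The centos, ol and ubuntu variants and the web-apache-pgsql copies carry the same two lines.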
@@ -183,6 +183,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf b/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf +++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/httpd/modules.conf @@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf index f4b52948b..9fcdb019b 100644 --- a/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/apache_ssl.conf 
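Review bot: The two variables are stripped independently, so setting only WEB_REAL_IP_HEADER leaves `RemoteIPHeader` active with no `RemoteIPInternalProxy` line. As far as I read the mod_remoteip documentation, the header is then honoured from any peer presenting a public address, so a client that reaches Apache directly can choose the source IP that lands in audit logs and IP-based rules. Treat the pair as one switch, e.g. `[ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_/d' "$ZABBIX_CONF_DIR/apache.conf" "$ZABBIX_CONF_DIR/apache_ssl.conf"`, and the same test for an empty header. prepare_web_server starts above the hunk; the identical block is added to the centos, ol and ubuntu entrypoints and to every web-apache-pgsql entrypoint.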
@@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh index 977f545c9..0fba0b331 100755 --- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh @@ -183,6 +183,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf b/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf +++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/httpd/modules.conf @@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache.conf 
@@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf index f4b52948b..9fcdb019b 100644 --- a/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-mysql/ol/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh index 977f545c9..0fba0b331 100755 --- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh @@ -183,6 +183,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf index 88cbea64c..6eb7a763d 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf +++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/apache2/modules.conf 
@@ -12,3 +12,4 @@ LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so LoadModule expires_module /usr/lib/apache2/modules/mod_expires.so LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so +LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf index fede75993..5a345610b 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-mysql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh index e6d089cc3..3f5fd3f87 100755 --- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh 
@@ -183,6 +183,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-pgsql/README.md b/Dockerfiles/web-apache-pgsql/README.md index e7dcc5114..66c63a4cb 100644 --- a/Dockerfiles/web-apache-pgsql/README.md +++ b/Dockerfiles/web-apache-pgsql/README.md @@ -248,6 +248,10 @@ PHP_FPM_PM_START_SERVERS=5 PHP_FPM_PM_MIN_SPARE_SERVERS=5 PHP_FPM_PM_MAX_SPARE_SERVERS=35 PHP_FPM_PM_MAX_REQUESTS=0 + +Allowed Apache configuration options: +WEB_REAL_IP_FROM= +WEB_REAL_IP_HEADER= ``` ## Allowed volumes for the Zabbix web interface container diff --git a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/apache2/modules.conf b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/apache2/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/apache2/modules.conf +++ b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/apache2/modules.conf @@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache.conf 
@@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf index 61cc676ee..2738d7abb 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-pgsql/alpine/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh index f05e6f09d..2d41a2604 100755 --- a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh @@ -182,6 +182,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-pgsql/centos/conf/etc/httpd/modules.conf b/Dockerfiles/web-apache-pgsql/centos/conf/etc/httpd/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-pgsql/centos/conf/etc/httpd/modules.conf +++ b/Dockerfiles/web-apache-pgsql/centos/conf/etc/httpd/modules.conf 
@@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf index f4b52948b..9fcdb019b 100644 --- a/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-pgsql/centos/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh index 4e97a986b..651fb38e8 100755 --- a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh 
@@ -182,6 +182,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-pgsql/ol/conf/etc/httpd/modules.conf b/Dockerfiles/web-apache-pgsql/ol/conf/etc/httpd/modules.conf index 2595627c0..89a21169e 100644 --- a/Dockerfiles/web-apache-pgsql/ol/conf/etc/httpd/modules.conf +++ b/Dockerfiles/web-apache-pgsql/ol/conf/etc/httpd/modules.conf @@ -15,3 +15,4 @@ LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +LoadModule remoteip_module modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache.conf +++ b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache_ssl.conf index f4b52948b..9fcdb019b 100644 --- a/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-pgsql/ol/conf/etc/zabbix/apache_ssl.conf 
@@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh index 83452cdd2..6db1f88ab 100755 --- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh @@ -182,6 +182,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/apache2/modules.conf b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/apache2/modules.conf index 88cbea64c..6eb7a763d 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/apache2/modules.conf +++ b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/apache2/modules.conf @@ -12,3 +12,4 @@ LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so LoadModule proxy_fcgi_module /usr/lib/apache2/modules/mod_proxy_fcgi.so LoadModule expires_module /usr/lib/apache2/modules/mod_expires.so LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so +LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf index 231767341..c9e066204 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf 
+++ b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf @@ -1,6 +1,9 @@ Listen 8080 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + Require all granted diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf index fede75993..5a345610b 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf +++ b/Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf @@ -14,6 +14,9 @@ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 + RemoteIPInternalProxy ${WEB_REAL_IP_FROM} + RemoteIPHeader ${WEB_REAL_IP_HEADER} + # Enable/Disable SSL for this virtual host. SSLEngine on diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh index a49c7dff4..2f38961f7 100755 --- a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh @@ -182,6 +182,11 @@ prepare_web_server() { export APACHE_SERVER_SIGNATURE="Off" fi + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_FROM}" ] && sed -i '/WEB_REAL_IP_FROM/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache.conf" + [ -z "${WEB_REAL_IP_HEADER}" ] && sed -i '/WEB_REAL_IP_HEADER/d' "$ZABBIX_CONF_DIR/apache_ssl.conf" + mkdir -p "${APACHE_RUN_DIR}" } diff --git a/Dockerfiles/web-nginx-mysql/README.md b/Dockerfiles/web-nginx-mysql/README.md index 587507624..7d6b61115 100644 --- a/Dockerfiles/web-nginx-mysql/README.md +++ b/Dockerfiles/web-nginx-mysql/README.md 
@@ -249,6 +249,10 @@ PHP_FPM_PM_START_SERVERS=5 PHP_FPM_PM_MIN_SPARE_SERVERS=5 PHP_FPM_PM_MAX_SPARE_SERVERS=35 PHP_FPM_PM_MAX_REQUESTS=0 + +Allowed Nginx configuration options: +WEB_REAL_IP_FROM= +WEB_REAL_IP_HEADER= ``` ## Allowed volumes for the Zabbix web interface container diff --git a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; diff --git a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf index 3a59b420a..1b9739373 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-mysql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -4,6 +4,9 @@ server { http2 on; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh index 4111e982c..794bb0f72 100755 --- a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php84/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
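Review bot: escape_spec_char leaves `/` and `&` untouched although its result is spliced into `s/…/…/g` replacements in prepare_web_server, so a CIDR value for WEB_REAL_IP_FROM such as `10.0.0.0/8` (constructed example) ends the replacement early and sed rejects the expression. The `{WEB_REAL_IP_FROM}` placeholder then stays in nginx.conf and nginx_ssl.conf, and the sed exit status is not checked. Adding `var_value="${var_value//\//\\/}"`, plus an equivalent escape for `&`, would close this. A header comment saying that the function escapes text for the replacement side of a `/`-delimited sed expression would also help the next reader. The same function is added to the centos, ol and rhel entrypoints in this patch.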
@@ -210,6 +219,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; diff --git a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-mysql/centos/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh index 0d945631c..7ab6bd490 100755 
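Review bot: The whole of WEB_REAL_IP_FROM is wrapped into a single `set_real_ip_from …;` directive, which nginx defines with one address argument, so a deployment behind several proxies cannot be expressed and a space-separated list will most likely fail the configuration check at start-up. Either emit one directive per entry or state the restriction beside the code, e.g. `# WEB_REAL_IP_FROM: exactly one address or CIDR (set_real_ip_from takes a single argument)`. On style, `[ ! -z … ]` reads more plainly as `[ -n … ]`, and the four sed calls can be one call with two `-e` expressions and both files. prepare_web_server begins above the hunk; the centos, ol and rhel entrypoints carry the same lines.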
--- a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) @@ -210,6 +219,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; 
diff --git a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-mysql/ol/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh index 0d945631c..7ab6bd490 100755 --- a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
@@ -210,6 +219,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; diff --git a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-mysql/rhel/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh index 0d945631c..7ab6bd490 100755 
--- a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) @@ -210,6 +219,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; 
diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh index e163a07ee..9238281bc 100755 --- a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php/8.3/fpm/pool.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
@@ -210,6 +219,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-pgsql/README.md b/Dockerfiles/web-nginx-pgsql/README.md index f373b4392..0be74e6d4 100644 --- a/Dockerfiles/web-nginx-pgsql/README.md +++ b/Dockerfiles/web-nginx-pgsql/README.md @@ -248,6 +248,10 @@ PHP_FPM_PM_START_SERVERS=5 PHP_FPM_PM_MIN_SPARE_SERVERS=5 PHP_FPM_PM_MAX_SPARE_SERVERS=35 PHP_FPM_PM_MAX_REQUESTS=0 + +Allowed Nginx configuration options: +WEB_REAL_IP_FROM= +WEB_REAL_IP_HEADER= ``` ## Allowed volumes for the Zabbix web interface container diff --git a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; 
diff --git a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf index 3a59b420a..1b9739373 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf @@ -4,6 +4,9 @@ server { http2 on; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh index 2d2f2a594..723c9ad80 100755 --- a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php84/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
@@ -209,6 +218,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; diff --git a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh index ce300b174..9bdaeafb5 100755 
--- a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) @@ -209,6 +218,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; 
diff --git a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-pgsql/ol/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh index ce300b174..9bdaeafb5 100755 --- a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
@@ -209,6 +218,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; diff --git a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-pgsql/rhel/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh index 94c5b5186..41925fb1f 100755 
--- a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) @@ -209,6 +218,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf index eb9cd6c64..0539ae798 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf @@ -2,6 +2,9 @@ server { listen 8080; listen [::]:8080; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; index {HTTP_INDEX_FILE}; 
diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf index 047e84455..f41e56397 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf @@ -2,6 +2,9 @@ server { listen 8443 ssl http2; listen [::]:8443 ssl http2; + {WEB_REAL_IP_FROM} + {WEB_REAL_IP_HEADER} + server_name zabbix; server_name_in_redirect off; diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh index fc17031da..e3dd15608 100755 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh @@ -32,6 +32,15 @@ NGINX_SSL_CONFIG_DIR="/etc/ssl/nginx" # PHP-FPM configuration file PHP_CONFIG_FILE="/etc/php/8.3/fpm/pool.d/zabbix.conf" +escape_spec_char() { + local var_value=$1 + + var_value="${var_value//\\/\\\\}" + var_value="${var_value//./\\.}" + + echo "$var_value" +} + # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' # (will allow for "$MYSQL_PASSWORD_FILE" to fill in the value of "$MYSQL_PASSWORD" from a file) 
@@ -209,6 +218,27 @@ prepare_web_server() { sed -i \ -e "s/{EXPOSE_WEB_SERVER_INFO}/${EXPOSE_WEB_SERVER_INFO}/g" \ "$NGINX_CONF_FILE" + + [ ! -z "${WEB_REAL_IP_FROM}" ] && WEB_REAL_IP_FROM="set_real_ip_from ${WEB_REAL_IP_FROM};" + WEB_REAL_IP_FROM=$(escape_spec_char "$WEB_REAL_IP_FROM") + [ ! -z "${WEB_REAL_IP_HEADER}" ] && WEB_REAL_IP_HEADER="real_ip_header ${WEB_REAL_IP_HEADER};" + WEB_REAL_IP_HEADER=$(escape_spec_char "$WEB_REAL_IP_HEADER") + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_FROM}/${WEB_REAL_IP_FROM}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx.conf" + + sed -i \ + -e "s/{WEB_REAL_IP_HEADER}/${WEB_REAL_IP_HEADER}/g" \ + "$ZABBIX_CONF_DIR/nginx_ssl.conf" } prepare_zbx_php_config() { diff --git a/env_vars/.env_web b/env_vars/.env_web index ae7aaa624..a3ecb88ea 100644 --- a/env_vars/.env_web +++ b/env_vars/.env_web @@ -39,3 +39,6 @@ ZBX_SERVER_NAME=Composed installation # PHP_FPM_PM_MIN_SPARE_SERVERS=5 # PHP_FPM_PM_MAX_SPARE_SERVERS=35 # PHP_FPM_PM_MAX_REQUESTS=0 + +#WEB_REAL_IP_FROM= +#WEB_REAL_IP_HEADER=