####### TLS-RELATED PARAMETERS #######

# Every value in this section is filled in from a ZBX_* environment variable.
# NOTE(review): how an unset or empty variable is rendered is not visible in this
# file - confirm with the templating/entrypoint step that a missing variable
# cannot leave the proxy on an unencrypted or unverified connection.

### Option: TLSConnect
#	How the proxy should connect to Zabbix server. Used for an active proxy, ignored on a passive proxy.
#	Only one value can be specified:
#		unencrypted - connect without encryption
#		psk         - connect using TLS and a pre-shared key
#		cert        - connect using TLS and a certificate
#
#	Security note: 'unencrypted' (the documented default) sends monitoring data in
#	cleartext and does not authenticate the server. Set ZBX_TLSCONNECT to 'psk' or
#	'cert' on any network that is not fully trusted.
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
# Default:
# TLSConnect=unencrypted

TLSConnect=${ZBX_TLSCONNECT}

### Option: TLSAccept
#	What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
#	Multiple values can be specified, separated by comma:
#		unencrypted - accept connections without encryption
#		psk         - accept connections secured with TLS and a pre-shared key
#		cert        - accept connections secured with TLS and a certificate
#
#	Security note: every listed mode is accepted. Keeping 'unencrypted' in the list
#	next to 'psk' or 'cert' still lets a peer connect without TLS, so list only the
#	modes that are actually intended.
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
# Default:
# TLSAccept=unencrypted

TLSAccept=${ZBX_TLSACCEPT}

### Option: TLSCAFile
#	Full pathname of a file containing the top-level CA(s) certificates for
#	peer certificate verification.
#
#	Security note: every CA in this file is trusted to vouch for the peer. Keep the
#	file limited to the CA(s) that issue Zabbix component certificates.
#
# Mandatory: no
# Default:
# TLSCAFile=

TLSCAFile=${ZBX_TLSCAFILE}

### Option: TLSCRLFile
#	Full pathname of a file containing revoked certificates.
#
#	Security note: if this is left empty no revocation list is consulted, so a
#	revoked certificate that is otherwise valid would still pass verification.
#	NOTE(review): confirm how and when the CRL file is refreshed in this deployment.
#
# Mandatory: no
# Default:
# TLSCRLFile=

TLSCRLFile=${ZBX_TLSCRLFILE}

### Option: TLSServerCertIssuer
#	Allowed server certificate issuer.
#
#	Security note: together with TLSServerCertSubject this restricts which server
#	certificate is accepted. If both are left empty, any certificate that validates
#	against TLSCAFile is accepted, which matters when the CA also issues
#	certificates for other purposes.
#
# Mandatory: no
# Default:
# TLSServerCertIssuer=

TLSServerCertIssuer=${ZBX_TLSSERVERCERTISSUER}

### Option: TLSServerCertSubject
#	Allowed server certificate subject.
#
#	Security note: set this (and TLSServerCertIssuer) to the exact values of the
#	Zabbix server certificate so that another certificate from the same CA cannot
#	be used in its place.
#
# Mandatory: no
# Default:
# TLSServerCertSubject=

TLSServerCertSubject=${ZBX_TLSSERVERCERTSUBJECT}

### Option: TLSCertFile
#	Full pathname of a file containing the proxy certificate or certificate chain.
#
# Mandatory: no
# Default:
# TLSCertFile=

TLSCertFile=${ZBX_TLSCERTFILE}

### Option: TLSKeyFile
#	Full pathname of a file containing the proxy private key.
#
#	Security note: the key file should be readable only by the account the proxy
#	runs as. Provide it through a mounted secret or volume rather than storing it
#	in an image layer or in version control.
#
# Mandatory: no
# Default:
# TLSKeyFile=

TLSKeyFile=${ZBX_TLSKEYFILE}

### Option: TLSPSKIdentity
#	Unique, case-sensitive string used to identify the pre-shared key.
#
#	Security note: the identity is an identifier, not a secret, and is sent before
#	the connection is encrypted. Do not put sensitive information in it.
#
# Mandatory: no
# Default:
# TLSPSKIdentity=

TLSPSKIdentity=${ZBX_TLSPSKIDENTITY}

### Option: TLSPSKFile
#	Full pathname of a file containing the pre-shared key.
#
#	Security note: only the path is configured here; the key itself lives in the
#	file. Restrict the file to the account the proxy runs as, generate the key from
#	a cryptographically secure random source, and use a separate key per proxy so
#	that one leaked key does not expose the others.
#
# Mandatory: no
# Default:
# TLSPSKFile=

TLSPSKFile=${ZBX_TLSPSKFILE}

####### For advanced users - TLS ciphersuite selection criteria #######

# Review note on the examples below: they illustrate the syntax only and are not a
# recommended policy. Several of them allow key exchange without forward secrecy
# (+RSA, +PSK, RSA+aRSA, kPSK), CBC-mode ciphers (+AES-128-CBC) and SHA-1 MACs
# (+SHA1). Check any string against current organisational policy before using it;
# leaving an option empty keeps the built-in default selection criteria.

### Option: TLSCipherCert13
#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#	Override the default ciphersuite selection criteria for certificate-based encryption.
#
# Mandatory: no
# Default:
# TLSCipherCert13=

TLSCipherCert13=${ZBX_TLSCIPHERCERT13}

### Option: TLSCipherCert
#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#	Override the default ciphersuite selection criteria for certificate-based encryption.
#	Example for GnuTLS:
#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
#	Example for OpenSSL:
#		EECDH+aRSA+AES128:RSA+aRSA+AES128
#	(Both examples also permit plain RSA key exchange, which has no forward secrecy.)
#
# Mandatory: no
# Default:
# TLSCipherCert=

TLSCipherCert=${ZBX_TLSCIPHERCERT}

### Option: TLSCipherPSK13
#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#	Override the default ciphersuite selection criteria for PSK-based encryption.
#	Example:
#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
# Mandatory: no
# Default:
# TLSCipherPSK13=

TLSCipherPSK13=${ZBX_TLSCIPHERPSK13}

### Option: TLSCipherPSK
#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#	Override the default ciphersuite selection criteria for PSK-based encryption.
#	Example for GnuTLS:
#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
#	Example for OpenSSL:
#		kECDHEPSK+AES128:kPSK+AES128
#	(Both examples also permit plain PSK key exchange, which has no forward secrecy:
#	traffic recorded earlier can be decrypted if the pre-shared key later leaks.)
#
# Mandatory: no
# Default:
# TLSCipherPSK=

TLSCipherPSK=${ZBX_TLSCIPHERPSK}

### Option: TLSCipherAll13
#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
#	Example:
#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
# Mandatory: no
# Default:
# TLSCipherAll13=

TLSCipherAll13=${ZBX_TLSCIPHERALL13}

### Option: TLSCipherAll
#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
#	Example for GnuTLS:
#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
#	Example for OpenSSL:
#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
#	(Both examples also permit plain RSA and plain PSK key exchange; see the review
#	note at the top of this ciphersuite section.)
#
# Mandatory: no
# Default:
# TLSCipherAll=

TLSCipherAll=${ZBX_TLSCIPHERALL}