# mod_ssl provides the SSL* directives used by the virtual host below.
LoadModule ssl_module modules/mod_ssl.so
# Shared-memory (shmcb) object cache provider.
# NOTE(review): no SSLSessionCache or SSLStaplingCache directive appears in this
# file - confirm where (or whether) the cache is actually configured.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Port served by the <VirtualHost *:8443> block, which turns SSLEngine on.
Listen 8443

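# TLS virtual host for the Zabbix web frontend. PHP is executed by PHP-FPM over
# the unix socket /tmp/php-fpm.sock; internal source directories are denied.
<VirtualHost *:8443>
    DocumentRoot /usr/share/zabbix/

    ServerName zabbix

    # Taken from the environment at start-up; HTTP_INDEX_FILE must be defined.
    DirectoryIndex ${HTTP_INDEX_FILE}

    # MIME type mappings only; execution is wired up by the SetHandler lines below.
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps

    # Copy the Authorization request header into the HTTP_AUTHORIZATION variable
    # (presumably so the FastCGI backend can read it - confirm against the app).
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # intermediate configuration: TLS 1.2/1.3 only, AEAD suites with forward secrecy.
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    # Client picks among the suites above; every listed suite is acceptable.
    SSLHonorCipherOrder     off
    # No session tickets, so no long-lived ticket key weakens forward secrecy.
    SSLSessionTickets       off

    SSLCertificateFile /etc/ssl/apache2/ssl.crt
    # Private key: keep it readable only by the account that starts httpd.
    SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
    # SSLCACertificatePath /etc/ssl/apache2/chain/

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    # Anchored so that only the exact paths /ping and /status are handed to
    # PHP-FPM; an unanchored pattern also matches any URL that merely contains
    # one of those segments.
    # These two endpoints are open to every client.
    # NOTE(review): if they are the FPM ping/status pages, the status output
    # describes the worker pool; consider "Require local" or "Require ip ..."
    # once the source of the health probes is known.
    <LocationMatch "^/(ping|status)$">
        Require all granted

        SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
    </LocationMatch>

    <Directory "/usr/share/zabbix">
        # Options without +/- replaces the inherited set, so Indexes is not enabled.
        Options FollowSymLinks
        # .htaccess files are ignored: access rules live only in this file.
        AllowOverride None
        Require all granted

        # Only file names ending in .php or .phar are executed by PHP-FPM.
        <FilesMatch "\.(php|phar)$">
            SetHandler "proxy:unix:/tmp/php-fpm.sock|fcgi://localhost"
        </FilesMatch>

        # Long-lived caching for static assets (mod_expires and mod_headers required).
        <FilesMatch "\.(ico)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 year"
            Header append Cache-Control "public"
        </FilesMatch>

        <FilesMatch "\.(js|css|png|jpg|jpeg|gif|xml|txt)$">
            ExpiresActive On
            ExpiresDefault "access plus 14 day"
            Header append Cache-Control "public"
        </FilesMatch>
    </Directory>

    # Internal directories: nothing below them is served over HTTP. The rules use
    # mod_authz_core (Require) throughout instead of mixing in the deprecated
    # mod_access_compat Order/Deny directives. The <Files> section repeats the
    # denial for PHP files because <Files> is merged after <Directory>.
    <Directory "/usr/share/zabbix/conf">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>

    <Directory "/usr/share/zabbix/app">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>

    <Directory "/usr/share/zabbix/include">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>

    <Directory "/usr/share/zabbix/local">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>

    <Directory "/usr/share/zabbix/locale">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>

    <Directory "/usr/share/zabbix/vendor">
        Require all denied
        <Files "*.php">
            Require all denied
        </Files>
    </Directory>
</VirtualHost>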