Added encryption support between server and frontend

Author: dotneft

Dockerfiles/proxy-mysql/README.md

@@ -219,6 +219,7 @@ ZBX_UNREACHABLEPERIOD=45
 ZBX_UNAVAILABLEDELAY=60
 ZBX_UNREACHABLEDELAY=15
 ZBX_LOGSLOWQUERIES=3000
+ZBX_TLSLISTEN= # Available since 7.4.0
 ZBX_TLSCONNECT=unencrypted
 ZBX_TLSACCEPT=unencrypted
 ZBX_TLSCAFILE=

Dockerfiles/proxy-sqlite3/README.md

@@ -172,6 +172,7 @@ ZBX_UNREACHABLEPERIOD=45
 ZBX_UNAVAILABLEDELAY=60
 ZBX_UNREACHABLEDELAY=15
 ZBX_LOGSLOWQUERIES=3000
+ZBX_TLSLISTEN= # Available since 7.4.0
 ZBX_TLSCONNECT=unencrypted
 ZBX_TLSACCEPT=unencrypted
 ZBX_TLSCAFILE=
@@ -196,7 +197,6 @@ ZBX_TLSCIPHERPSK13= # Available since 4.4.7
 ZBX_WEBDRIVERURL= # Available since 7.0.0
 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0
 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0
-
 ```
 
 Default values of these variables are specified after equal sign.

Dockerfiles/server-mysql/README.md

@@ -208,6 +208,7 @@ ZBX_LOGSLOWQUERIES=3000
 ZBX_STARTPROXYPOLLERS=1
 ZBX_PROXYCONFIGFREQUENCY=10
 ZBX_PROXYDATAFREQUENCY=1
+ZBX_TLSLISTEN= # Available since 7.4.0
 ZBX_TLSCAFILE=
 ZBX_TLSCA=
 ZBX_TLSCRLFILE=
@@ -222,6 +223,10 @@ ZBX_TLSCIPHERCERT= # Available since 4.4.7
 ZBX_TLSCIPHERCERT13= # Available since 4.4.7
 ZBX_TLSCIPHERPSK= # Available since 4.4.7
 ZBX_TLSCIPHERPSK13= # Available since 4.4.7
+ZBX_TLS_FRONTENDACCEPT= # Available since 7.4.0
+ZBX_FRONTENDALLOWEDIP= # Available since 7.4.0
+ZBX_TLSFRONTENDCERTISSUER= # Available since 7.4.0
+ZBX_TLSFRONTENDCERTSUBJECT= # Available since 7.4.0
 ZBX_WEBDRIVERURL= # Available since 7.0.0
 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0
 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0

Dockerfiles/server-pgsql/README.md

@@ -209,6 +209,7 @@ ZBX_LOGSLOWQUERIES=3000
 ZBX_STARTPROXYPOLLERS=1
 ZBX_PROXYCONFIGFREQUENCY=10
 ZBX_PROXYDATAFREQUENCY=1
+ZBX_TLSLISTEN= # Available since 7.4.0
 ZBX_TLSCAFILE=
 ZBX_TLSCA=
 ZBX_TLSCRLFILE=
@@ -223,6 +224,10 @@ ZBX_TLSCIPHERCERT= # Available since 4.4.7
 ZBX_TLSCIPHERCERT13= # Available since 4.4.7
 ZBX_TLSCIPHERPSK= # Available since 4.4.7
 ZBX_TLSCIPHERPSK13= # Available since 4.4.7
+ZBX_TLS_FRONTENDACCEPT= # Available since 7.4.0
+ZBX_FRONTENDALLOWEDIP= # Available since 7.4.0
+ZBX_TLSFRONTENDCERTISSUER= # Available since 7.4.0
+ZBX_TLSFRONTENDCERTSUBJECT= # Available since 7.4.0
 ZBX_WEBDRIVERURL= # Available since 7.0.0
 ZBX_STARTBROWSERPOLLERS=1 # Available since 7.0.0
 ZBX_STARTSNMPPOLLERS=1 # Available since 7.0.0

Dockerfiles/web-apache-mysql/README.md

@@ -241,6 +241,16 @@ ZBX_VAULTDBPATH= # Available since 5.2.0
 ZBX_VAULTURL=https://127.0.0.1:8200 # Available since 5.2.0
 VAULT_TOKEN= # Available since 5.2.0
 
+ZBX_SERVER_TLS_ACTIVE=false # Available since 7.4.0
+ZBX_SERVER_TLS_CAFILE= # Available since 7.4.0
+ZBX_SERVER_TLS_CA= # Available since 7.4.0
+ZBX_SERVER_TLS_KEYFILE= # Available since 7.4.0
+ZBX_SERVER_TLS_KEY= # Available since 7.4.0
+ZBX_SERVER_TLS_CERTFILE= # Available since 7.4.0
+ZBX_SERVER_TLS_CERT= # Available since 7.4.0
+ZBX_SERVER_TLS_CERT_ISSUER= # Available since 7.4.0
+ZBX_SERVER_TLS_CERT_SUBJECT= # Available since 7.4.0
+
 Allowed PHP-FPM configuration options:
 PHP_FPM_PM=dynamic
 PHP_FPM_PM_MAX_CHILDREN=50
@@ -262,6 +272,10 @@ Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4
 
 The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0.
 
+### ``/var/lib/zabbix/enc``
+
+The volume is used to store TLS related files. These file names are specified using ``ZBX_SERVER_TLS_CAFILE``, ``ZBX_SERVER_TLS_KEYFILE`` and ``ZBX_SERVER_TLS_CERTFILE`` variables. Additionally it is possible to use environment variables ``ZBX_SERVER_TLS_CA``, ``ZBX_SERVER_TLS_KEY`` and ``ZBX_SERVER_TLS_CERT`` with plaintext values. Available since 7.4.0.
+
 # The image variants
 
 The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case.

Dockerfiles/web-apache-mysql/alpine/Dockerfile

@@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
 ENV TERM=xterm \
     ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
     ZABBIX_CONF_DIR="/etc/zabbix" \
+    ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
     ZABBIX_WWW_ROOT="/usr/share/zabbix"
 
 LABEL org.opencontainers.image.authors="Alexey Pustovalov <[email protected]>" \
@@ -77,11 +78,13 @@ RUN set -eux && \
             --uid 1997 \
             --ingroup zabbix \
             --shell /sbin/nologin \
-            --home /var/lib/zabbix/ \
+            --home ${ZABBIX_USER_HOME_DIR} \
         zabbix && \
     mkdir -p ${ZABBIX_CONF_DIR} && \
     mkdir -p ${ZABBIX_CONF_DIR}/web && \
     mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
     rm -f "/etc/apache2/conf.d/default.conf" && \
     rm -f "/etc/apache2/conf.d/ssl.conf" && \
     rm -f "/etc/apache2/conf.d/info.conf" && \
@@ -103,9 +106,9 @@ RUN set -eux && \
     chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
-    chown --quiet -R zabbix:root /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
-    chgrp -R 0 /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
-    chmod -R g=u /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
+    chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
+    chgrp -R 0 ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
+    chmod -R g=u ${ZABBIX_USER_HOME_DIR} /etc/apache2/ /etc/php84/php-fpm.d/ /etc/php84/php-fpm.conf && \
     chown --quiet -R zabbix:root /var/lib/php/session/ && \
     chgrp -R 0 /var/lib/php/session/ && \
     chmod -R g=u /var/lib/php/session/

Dockerfiles/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php

@@ -105,3 +105,10 @@
 $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
 
 $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
+
+$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
+$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
+$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
+$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
+$ZBX_SERVER_TLS['CERTIFICATE_ISSUER']  = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
+$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');

Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh

@@ -9,6 +9,9 @@ if [ "${DEBUG_MODE,,}" == "true" ]; then
     set -o xtrace
 fi
 
+# Internal directory for TLS related files, used when TLS*File specified as plain text values
+ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal"
+
 # Default Zabbix installation name
 # Used only by Zabbix web-interface
 : ${ZBX_SERVER_NAME:="Zabbix docker"}
@@ -66,6 +69,22 @@ file_env() {
     unset "$fileVar"
 }
 
+file_process_from_env() {
+    local var_name=$1
+    local file_name=$2
+    local var_value=$3
+
+    if [ ! -z "$var_value" ]; then
+        echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name"
+        file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}"
+    fi
+
+    export "$var_name"="$file_name"
+
+    # Remove variable with plain text data
+    unset "${var_name%%FILE}"
+}
+
 # Check prerequisites for MySQL database
 check_variables() {
     if [ ! -n "${DB_SERVER_SOCKET}" ]; then
@@ -254,6 +273,14 @@ prepare_zbx_php_config() {
 
     : ${ZBX_ALLOW_HTTP_AUTH:="true"}
     export ZBX_ALLOW_HTTP_AUTH=${ZBX_ALLOW_HTTP_AUTH}
+
+    : ${ZBX_SERVER_TLS_ACTIVE:="0"}
+    export ZBX_SERVER_TLS_ACTIVE=${ZBX_SERVER_TLS_ACTIVE}
+    file_process_from_env "ZBX_SERVER_TLS_CAFILE" "${ZBX_SERVER_TLS_CAFILE}" "${ZBX_SERVER_TLS_CA}"
+    file_process_from_env "ZBX_SERVER_TLS_KEYFILE" "${ZBX_SERVER_TLS_KEYFILE}" "${ZBX_SERVER_TLS_KEY}"
+    file_process_from_env "ZBX_SERVER_TLS_CERTFILE" "${ZBX_SERVER_TLS_CERTFILE}" "${ZBX_SERVER_TLS_CERT}"
+    export ZBX_SERVER_TLS_CERT_ISSUER=${ZBX_SERVER_TLS_CERT_ISSUER}
+    export ZBX_SERVER_TLS_CERT_SUBJECT=${ZBX_SERVER_TLS_CERT_SUBJECT}
 }
 
 prepare_zbx_config() {

Dockerfiles/web-apache-mysql/centos/Dockerfile

@@ -15,6 +15,7 @@ ARG ZBX_SOURCES=https://git.zabbix.com/scm/zbx/zabbix.git
 ENV TERM=xterm \
     ZBX_VERSION=${ZBX_VERSION} ZBX_SOURCES=${ZBX_SOURCES} \
     ZABBIX_CONF_DIR="/etc/zabbix" \
+    ZABBIX_USER_HOME_DIR="/var/lib/zabbix" \
     ZABBIX_WWW_ROOT="/usr/share/zabbix"
 
 LABEL org.opencontainers.image.authors="Alexey Pustovalov <[email protected]>" \
@@ -88,11 +89,13 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
             -g zabbix \
             --uid 1997 \
             --shell /sbin/nologin \
-            --home-dir /var/lib/zabbix/ \
+            --home-dir ${ZABBIX_USER_HOME_DIR} \
         zabbix && \
     mkdir -p ${ZABBIX_CONF_DIR} && \
     mkdir -p ${ZABBIX_CONF_DIR}/web && \
     mkdir -p ${ZABBIX_CONF_DIR}/web/certs && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc && \
+    mkdir -p ${ZABBIX_USER_HOME_DIR}/enc_internal && \
     rm -f "/etc/httpd/conf.d/default.conf" && \
     rm -f "/etc/httpd/conf.d/ssl.conf" && \
     rm -f "/etc/httpd/conf.d/autoindex.conf" && \
@@ -115,9 +118,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
     chown --quiet -R zabbix:root ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chgrp -R 0 ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
     chmod -R g=u ${ZABBIX_CONF_DIR}/ ${ZABBIX_WWW_ROOT}/include/defines.inc.php ${ZABBIX_WWW_ROOT}/modules/ && \
-    chown --quiet -R zabbix:root /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
-    chgrp -R 0 /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
-    chmod -R g=u /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
+    chown --quiet -R zabbix:root ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
+    chgrp -R 0 ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
+    chmod -R g=u ${ZABBIX_USER_HOME_DIR}/ /etc/httpd/ /etc/php-fpm.d/ /etc/php-fpm.conf && \
     chown --quiet -R zabbix:root /run/httpd/ /var/lib/php/session/ && \
     chgrp -R 0 /run/httpd/ /var/lib/php/session/ && \
     chmod -R g=u /run/httpd/ /var/lib/php/session/ && \

Dockerfiles/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php

@@ -105,3 +105,10 @@
 $SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings, true) : array();
 
 $ALLOW_HTTP_AUTH = getenv('ZBX_ALLOW_HTTP_AUTH') == 'true' ? true: false;
+
+$ZBX_SERVER_TLS['ACTIVE'] = getenv('ZBX_SERVER_TLS_ACTIVE') == 'true' ? '1': '0';
+$ZBX_SERVER_TLS['CA_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CAFILE')) ? getenv('ZBX_SERVER_TLS_CAFILE') : '';
+$ZBX_SERVER_TLS['KEY_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_KEYFILE')) ? getenv('ZBX_SERVER_TLS_KEYFILE') : '';
+$ZBX_SERVER_TLS['CERT_FILE'] = file_exists(getenv('ZBX_SERVER_TLS_CERTFILE')) ? getenv('ZBX_SERVER_TLS_CERTFILE') : '';
+$ZBX_SERVER_TLS['CERTIFICATE_ISSUER']  = getenv('ZBX_SERVER_TLS_CERT_ISSUER');
+$ZBX_SERVER_TLS['CERTIFICATE_SUBJECT'] = getenv('ZBX_SERVER_TLS_CERT_SUBJECT');