diff --git a/README.md b/README.md index 60b341d7b..4baa94ffd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ ![logo](https://assets.zabbix.com/img/logo/zabbix_logo_500x131.png) +![CI](https://github.com/zabbix/zabbix-docker/workflows/CI/badge.svg?branch=trunk&event=release) +![CI](https://github.com/zabbix/zabbix-docker/workflows/CI/badge.svg?branch=trunk&event=push) + # What is Zabbix? Zabbix is an enterprise-class open source distributed monitoring solution. diff --git a/web-apache-mysql/alpine/README.md b/web-apache-mysql/alpine/README.md index 5075b064c..9585f2eb6 100644 --- a/web-apache-mysql/alpine/README.md +++ b/web-apache-mysql/alpine/README.md @@ -190,6 +190,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` @@ -198,6 +202,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini b/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini index b060e4689..5dfff39cd 100644 --- a/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini 
+++ b/web-apache-mysql/alpine/conf/etc/php7/conf.d/99-zabbix.ini @@ -1,8 +1,8 @@ -max_execution_time=300 -memory_limit=128M -post_max_size=16M -upload_max_filesize=2M -max_input_time=300 +max_execution_time = ${ZBX_MAXEXECUTIONTIME} +memory_limit = ${ZBX_MEMORYLIMIT} +post_max_size = ${ZBX_POSTMAXSIZE} +upload_max_filesize = ${ZBX_UPLOADMAXFILESIZE} +max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 -max_input_vars=10000 -; date.timezone=Europe/Riga +max_input_vars = 10000 +date.timezone = ${PHP_TZ} diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-mysql/alpine/docker-entrypoint.sh b/web-apache-mysql/alpine/docker-entrypoint.sh index dd9a0792c..69c292e41 100755 --- a/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/web-apache-mysql/alpine/docker-entrypoint.sh 
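Review bot: The `json_decode()` fallbacks at the end of this hunk (`$HISTORY['url']`, `$HISTORY['types']`, `$SSO['SETTINGS']`) decode without the associative flag and treat every falsy result as "use the default", so a JSON object arrives as `stdClass` and a malformed `ZBX_SSO_SETTINGS` silently becomes `array()`. For SSO that means a typo in the variable drops whatever SAML settings the operator intended, with nothing logged; the frontend presumably expects PHP arrays here as well. I would decode once into an array, `$SSO['SETTINGS'] = json_decode($sso_settings, true) ?: array();`, and call `error_log()` when the variable is non-empty and `json_last_error() !== JSON_ERROR_NONE`. The blanket `str_replace("'","\"", ...)` also rewrites apostrophes inside values, which deserves a comment. The centos and ubuntu copies of `zabbix.conf.php` carry the same lines.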
@@ -57,67 +57,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} 
@@ -229,54 +168,38 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php7/conf.d/99-zabbix.ini" + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - update_config_var "$PHP_CONFIG_FILE" "max_execution_time" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "memory_limit" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "post_max_size" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "upload_max_filesize" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "max_input_time" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "date.timezone" "${PHP_TZ}" + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char 
"${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-apache-mysql/centos/README.md b/web-apache-mysql/centos/README.md index 5075b064c..9585f2eb6 100644 --- a/web-apache-mysql/centos/README.md +++ b/web-apache-mysql/centos/README.md 
@@ -190,6 +190,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` @@ -198,6 +202,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf b/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 
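Review bot: `clear_env = no` in the php-fpm pool hands the whole container environment to every worker, not only the variables `zabbix.conf.php` reads with `getenv()`. That includes the database password and any unrelated variables the container was started with, and they become visible to anything that dumps the environment (for example `phpinfo()` output or a debug page). A narrower option is to leave `clear_env` at its default and list the needed variables explicitly in the pool file, one line each in the form `env[DB_SERVER_PASS] = $DB_SERVER_PASS`. If the broad setting is kept, a comment such as `; required so zabbix.conf.php can getenv() its settings; exposes the full container environment to PHP` would record the trade-off.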
@@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-mysql/centos/docker-entrypoint.sh b/web-apache-mysql/centos/docker-entrypoint.sh index 323cc08ba..8332b1eda 100755 --- a/web-apache-mysql/centos/docker-entrypoint.sh +++ b/web-apache-mysql/centos/docker-entrypoint.sh 
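Review bot: The TLS flags in this hunk (`$DB['ENCRYPTION']` and `$DB['VERIFY_HOST']`) are now true only for the exact lowercase string `true`; `True`, `TRUE` or `1` quietly evaluate to false. The old template pasted the value into the PHP source, where those spellings were accepted, so an existing deployment can lose database encryption or host verification after upgrading without any error. Parsing the flag tolerantly avoids that: `$DB['VERIFY_HOST'] = filter_var(getenv('ZBX_DB_VERIFY_HOST'), FILTER_VALIDATE_BOOLEAN);`, and the same for `ENCRYPTION` and `DOUBLE_IEEE754`. The alpine and ubuntu copies of `zabbix.conf.php` have the same comparisons.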
@@ -57,67 +57,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} 
@@ -229,21 +168,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -251,39 +179,36 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ 
- -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-apache-mysql/ubuntu/README.md b/web-apache-mysql/ubuntu/README.md index 5075b064c..9585f2eb6 100644 --- a/web-apache-mysql/ubuntu/README.md +++ b/web-apache-mysql/ubuntu/README.md @@ -190,6 +190,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` 
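Review bot: `export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS}` keeps the database password in the exported environment of the web server and its PHP workers for the life of the container, where it was previously only written into `zabbix.conf.php`. If the `file_env` helper seen in the earlier hunk's context is what resolves `*_FILE` secrets, this puts a file-based secret back into the environment, where it is visible through `/proc/<pid>/environ` and environment dumps. At minimum I would add a comment above the export, e.g. `# exported for getenv() in zabbix.conf.php; the value stays readable in the process environment`, and consider letting the PHP config read the password from the secret file when one is configured. The alpine and ubuntu entrypoints add the same export; `prepare_zbx_web_config` continues past the end of this hunk.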
@@ -198,6 +202,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini b/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini index be93bd73a..5dfff39cd 100644 --- a/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini +++ b/web-apache-mysql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini @@ -1,9 +1,8 @@ -max_execution_time=300 -memory_limit=128M -post_max_size=16M -upload_max_filesize=2M -max_input_time=300 -always_populate_raw_post_date=-1 -max_input_vars=10000 -; date.timezone=Europe/Riga -;session.save_path=/var/lib/php/session +max_execution_time = ${ZBX_MAXEXECUTIONTIME} +memory_limit = ${ZBX_MEMORYLIMIT} +post_max_size = ${ZBX_POSTMAXSIZE} +upload_max_filesize = ${ZBX_UPLOADMAXFILESIZE} +max_input_time = ${ZBX_MAXINPUTTIME} +; always_populate_raw_post_data=-1 +max_input_vars = 10000 +date.timezone = ${PHP_TZ} diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-mysql/ubuntu/docker-entrypoint.sh b/web-apache-mysql/ubuntu/docker-entrypoint.sh index 1a2616df9..698a5c258 100755 --- a/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/web-apache-mysql/ubuntu/docker-entrypoint.sh 
@@ -57,67 +57,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} 
@@ -229,55 +168,38 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - PHP_CONFIG_FILE="/etc/php/7.4/apache2/conf.d/99-zabbix.ini" + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - update_config_var "$PHP_CONFIG_FILE" "max_execution_time" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "memory_limit" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "post_max_size" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "upload_max_filesize" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "max_input_time" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "date.timezone" "${PHP_TZ}" + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} - # Escaping characters in parameter value - 
server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") - - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-apache-pgsql/alpine/README.md b/web-apache-pgsql/alpine/README.md index 6108945d5..c02a20c00 100644 --- a/web-apache-pgsql/alpine/README.md +++ b/web-apache-pgsql/alpine/README.md 
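Review bot: `export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS}` in prepare_zbx_web_config puts the database password into the environment inherited by the web server and every process it starts, whereas the removed `sed` call wrote it only into zabbix.conf.php. Anything that can dump the environment (a `phpinfo()` page, a debug handler, `/proc/<pid>/environ`) then reveals it, and a password supplied through the `file_env` secret-file mechanism, if that is how it is set, presumably ends up in the environment as well. Consider writing the credential at start-up into a file readable only by the web server user and loading it from there, or at least document the exposure next to the variable in the README. Separately, `${ZBX_DB_VERIFY_HOST-"false"}` uses `-` where every other default uses `:-`, so a set-but-empty value is kept; `export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST:-"false"}` would match the rest. The same exports appear in the web-apache-pgsql alpine and centos entrypoint hunks, and the function body continues outside the hunk.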
@@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` @@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini b/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini index b060e4689..5dfff39cd 100644 --- a/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini +++ b/web-apache-pgsql/alpine/conf/etc/php7/conf.d/99-zabbix.ini @@ -1,8 +1,8 @@ -max_execution_time=300 -memory_limit=128M -post_max_size=16M -upload_max_filesize=2M -max_input_time=300 +max_execution_time = ${ZBX_MAXEXECUTIONTIME} +memory_limit = ${ZBX_MEMORYLIMIT} +post_max_size = ${ZBX_POSTMAXSIZE} +upload_max_filesize = ${ZBX_UPLOADMAXFILESIZE} +max_input_time = ${ZBX_MAXINPUTTIME} ; always_populate_raw_post_data=-1 -max_input_vars=10000 -; date.timezone=Europe/Riga +max_input_vars = 10000 +date.timezone = ${PHP_TZ} diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
+++ b/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-pgsql/alpine/docker-entrypoint.sh b/web-apache-pgsql/alpine/docker-entrypoint.sh index 87251c25f..c52ee4145 100755 --- a/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/web-apache-pgsql/alpine/docker-entrypoint.sh 
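Review bot: The three `json_decode(...)` assignments at the end of this hunk (`$HISTORY['url']`, `$HISTORY['types']`, `$SSO['SETTINGS']`) decode without the associative flag, so a JSON object becomes a `stdClass` while the fallback branch yields `array()`; code that indexes the result as an array would fail on the decoded branch (how the frontend reads these values is not visible here). Malformed JSON in `ZBX_SSO_SETTINGS` also falls back silently to an empty array, so SAML settings an operator meant to apply are dropped without any log line, and the blanket `str_replace` of `'` with `"` corrupts any value that legitimately contains an apostrophe. I would decode once, as in `$SSO['SETTINGS'] = json_decode($sso_settings, true) ?: array();`, and call `error_log()` when the variable is non-empty but `json_last_error() !== JSON_ERROR_NONE`. The same lines appear in the centos and ubuntu copies of zabbix.conf.php.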
@@ -57,67 +57,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -213,54 +152,38 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php7/conf.d/99-zabbix.ini" + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - update_config_var "$PHP_CONFIG_FILE" "max_execution_time" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "memory_limit" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "post_max_size" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "upload_max_filesize" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "max_input_time" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "date.timezone" "${PHP_TZ}" + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - 
server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-apache-pgsql/centos/README.md b/web-apache-pgsql/centos/README.md index 6108945d5..c02a20c00 100644 --- a/web-apache-pgsql/centos/README.md +++ b/web-apache-pgsql/centos/README.md 
@@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` @@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf b/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 
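Review bot: `clear_env = no` hands the container's entire environment to every PHP-FPM worker, not only the variables zabbix.conf.php reads, so the database credentials and any unrelated secrets set on the container become readable from PHP through `getenv()` or `phpinfo()`. The pool syntax allows passing named variables instead, e.g. `env[DB_SERVER_PASS] = $DB_SERVER_PASS`, one line per variable the frontend needs, which lets `clear_env` stay at its default. If the blanket setting is kept, a comment above it such as `; required: zabbix.conf.php reads its settings via getenv()` would tell the next reader why it is there.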
@@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-pgsql/centos/docker-entrypoint.sh b/web-apache-pgsql/centos/docker-entrypoint.sh index 01fd2fd1c..74611f8fa 100755 --- a/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/web-apache-pgsql/centos/docker-entrypoint.sh 
@@ -60,67 +60,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -216,21 +155,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -238,39 +166,36 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e 
"s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-apache-pgsql/ubuntu/README.md b/web-apache-pgsql/ubuntu/README.md index 6108945d5..c02a20c00 100644 --- a/web-apache-pgsql/ubuntu/README.md +++ b/web-apache-pgsql/ubuntu/README.md @@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` 
@@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Apache2 [documentation](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-apache-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini b/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini index b5356c3da..5dfff39cd 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini +++ b/web-apache-pgsql/ubuntu/conf/etc/php/7.4/apache2/conf.d/99-zabbix.ini @@ -1,9 +1,8 @@ -max_execution_time=300 -memory_limit=128M -post_max_size=16M -upload_max_filesize=2M -max_input_time=300 -always_populate_raw_post_date=-1 -max_input_vars=10000 -; date.timezone=Europe/Riga -session.save_path=/var/lib/php/sessions +max_execution_time = ${ZBX_MAXEXECUTIONTIME} +memory_limit = ${ZBX_MEMORYLIMIT} +post_max_size = ${ZBX_POSTMAXSIZE} +upload_max_filesize = ${ZBX_UPLOADMAXFILESIZE} +max_input_time = ${ZBX_MAXINPUTTIME} +; always_populate_raw_post_data=-1 +max_input_vars = 10000 +date.timezone = ${PHP_TZ} diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
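Review bot: The 99-zabbix.ini hunk for the ubuntu image drops `session.save_path=/var/lib/php/sessions` without a replacement; the new blob id (`5dfff39cd`) is the same as the alpine file's, so the removal looks like a side effect of copying that file rather than an intended change. Session files hold authenticated frontend sessions, so where they are written and who can read that directory matters; whether the image's main php.ini still sets the path is not visible here. If that default is not guaranteed, keep `session.save_path = /var/lib/php/sessions` in the new file.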
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/web-apache-pgsql/ubuntu/docker-entrypoint.sh index d539e4727..3cdef0052 100755 --- a/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/web-apache-pgsql/ubuntu/docker-entrypoint.sh 
@@ -60,68 +60,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER 
@@ -221,55 +159,38 @@ clear_deploy() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - PHP_CONFIG_FILE="/etc/php/7.4/apache2/conf.d/99-zabbix.ini" + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - update_config_var "$PHP_CONFIG_FILE" "max_execution_time" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "memory_limit" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "post_max_size" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "upload_max_filesize" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "max_input_time" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "date.timezone" "${PHP_TZ}" + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} - # Escaping characters in parameter value - 
server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") - - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-mysql/alpine/README.md b/web-nginx-mysql/alpine/README.md index dd4e19910..1ff799c38 100644 --- a/web-nginx-mysql/alpine/README.md +++ b/web-nginx-mysql/alpine/README.md 
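Review bot: `export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS}` moves the database password out of the generated zabbix.conf.php and into the process environment, where the web server and every child process it starts inherit it. The `file_env` helper in the context above appears to exist so that secrets can be supplied from files, and this export puts such a value back into the environment. If the trade-off is intended, say so at the export block, e.g. `# exported for zabbix.conf.php (getenv); inherited by every child process, includes the DB password`. Otherwise, let zabbix.conf.php read the password from a file path and export only non-secret settings. The web-nginx-mysql alpine and centos entrypoint hunks add the same exports; prepare_zbx_web_config continues past the end of this hunk.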
@@ -191,6 +191,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` @@ -199,6 +203,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf b/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf +++ b/web-nginx-mysql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 
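Review bot: `clear_env = no` hands the entire container environment to every PHP-FPM worker, not only the names zabbix.conf.php reads. Any credential passed to the container as an environment variable therefore becomes readable from PHP; the entrypoint hunks on this page handle `MYSQL_PASSWORD` and `DB_SERVER_ROOT_PASS`, for example. The narrower form keeps the default `clear_env` and forwards one variable per line, e.g. `env[DB_SERVER_PASS] = $DB_SERVER_PASS`, for each name the config fetches with `getenv()`. Check how the pool file parses values containing ini-special characters before switching. The centos and ubuntu pool files further down get the same `clear_env = no` line.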
@@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-mysql/alpine/docker-entrypoint.sh b/web-nginx-mysql/alpine/docker-entrypoint.sh index cc39a235c..49f0d2714 100755 --- a/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/web-nginx-mysql/alpine/docker-entrypoint.sh 
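Review bot: `json_decode()` is called without the associative flag, so a JSON object in `ZBX_SSO_SETTINGS` or `ZBX_HISTORYSTORAGEURL` reaches `$SSO['SETTINGS']` / `$HISTORY['url']` as a `stdClass`, while the fallback branch is `array()`. The frontend presumably indexes these as arrays, which should be confirmed against the consuming code. Decoding once with the flag keeps both branches the same type: `$decoded = json_decode($sso_settings, true);` followed by `$SSO['SETTINGS'] = is_array($decoded) ? $decoded : array();`. The blanket `str_replace("'","\"", …)` also rewrites apostrophes inside values, so a comment such as `// single quotes are converted to double quotes; values must not contain apostrophes` would document the limitation. The other zabbix.conf.php hunks on this page contain the same lines.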
@@ -59,83 +59,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} @@ -164,7 +87,7 @@ check_variables() { [ -n "${MYSQL_USER}" ] && CREATE_ZBX_DB_USER=true # If root password is not specified use provided credentials - : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}}.... + : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}} [ "${MYSQL_ALLOW_EMPTY_PASSWORD}" == "true" ] || DB_SERVER_ROOT_PASS=${DB_SERVER_ROOT_PASS:-${MYSQL_PASSWORD}} DB_SERVER_ZBX_USER=${MYSQL_USER:-"zabbix"} DB_SERVER_ZBX_PASS=${MYSQL_PASSWORD:-"zabbix"} @@ -249,22 +172,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php7/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -272,39 +183,36 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ 
- -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-mysql/centos/README.md b/web-nginx-mysql/centos/README.md index 47cbabda6..6ceea099a 100644 --- a/web-nginx-mysql/centos/README.md +++ b/web-nginx-mysql/centos/README.md @@ -193,6 +193,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. >>>>>>> master +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` 
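Review bot: `export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}` uses `-` where every neighbouring default uses `:-`, so a variable that is set but empty is exported as an empty string rather than `false`. zabbix.conf.php treats both as off today, but the difference reads like a typo on a security switch; `export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST:-"false"}` matches the `ZBX_DB_ENCRYPTION` line above it. The web-apache-pgsql/ubuntu and web-nginx-mysql/centos entrypoint hunks have the same line. prepare_zbx_web_config continues past the end of the hunk.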
@@ -201,6 +205,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf b/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/web-nginx-mysql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 @@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-mysql/centos/docker-entrypoint.sh b/web-nginx-mysql/centos/docker-entrypoint.sh index 5ee6b6b9d..22cc9ddb7 100755 --- a/web-nginx-mysql/centos/docker-entrypoint.sh +++ b/web-nginx-mysql/centos/docker-entrypoint.sh 
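Review bot: `getenv()` returns `false` for a name that is absent from the environment, and only `$DB['CIPHER_LIST']` guards against that. `$DB['PASSWORD']`, `$DB['KEY_FILE']`, `$DB['CERT_FILE']`, `$DB['CA_FILE']` and `$DB['SCHEMA']` would receive a boolean where the old template always produced a string. That happens whenever the environment does not reach PHP, for instance a pool that keeps php-fpm's default `clear_env`. Using the same fallback everywhere keeps the types stable, e.g. `$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE') ?: '';`. Separately, the comment above the `$SSO[...]` lines still says "Uncomment to override the default paths" although the lines are now active. Something like `// Paths are set only when the files exist under /etc/zabbix/web/certs.` would describe what the code does.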
@@ -59,83 +59,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} @@ -164,7 +87,7 @@ check_variables() { [ -n "${MYSQL_USER}" ] && CREATE_ZBX_DB_USER=true # If root password is not specified use provided credentials - : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}}.... + : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}} [ "${MYSQL_ALLOW_EMPTY_PASSWORD}" == "true" ] || DB_SERVER_ROOT_PASS=${DB_SERVER_ROOT_PASS:-${MYSQL_PASSWORD}} DB_SERVER_ZBX_USER=${MYSQL_USER:-"zabbix"} DB_SERVER_ZBX_PASS=${MYSQL_PASSWORD:-"zabbix"} @@ -249,22 +172,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -272,39 +183,36 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ 
- -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-mysql/ubuntu/README.md b/web-nginx-mysql/ubuntu/README.md index 47cbabda6..6ceea099a 100644 --- a/web-nginx-mysql/ubuntu/README.md +++ b/web-nginx-mysql/ubuntu/README.md @@ -193,6 +193,10 @@ The variable allows to activate host verification. Available since 5.0.0. The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. >>>>>>> master +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` 
@@ -201,6 +205,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-mysql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf b/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf +++ b/web-nginx-mysql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 @@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
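Review bot: `clear_env = no` hands the whole container environment to every PHP-FPM worker, which after this commit includes `DB_SERVER_PASS` and any other secret the container was started with, so those values become readable through `getenv()`, `$_SERVER` and `phpinfo()` output in any PHP code the pool runs. The frontend config reads a fixed set of variables, so the pool could keep the default (`clear_env = yes`) and pass only those with `env[...]` entries. The same line is added in the web-nginx-pgsql/alpine and web-nginx-pgsql/centos pool files. The list below is taken from the `getenv()` calls in the zabbix.conf.php hunk; confirm it against the entrypoint, which does not export every one of them.

```ini
; … unchanged: listen, pm.* settings …
; clear_env stays at its default; only the variables zabbix.conf.php reads are passed on
env[DB_SERVER_TYPE] = $DB_SERVER_TYPE
env[DB_SERVER_HOST] = $DB_SERVER_HOST
env[DB_SERVER_PORT] = $DB_SERVER_PORT
env[DB_SERVER_DBNAME] = $DB_SERVER_DBNAME
env[DB_SERVER_SCHEMA] = $DB_SERVER_SCHEMA
env[DB_SERVER_USER] = $DB_SERVER_USER
env[DB_SERVER_PASS] = $DB_SERVER_PASS
env[ZBX_SERVER_HOST] = $ZBX_SERVER_HOST
env[ZBX_SERVER_PORT] = $ZBX_SERVER_PORT
env[ZBX_SERVER_NAME] = $ZBX_SERVER_NAME
env[ZBX_DB_ENCRYPTION] = $ZBX_DB_ENCRYPTION
env[ZBX_DB_KEY_FILE] = $ZBX_DB_KEY_FILE
env[ZBX_DB_CERT_FILE] = $ZBX_DB_CERT_FILE
env[ZBX_DB_CA_FILE] = $ZBX_DB_CA_FILE
env[ZBX_DB_VERIFY_HOST] = $ZBX_DB_VERIFY_HOST
env[ZBX_DB_CIPHER_LIST] = $ZBX_DB_CIPHER_LIST
env[DB_DOUBLE_IEEE754] = $DB_DOUBLE_IEEE754
env[ZBX_HISTORYSTORAGEURL] = $ZBX_HISTORYSTORAGEURL
env[ZBX_HISTORYSTORAGETYPES] = $ZBX_HISTORYSTORAGETYPES
env[ZBX_SSO_SETTINGS] = $ZBX_SSO_SETTINGS
; … unchanged: php_value / php_admin_value settings …
```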
+++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/web-nginx-mysql/ubuntu/docker-entrypoint.sh index 422a66a12..89dcfe779 100755 --- a/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/web-nginx-mysql/ubuntu/docker-entrypoint.sh 
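Review bot: An invalid `ZBX_SSO_SETTINGS` value is silently replaced by `array()` in the last two added lines, so a typo in the JSON leaves SAML running on default settings with nothing in the log to show that the operator's settings were dropped. `$HISTORY['types']` has the same silent fallback, and the identical zabbix.conf.php hunks for web-nginx-pgsql/alpine and web-nginx-pgsql/centos carry both. `json_decode()` is also called twice and without the associative flag, so JSON objects arrive as `stdClass` rather than arrays; whether the frontend accepts that is not visible here. I would decode once, ask for arrays, and log a decode failure, as sketched below for the SSO setting.

```php
// … unchanged: $DB, $HISTORY and $SSO certificate path assignments …
$sso_settings = str_replace("'", "\"", (string) getenv('ZBX_SSO_SETTINGS'));
$SSO['SETTINGS'] = array();
if ($sso_settings !== '') {
    $decoded = json_decode($sso_settings, true);
    if (is_array($decoded)) {
        $SSO['SETTINGS'] = $decoded;
    } else {
        // Make the dropped settings visible instead of falling back silently.
        error_log('ZBX_SSO_SETTINGS is not valid JSON: ' . json_last_error_msg());
    }
}
```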
@@ -59,83 +59,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for MySQL database check_variables() { : ${DB_SERVER_HOST:="mysql-server"} @@ -164,7 +87,7 @@ check_variables() { [ -n "${MYSQL_USER}" ] && CREATE_ZBX_DB_USER=true # If root password is not specified use provided credentials - : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}}.... + : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}} [ "${MYSQL_ALLOW_EMPTY_PASSWORD}" == "true" ] || DB_SERVER_ROOT_PASS=${DB_SERVER_ROOT_PASS:-${MYSQL_PASSWORD}} DB_SERVER_ZBX_USER=${MYSQL_USER:-"zabbix"} DB_SERVER_ZBX_PASS=${MYSQL_PASSWORD:-"zabbix"} @@ -249,22 +172,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php/7.4/fpm/pool.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -272,39 +183,36 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ 
- -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-pgsql/alpine/README.md b/web-nginx-pgsql/alpine/README.md index 82fa63502..098e13f09 100644 --- a/web-nginx-pgsql/alpine/README.md +++ b/web-nginx-pgsql/alpine/README.md @@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` 
@@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf b/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf +++ b/web-nginx-pgsql/alpine/conf/etc/php7/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 @@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
+++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-pgsql/alpine/docker-entrypoint.sh b/web-nginx-pgsql/alpine/docker-entrypoint.sh index 4454b43a7..9956ce804 100755 --- a/web-nginx-pgsql/alpine/docker-entrypoint.sh +++ b/web-nginx-pgsql/alpine/docker-entrypoint.sh 
@@ -62,83 +62,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -235,22 +158,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php7/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -258,39 +169,34 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e 
"s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-pgsql/centos/README.md b/web-nginx-pgsql/centos/README.md index 82fa63502..098e13f09 100644 --- a/web-nginx-pgsql/centos/README.md +++ b/web-nginx-pgsql/centos/README.md @@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` 
@@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf b/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf +++ b/web-nginx-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 @@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-pgsql/centos/docker-entrypoint.sh b/web-nginx-pgsql/centos/docker-entrypoint.sh index 28a7bd845..88e2b01ca 100755 --- a/web-nginx-pgsql/centos/docker-entrypoint.sh +++ b/web-nginx-pgsql/centos/docker-entrypoint.sh 
@@ -62,83 +62,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -235,22 +158,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -258,39 +169,34 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e 
"s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/web-nginx-pgsql/ubuntu/Dockerfile b/web-nginx-pgsql/ubuntu/Dockerfile index 07738ed9f..150ccebc4 100644 --- a/web-nginx-pgsql/ubuntu/Dockerfile +++ b/web-nginx-pgsql/ubuntu/Dockerfile @@ -59,7 +59,7 @@ RUN set -eux && \ rm -rf /var/cache/nginx/ && \ rm -f /etc/php/7.4/fpm/pool.d/www.conf && \ ln -sf /dev/fd/2 /var/log/nginx/error.log && \ - DEBIAN_FRONTEND=noninteractive apt-get -y purge curl gpg dirmngr gpg-agent && \ + DEBIAN_FRONTEND=noninteractive apt-get -y purge gpg dirmngr gpg-agent && \ apt-get -y autoremove && \ apt-get -y clean && \ rm -rf /var/lib/apt/lists/* diff --git a/web-nginx-pgsql/ubuntu/README.md b/web-nginx-pgsql/ubuntu/README.md index 82fa63502..098e13f09 100644 --- a/web-nginx-pgsql/ubuntu/README.md +++ b/web-nginx-pgsql/ubuntu/README.md 
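Review bot: `export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS}` moves the database password out of the config file and into the process environment, where every process the entrypoint starts afterwards inherits it and it can be read back through `/proc/<pid>/environ` or any PHP environment dump. If the password can be supplied through the `file_env` mechanism shown earlier in this script (its use for this variable is not visible here), exporting it undoes the reason for passing it as a file; at minimum a comment such as `# DB_SERVER_PASS is exported so zabbix.conf.php can getenv() it; visible to all child processes` should record the trade-off. Separately, `${ZBX_DB_VERIFY_HOST-"false"}` uses `-` where the neighbouring lines use `:-`, so an empty value is passed through unchanged; `export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST:-"false"}` would match the rest. `prepare_zbx_web_config` continues outside the hunk, and the same lines are added in the web-nginx-pgsql/ubuntu and zabbix-appliance/rhel entrypoints.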
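Review bot: `curl` is dropped from the `apt-get -y purge` list without a comment, so it now ships in the final image, and nothing in the visible lines shows what uses it at runtime. If it is needed there, a short comment above the purge line (`# curl is kept in the image for <reason>`) would record that. If it is not, it should stay in the purge list, since a download tool in a web-facing image is extra capability for anyone who gains code execution in the container. The `RUN` instruction starts outside this hunk.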
@@ -184,6 +184,10 @@ The variable allows to specify the full path to a valid TLS certificate authorit The variable allows to activate host verification. Available since 5.0.0. +## `ZBX_SSO_SETTINGS` + +The variable allows to specify custom SSO settings in JSON format. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` @@ -192,6 +196,10 @@ The volume allows to enable HTTPS for the Zabbix web interface. The volume must Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. +### ``/etc/zabbix/web/certs`` + +The volume allows to use custom certificates for SAML authentification. The volume must contains three files ``sp.key``, ``sp.crt`` and ``idp.crt``. Available since 5.0.0. + # The image variants The `zabbix-web-nginx-pgsql` images come in many flavors, each designed for a specific use case. diff --git a/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf b/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf +++ b/web-nginx-pgsql/ubuntu/conf/etc/php/7.4/fpm/pool.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 
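Review bot: `clear_env = no` hands the whole container environment to every PHP-FPM worker, not only the variables zabbix.conf.php reads, so anything else injected into the container (orchestrator tokens, unrelated credentials) becomes readable from PHP through `getenv()` or a `phpinfo()` page. php-fpm can pass variables one by one instead, for example `env[DB_SERVER_HOST] = $DB_SERVER_HOST` with one line per name the frontend config uses, which leaves `clear_env` at its default. If the blanket setting is kept, a comment above it should say why: `; required: zabbix.conf.php reads its settings with getenv()`. The same line is added in zabbix-appliance/rhel/conf/etc/php-fpm.d/zabbix.conf.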
@@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index a964548fa..920b8ab1c 100644 --- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'POSTGRESQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh index dad9542a5..697f464a5 100755 --- a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh +++ b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh 
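Review bot: A malformed `ZBX_SSO_SETTINGS` is silently replaced by `array()`, so SAML settings the operator meant to apply are dropped with no log line; `ZBX_HISTORYSTORAGETYPES` is handled the same way. `json_decode($sso_settings)` without the associative flag also returns a `stdClass` for a JSON object while the fallback is an array, so `json_decode($sso_settings, true)` looks like what was intended, which is worth confirming against how the frontend reads `$SSO['SETTINGS']`. Decoding once into a variable and checking `json_last_error()` would let the file `error_log()` the name of the rejected variable instead of ignoring it. The blanket `str_replace("'","\"",…)` also rewrites apostrophes that are part of a value. The identical hunk is in the web-apache-mysql/alpine and zabbix-appliance/rhel copies of zabbix.conf.php.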
@@ -62,83 +62,6 @@ file_env() { unset "$fileVar" } -escape_spec_char() { - local var_value=$1 - - var_value="${var_value//\\/\\\\}" - var_value="${var_value//[$'\n']/}" - var_value="${var_value//\//\\/}" - var_value="${var_value//./\\.}" - var_value="${var_value//\*/\\*}" - var_value="${var_value//^/\\^}" - var_value="${var_value//\$/\\\$}" - var_value="${var_value//\&/\\\&}" - var_value="${var_value//\[/\\[}" - var_value="${var_value//\]/\\]}" - - echo "$var_value" -} - -update_config_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - local is_multiple=$4 - - if [ ! -f "$config_path" ]; then - echo "**** Configuration file '$config_path' does not exist" - return - fi - - echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... " - - # Remove configuration parameter definition in case of unset parameter value - if [ -z "$var_value" ]; then - sed -i -e "/^$var_name=/d" "$config_path" - echo "removed" - return - fi - - # Remove value from configuration parameter in case of double quoted parameter value - if [ "$var_value" == '""' ]; then - sed -i -e "/^$var_name=/s/=.*/=/" "$config_path" - echo "undefined" - return - fi - - # Escaping characters in parameter value and name - var_value=$(escape_spec_char "$var_value") - var_name=$(escape_spec_char "$var_name") - - if [ "$(grep -E "^$var_name=" $config_path)" ] && [ "$is_multiple" != "true" ]; then - sed -i -e "/^$var_name=/s/=.*/=$var_value/" "$config_path" - echo "updated" - elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then - sed -i -e "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path" - echo "added first occurrence" - else - sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path" - echo "added" - fi - -} - -update_config_multiple_var() { - local config_path=$1 - local var_name=$2 - local var_value=$3 - - var_value="${var_value%\"}" - var_value="${var_value#\"}" - - local IFS=, - local OPT_LIST=($var_value) - - for value in 
"${OPT_LIST[@]}"; do - update_config_var $config_path $var_name $value true - done -} - # Check prerequisites for PostgreSQL database check_variables() { file_env POSTGRES_USER @@ -235,22 +158,10 @@ prepare_web_server() { } prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php/7.4/fpm/pool.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -258,39 +169,34 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="POSTGRESQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST=${ZBX_SERVER_HOST} + export ZBX_SERVER_PORT=${ZBX_SERVER_PORT:-"10051"} + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e 
"s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/${ZBX_SERVER_HOST}/g" \ - -e "s/{ZBX_SERVER_PORT}/${ZBX_SERVER_PORT}/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" diff --git a/zabbix-appliance/rhel/conf/etc/php-fpm.d/zabbix.conf b/zabbix-appliance/rhel/conf/etc/php-fpm.d/zabbix.conf index a4926f4ae..1d19fd099 100644 --- a/zabbix-appliance/rhel/conf/etc/php-fpm.d/zabbix.conf +++ b/zabbix-appliance/rhel/conf/etc/php-fpm.d/zabbix.conf @@ -2,6 +2,8 @@ listen = /tmp/php-fpm.sock +clear_env = no + pm = dynamic pm.max_children = 50 pm.start_servers = 5 
@@ -16,10 +18,10 @@ php_admin_flag[log_errors] = on php_value[session.save_handler] = files php_value[session.save_path] = /var/lib/php/session -php_value[max_execution_time]= 300 -php_value[memory_limit]= 128M -php_value[post_max_size]= 16M -php_value[upload_max_filesize]= 2M -php_value[max_input_time]= 300 -php_value[max_input_vars]= 10000 -; php_value[date.timezone]= Europe/Riga +php_value[max_execution_time] = ${ZBX_MAXEXECUTIONTIME} +php_value[memory_limit] = ${ZBX_MEMORYLIMIT} +php_value[post_max_size] = ${ZBX_POSTMAXSIZE} +php_value[upload_max_filesize] = ${ZBX_UPLOADMAXFILESIZE} +php_value[max_input_time] = ${ZBX_MAXINPUTTIME} +php_value[max_input_vars] = 10000 +php_value[date.timezone] = ${PHP_TZ} diff --git a/zabbix-appliance/rhel/conf/etc/supervisor/conf.d/supervisord_web_nginx.conf b/zabbix-appliance/rhel/conf/etc/supervisor/conf.d/supervisord_web_nginx.conf index 56e330bae..5b10705cf 100644 --- a/zabbix-appliance/rhel/conf/etc/supervisor/conf.d/supervisord_web_nginx.conf +++ b/zabbix-appliance/rhel/conf/etc/supervisor/conf.d/supervisord_web_nginx.conf @@ -2,7 +2,7 @@ nodaemon = true [program:nginx] -command = /usr/sbin/%(program_name)s -g "daemon off;" -c /etc/nginx/%(program_name)s.conf +command = /usr/sbin/%(program_name)s -g "daemon off;error_log /dev/stdout info;" -c /etc/nginx/%(program_name)s.conf auto_start = true autorestart = true diff --git a/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php b/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php index 29f041457..920b8ab1c 100644 --- a/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php +++ b/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php 
@@ -2,37 +2,49 @@ // Zabbix GUI configuration file. global $DB, $HISTORY; -$DB['TYPE'] = 'MYSQL'; -$DB['SERVER'] = '{DB_SERVER_HOST}'; -$DB['PORT'] = '{DB_SERVER_PORT}'; -$DB['DATABASE'] = '{DB_SERVER_DBNAME}'; -$DB['USER'] = '{DB_SERVER_USER}'; -$DB['PASSWORD'] = '{DB_SERVER_PASS}'; +$DB['TYPE'] = getenv('DB_SERVER_TYPE'); +$DB['SERVER'] = getenv('DB_SERVER_HOST'); +$DB['PORT'] = getenv('DB_SERVER_PORT'); +$DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); +$DB['USER'] = getenv('DB_SERVER_USER'); +$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); // Schema name. Used for IBM DB2 and PostgreSQL. -$DB['SCHEMA'] = '{DB_SERVER_SCHEMA}'; +$DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); -$ZBX_SERVER = '{ZBX_SERVER_HOST}'; -$ZBX_SERVER_PORT = '{ZBX_SERVER_PORT}'; -$ZBX_SERVER_NAME = '{ZBX_SERVER_NAME}'; +$ZBX_SERVER = getenv('ZBX_SERVER_HOST'); +$ZBX_SERVER_PORT = getenv('ZBX_SERVER_PORT'); +$ZBX_SERVER_NAME = getenv('ZBX_SERVER_NAME'); // Used for TLS connection. -$DB['ENCRYPTION'] = {ZBX_DB_ENCRYPTION}; -$DB['KEY_FILE'] = '{ZBX_DB_KEY_FILE}'; -$DB['CERT_FILE'] = '{ZBX_DB_CERT_FILE}'; -$DB['CA_FILE'] = '{ZBX_DB_CA_FILE}'; -$DB['VERIFY_HOST'] = {ZBX_DB_VERIFY_HOST}; -$DB['CIPHER_LIST'] = '{ZBX_DB_CIPHER_LIST}'; +$DB['ENCRYPTION'] = getenv('ZBX_DB_ENCRYPTION') == 'true' ? true: false; +$DB['KEY_FILE'] = getenv('ZBX_DB_KEY_FILE'); +$DB['CERT_FILE'] = getenv('ZBX_DB_CERT_FILE'); +$DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); +$DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; +$DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. -$DB['DOUBLE_IEEE754'] = {DB_DOUBLE_IEEE754}; +$DB['DOUBLE_IEEE754'] = getenv('DB_DOUBLE_IEEE754') == 'true' ? 
true: false; $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; // Elasticsearch url (can be string if same url is used for all types). -$HISTORY['url'] = '{ZBX_HISTORYSTORAGEURL}'; +$history_url = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGEURL')); +$HISTORY['url'] = (json_decode($history_url)) ? json_decode($history_url) : $history_url; // Value types stored in Elasticsearch. -$HISTORY['types'] = {ZBX_HISTORYSTORAGETYPES}; +$storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); + +$HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types) : array(); + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +$SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : ''; +$SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : ''; +$SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : ''; + +$sso_settings = str_replace("'","\"",getenv('ZBX_SSO_SETTINGS')); +$SSO['SETTINGS'] = (json_decode($sso_settings)) ? json_decode($sso_settings) : array(); diff --git a/zabbix-appliance/rhel/docker-entrypoint.sh b/zabbix-appliance/rhel/docker-entrypoint.sh index 3dfa2d7f1..7d75983e0 100755 --- a/zabbix-appliance/rhel/docker-entrypoint.sh +++ b/zabbix-appliance/rhel/docker-entrypoint.sh 
@@ -527,22 +527,10 @@ update_zbx_config() { prepare_zbx_web_config() { - local server_name="" - echo "** Preparing Zabbix frontend configuration file" - ZBX_WWW_ROOT="/usr/share/zabbix" - ZBX_WEB_CONFIG="$ZABBIX_ETC_DIR/web/zabbix.conf.php" - PHP_CONFIG_FILE="/etc/php-fpm.d/zabbix.conf" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_execution_time]" "${ZBX_MAXEXECUTIONTIME:-"600"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[memory_limit]" "${ZBX_MEMORYLIMIT:-"128M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[post_max_size]" "${ZBX_POSTMAXSIZE:-"16M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[upload_max_filesize]" "${ZBX_UPLOADMAXFILESIZE:-"2M"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[max_input_time]" "${ZBX_MAXINPUTTIME:-"300"}" - update_config_var "$PHP_CONFIG_FILE" "php_value[date.timezone]" "${PHP_TZ}" - if [ "$(id -u)" == '0' ]; then echo "user = zabbix" >> "$PHP_CONFIG_FILE" echo "group = zabbix" >> "$PHP_CONFIG_FILE" 
@@ -550,40 +538,37 @@ prepare_zbx_web_config() { echo "listen.group = nginx" >> "$PHP_CONFIG_FILE" fi - ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + export ZBX_MAXEXECUTIONTIME=${ZBX_MAXEXECUTIONTIME:-"600"} + export ZBX_MEMORYLIMIT=${ZBX_MEMORYLIMIT:-"128M"} + export ZBX_POSTMAXSIZE=${ZBX_POSTMAXSIZE:-"16M"} + export ZBX_UPLOADMAXFILESIZE=${ZBX_UPLOADMAXFILESIZE:-"2M"} + export ZBX_MAXINPUTTIME=${ZBX_MAXINPUTTIME:-"300"} + export PHP_TZ=${PHP_TZ:-"Europe/Riga"} - # Escaping characters in parameter value - server_name=$(escape_spec_char "${ZBX_SERVER_NAME}") - server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") - server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") - history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}") - history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}") + export DB_SERVER_TYPE="MYSQL" + export DB_SERVER_HOST=${DB_SERVER_HOST} + export DB_SERVER_PORT=${DB_SERVER_PORT} + export DB_SERVER_DBNAME=${DB_SERVER_DBNAME} + export DB_SERVER_SCHEMA=${DB_SERVER_SCHEMA} + export DB_SERVER_USER=${DB_SERVER_ZBX_USER} + export DB_SERVER_PASS=${DB_SERVER_ZBX_PASS} + export ZBX_SERVER_HOST="localhost" + export ZBX_SERVER_PORT="10051" + export ZBX_SERVER_NAME=${ZBX_SERVER_NAME} - ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") - ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") - ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + export ZBX_DB_ENCRYPTION=${ZBX_DB_ENCRYPTION:-"false"} + export ZBX_DB_KEY_FILE=${ZBX_DB_KEY_FILE} + export ZBX_DB_CERT_FILE=${ZBX_DB_CERT_FILE} + export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} + export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} + + export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} + export ZBX_HISTORYSTORAGETYPES=${ZBX_HISTORYSTORAGETYPES:-"[]"} + + export ZBX_SSO_SETTINGS=${ZBX_SSO_SETTINGS:-""} - sed -i \ - -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ - -e 
"s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ - -e "s/{DB_SERVER_DBNAME}/${DB_SERVER_DBNAME}/g" \ - -e "s/{DB_SERVER_SCHEMA}/${DB_SERVER_SCHEMA}/g" \ - -e "s/{DB_SERVER_USER}/$server_user/g" \ - -e "s/{DB_SERVER_PASS}/$server_pass/g" \ - -e "s/{ZBX_SERVER_HOST}/localhost/g" \ - -e "s/{ZBX_SERVER_PORT}/10051/g" \ - -e "s/{ZBX_SERVER_NAME}/$server_name/g" \ - -e "s/{ZBX_DB_ENCRYPTION}/${ZBX_DB_ENCRYPTION:-"false"}/g" \ - -e "s/{ZBX_DB_KEY_FILE}/${ZBX_DB_KEY_FILE}/g" \ - -e "s/{ZBX_DB_CERT_FILE}/${ZBX_DB_CERT_FILE}/g" \ - -e "s/{ZBX_DB_CA_FILE}/${ZBX_DB_CA_FILE}/g" \ - -e "s/{ZBX_DB_VERIFY_HOST}/${ZBX_DB_VERIFY_HOST:-"false"}/g" \ - -e "s/{ZBX_DB_CIPHER_LIST}/${ZBX_DB_CIPHER_LIST}/g" \ - -e "s/{DB_DOUBLE_IEEE754}/${DB_DOUBLE_IEEE754:-"true"}/g" \ - -e "s/{ZBX_HISTORYSTORAGEURL}/$history_storage_url/g" \ - -e "s/{ZBX_HISTORYSTORAGETYPES}/$history_storage_types/g" \ - "$ZBX_WEB_CONFIG" - if [ -n "${ZBX_SESSION_NAME}" ]; then cp "$ZBX_WWW_ROOT/include/defines.inc.php" "/tmp/defines.inc.php_tmp" sed "/ZBX_SESSION_NAME/s/'[^']*'/'${ZBX_SESSION_NAME}'/2" "/tmp/defines.inc.php_tmp" > "$ZBX_WWW_ROOT/include/defines.inc.php"