Added EXPOSE_WEB_SERVER_INFO variable to control web server / php ver…

…sions expose

Dockerfiles/web-apache-mysql/README.md

@@ -134,12 +134,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av
 
 ### `ENABLE_WEB_ACCESS_LOG`
 
-The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output.
+The variable sets the Access Log directive for Web server. By default, value corresponds to standard output.
 
 ### `HTTP_INDEX_FILE`
 
 The variable controls default index page. By default, `index.php`.
 
+### `EXPOSE_WEB_SERVER_INFO`
+
+The variable allows to hide Web server and PHP versions. By default, `on`.
+
 ### `ZBX_MAXEXECUTIONTIME`
 
 The varable is PHP ``max_execution_time`` option. By default, value is `300`.

Dockerfiles/web-apache-mysql/alpine/conf/etc/php83/conf.d/99-zabbix.ini

@@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME}
 ; always_populate_raw_post_data=-1
 max_input_vars = 10000
 date.timezone = ${PHP_TZ}
+; https://www.php.net/manual/en/security.hiding.php
+expose_php = ${EXPOSE_WEB_SERVER_INFO}

Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/apache2/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -226,8 +228,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/apache2/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-mysql/centos/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -242,8 +244,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/httpd/conf/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-mysql/ol/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -242,8 +244,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/httpd/conf/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-mysql/ubuntu/conf/etc/php/8.1/apache2/conf.d/99-zabbix.ini

@@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME}
 ; always_populate_raw_post_data=-1
 max_input_vars = 10000
 date.timezone = ${PHP_TZ}
+; https://www.php.net/manual/en/security.hiding.php
+expose_php = ${EXPOSE_WEB_SERVER_INFO}

Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/apache2/apache2.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -226,11 +228,25 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/apache2/apache2.conf"
+ "$HTTPD_CONF_FILE"
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
  "/etc/apache2/conf-available/other-vhosts-access-log.conf"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-pgsql/README.md

@@ -138,12 +138,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av
 
 ### `ENABLE_WEB_ACCESS_LOG`
 
-The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output.
+The variable sets the Access Log directive for Web server. By default, value corresponds to standard output.
 
 ### `HTTP_INDEX_FILE`
 
 The variable controls default index page. By default, `index.php`.
 
+### `EXPOSE_WEB_SERVER_INFO`
+
+The variable allows to hide Web server and PHP versions. By default, `on`.
+
 ### `ZBX_MAXEXECUTIONTIME`
 
 The varable is PHP ``max_execution_time`` option. By default, value is `300`.

Dockerfiles/web-apache-pgsql/alpine/conf/etc/php83/conf.d/99-zabbix.ini

@@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME}
 ; always_populate_raw_post_data=-1
 max_input_vars = 10000
 date.timezone = ${PHP_TZ}
+; https://www.php.net/manual/en/security.hiding.php
+expose_php = ${EXPOSE_WEB_SERVER_INFO}

Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/apache2/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -213,8 +215,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/apache2/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-pgsql/centos/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -229,8 +231,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/httpd/conf/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-pgsql/ol/conf/etc/php-fpm.d/zabbix.conf

@@ -1,5 +1,8 @@
 [zabbix]
 
+; https://www.php.net/manual/en/security.hiding.php
+php_value[expose_php] = ${EXPOSE_WEB_SERVER_INFO}
+
 listen = /tmp/php-fpm.sock
 
 clear_env = no

Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/httpd/conf/httpd.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -229,8 +231,22 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/httpd/conf/httpd.conf"
+ "$HTTPD_CONF_FILE"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-apache-pgsql/ubuntu/conf/etc/php/8.1/apache2/conf.d/99-zabbix.ini

@@ -6,3 +6,5 @@ max_input_time = ${ZBX_MAXINPUTTIME}
 ; always_populate_raw_post_data=-1
 max_input_vars = 10000
 date.timezone = ${PHP_TZ}
+; https://www.php.net/manual/en/security.hiding.php
+expose_php = ${EXPOSE_WEB_SERVER_INFO}

Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh

@@ -23,6 +23,8 @@ fi
 ZABBIX_ETC_DIR="/etc/zabbix"
 # Web interface www-root directory
 ZABBIX_WWW_ROOT="/usr/share/zabbix"
+# Apache main configuration file
+HTTPD_CONF_FILE="/etc/apache2/apache2.conf"
 
 # usage: file_env VAR [DEFAULT]
 # as example: file_env 'MYSQL_PASSWORD' 'zabbix'
@@ -217,11 +219,25 @@ prepare_zbx_web_config() {
  if [ "${ENABLE_WEB_ACCESS_LOG,,}" == "false" ]; then
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
- "/etc/apache2/apache2.conf"
+ "$HTTPD_CONF_FILE"
  sed -ri \
  -e 's!^(\s*CustomLog)\s+\S+!\1 /dev/null!g' \
  "/etc/apache2/conf-available/other-vhosts-access-log.conf"
  fi
+
+ : ${EXPOSE_WEB_SERVER_INFO:="on"}
+ if [ "${EXPOSE_WEB_SERVER_INFO}" = "off" ]; then
+ sed -i \
+ -e "s/^\(\s*ServerTokens\).*\$/\1 Prod/g" \
+ "$HTTPD_CONF_FILE"
+ else
+ EXPOSE_WEB_SERVER_INFO="on"
+ fi
+
+ export EXPOSE_WEB_SERVER_INFO=${EXPOSE_WEB_SERVER_INFO}
+ sed -i \
+ -e "s/^\(\s*ServerSignature\).*\$/\1 ${EXPOSE_WEB_SERVER_INFO^}/g" \
+ "$HTTPD_CONF_FILE"
 }
 
 #################################################

Dockerfiles/web-nginx-mysql/README.md

@@ -135,12 +135,16 @@ Use IEEE754 compatible value range for 64-bit Numeric (float) history values. Av
 
 ### `ENABLE_WEB_ACCESS_LOG`
 
-The variable sets the Access Log directive for Web-server. By default, value corresponds to standard output.
+The variable sets the Access Log directive for Web server. By default, value corresponds to standard output.
 
 ### `HTTP_INDEX_FILE`
 
 The variable controls default index page. By default, `index.php`.
 
+### `EXPOSE_WEB_SERVER_INFO`
+
+The variable allows to hide Web server and PHP versions. By default, `on`.
+
 ### `ZBX_MAXEXECUTIONTIME`
 
 The varable is PHP ``max_execution_time`` option. By default, value is `300`.

Dockerfiles/web-nginx-mysql/alpine/conf/etc/nginx/nginx.conf

@@ -65,7 +65,7 @@ http {
  ignore_invalid_headers on;
 
  index index.php;
- server_tokens  off;
+ server_tokens {EXPOSE_WEB_SERVER_INFO};
 
  include /etc/nginx/http.d/*.conf;
 }