From d2e374ba53a18fb1f6a82c8d0860ea7645c92bd4 Mon Sep 17 00:00:00 2001
From: Jan Garaj
Date: Tue, 19 Dec 2017 18:21:57 +0100
Subject: [PATCH] SSL nginx conf
---
 .../etc/nginx/hosts.d/ssl-nginx.conf | 41 +++++++++++++++++++
 README.md | 17 ++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 Dockerfile/dockbix-xxl/container-files-zabbix/etc/nginx/hosts.d/ssl-nginx.conf
diff --git a/Dockerfile/dockbix-xxl/container-files-zabbix/etc/nginx/hosts.d/ssl-nginx.conf b/Dockerfile/dockbix-xxl/container-files-zabbix/etc/nginx/hosts.d/ssl-nginx.conf
new file mode 100644
index 0000000..c3d14f9
--- /dev/null
+++ b/Dockerfile/dockbix-xxl/container-files-zabbix/etc/nginx/hosts.d/ssl-nginx.conf
@@ -0,0 +1,41 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+ ssl_certificate /etc/nginx/ssl/dummy.crt;
+ ssl_certificate_key /etc/nginx/ssl/dummy.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+
+ # modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS caching header
+ #add_header Strict-Transport-Security "max-age=31536000;";
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+ #resolver ;
+
+ # Zabbix/PHP config
+ root /usr/local/src/zabbix/frontends/php;
+ index index.php index.html;
+
+ include /etc/nginx/conf.d/default-*.conf;
+ include /data/conf/nginx/conf.d/default-*.conf;
+
+ # PHP backend is not in the default-*.conf file set,
+ # as some vhost might not want to include it.
+ include /etc/nginx/conf.d/php-location.conf;
+}
diff --git a/README.md b/README.md
index 1d45daf..e748256 100644
--- a/README.md
+++ b/README.md
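Review bot: `ssl_stapling on; ssl_stapling_verify on;` is switched on while the two directives it depends on, `ssl_trusted_certificate` and `resolver`, are left commented out a few lines below, so nginx will most likely be unable to resolve the OCSP responder or verify the response and will skip stapling with only a startup warning rather than an error. Either ship the stapling pair commented out like the HSTS header, or uncomment `ssl_trusted_certificate` and `resolver` with a comment that both must be filled in together with the real certificate; with the placeholder `dummy.crt` the block cannot do anything useful in the shipped image anyway. The cipher list also keeps the CBC suites `ECDHE-*-AES256-SHA384` and `ECDHE-*-AES128-SHA256`; if non-AEAD clients need not be supported, trimming the list to the GCM and ChaCha20 suites is a cheap hardening. Since this vhost is added next to the existing HTTP vhost, the Zabbix login presumably stays reachable in cleartext on port 80; a comment telling operators to add `return 301 https://$host$request_uri;` there and to uncomment the HSTS header once a real certificate is installed would make the intended deployment clearer.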
@@ -103,6 +103,23 @@ docker run \
 --env="ZJ_enabled=true" \
 --env="ZS_StartJavaPollers=3" \
 monitoringartist/dockbix-xxl:latest
+
+## HTTPS; for more complex setup overwrite /etc/nginx/hosts.d/ssl-nginx.conf
+docker run \
+ -d \
+ --name dockbix \
+ -p 443:443 \
+ -p 10051:10051 \
+ -v /etc/localtime:/etc/localtime:ro \
+ -v //:/etc/nginx/ssl/dummy.crt:ro \
+ -v //:/etc/nginx/ssl/dummy.key:ro \
+ --link dockbix-db:dockbix.db \
+ --env="ZS_DBHost=dockbix.db" \
+ --env="ZS_DBUser=zabbix" \
+ --env="ZS_DBPassword=my_password" \
+ --env="XXL_zapix=true" \
+ --env="XXL_grapher=true" \
+ monitoringartist/dockbix-xxl:latest
 ```
 #### Up and Running with Docker Compose