ZABBIX BUGS AND ISSUES / ZBX-27202

Unclear documentation regarding NGINX security, SameSite attribute


    • Type: Problem report
    • Resolution: Unresolved
    • Priority: Trivial
    • Affects versions: 7.0.22rc1, 7.4.6rc1, 8.0.0alpha2 (master)
    • Component: Frontend (F)
    • Sprint: Support backlog

      Hello,
      The documentation which can be found under this link:
      https://www.zabbix.com/documentation/7.4/en/manual/best_practices/security/web_server#enforcing-secure-and-samesite-session-cookies-in-zabbix

      provides users with these recommendations regarding Nginx:

      1. Secure cookies
      
      Setting the secure flag ensures that cookies are only transmitted over HTTPS, preventing exposure over unencrypted connections.
      
      To enable secure cookies in Zabbix, add or modify the following setting in the web server configuration:
      
      For Nginx:
      
      proxy_cookie_path / "/; Secure";
      
      2. Configuring the SameSite attribute
      
      Web server settings can also enforce the SameSite attribute:
      
      For Nginx (version 1.19.3+):
      
      proxy_cookie_flags ~ samesite=Strict; # Replace ~ with 'zbx_session' for specificity
      

      The issue is that these settings will not work with the default Zabbix nginx configuration: the default configuration from the "zabbix-nginx-conf" package does not use the nginx module "ngx_http_proxy_module" at all; there is no setting like, for example:

      location / {
          proxy_pass       http://localhost:8000;
      }

      The default configuration file uses the FastCGI module in order to use PHP-FPM:

              location ~ [^/]\.php(/|$) {
                      fastcgi_pass    unix:/run/php-fpm/zabbix.sock;
                      fastcgi_split_path_info ^(.+\.php)(/.+)$;
                      fastcgi_index   index.php;
              }

      Parameters like "proxy_cookie_path" would only work for a proxied server; quote from the nginx documentation:

      Syntax:  proxy_cookie_path off;
               proxy_cookie_path path replacement;
      Context: http, server, location

      Sets a text that should be changed in the path attribute of the "Set-Cookie" header fields of a proxied server response. Suppose a proxied server returned the "Set-Cookie" header field with the attribute "path=/two/some/uri/". The directive

      In the Zabbix case, fastcgi_pass is used, so any "proxy_*" setting will simply not work, since the proxy module is not used.
      This would be fine if the user had one "public" NGINX doing reverse proxying, pushing requests to an internal web server,
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value

      As the expected outcome, it would be great to clarify the documentation and possibly implement "samesite=strict" at the PHP level, since some of the "security" features for cookies are already implemented in default 7.4 installations:

      curl -I -k https://192.168.99.88/
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 06 Nov 2025 07:37:38 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: keep-alive
      Keep-Alive: timeout=20
      X-Powered-By: PHP/8.2.28
      
      Set-Cookie: zbx_session=cut; secure; HttpOnly               <-- secure and httponly already set; in NGINX only https configured, nothing else
      
      

      https://www.zabbix.com/documentation/current/en/manual/web_interface/cookies
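As an added check, not part of this report or of Zabbix's own code: a small Python script that parses the Set-Cookie header out of a `curl -I` response such as the one above and reports which of the Secure, HttpOnly and SameSite attributes the session cookie is missing. The header block is constructed from the report's output (session value elided as "cut", as in the report); the cookie name zbx_session is taken from the page.

```python
import re

# Constructed sample: the response headers from the report's `curl -I` run.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Nov 2025 07:37:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/8.2.28
Set-Cookie: zbx_session=cut; secure; HttpOnly
"""

# Attributes a hardened session cookie should carry. A value of None means
# the attribute is a flag; a set lists the accepted values (lower-cased).
REQUIRED = {"secure": None, "httponly": None, "samesite": {"strict", "lax"}}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names and values are matched case-insensitively (Secure/secure).
        attrs[key.strip().lower()] = val.strip().lower() if val else None
    return name.strip(), value, attrs


def set_cookies(raw_headers):
    """Return {cookie_name: attributes} for every Set-Cookie header in a response."""
    cookies = {}
    for line in raw_headers.splitlines():
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(val.strip())
            cookies[name] = attrs
    return cookies


def missing_flags(raw_headers, cookie="zbx_session"):
    """List the required attributes that are absent or have a rejected value."""
    attrs = set_cookies(raw_headers).get(cookie)
    if attrs is None:
        return [f"{cookie} not set"]
    missing = []
    for attr, allowed in REQUIRED.items():
        if attr not in attrs:
            missing.append(attr)
        elif allowed is not None and attrs[attr] not in allowed:
            missing.append(f"{attr}={attrs[attr]}")
    return missing
```

Because the check looks at what actually reaches the client, it verifies the outcome regardless of whether the attribute was added by nginx or by PHP (for example via the PHP session.cookie_samesite setting), which is exactly what the proxy_cookie_* directives cannot guarantee under fastcgi_pass.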

      Assignee: Zabbix Development Team
      Reporter: Tomasz Grzechulski