{
if (
	((${'zabbix-server'}{'status'} || 'disabled') eq 'enabled') &&
	((${'zabbix-server'}{'WebAccess'} || 'local') ne 'disabled')){

my $access = (${'zabbix-server'}{'WebAccess'} || 'local') eq 'public' ?
        'all granted':"ip $localAccess $externalSSLAccess";

my $tz = ${'TimeZone'} || 'Europe/Paris';

$OUT .=<<"HERE";
#-------------------------------------------#
# Zabbix monitoring system php web frontend #
#-------------------------------------------#

Alias /zabbix /usr/share/zabbix

<Directory "/usr/share/zabbix">
Header set Content-Security-Policy: "default-src 'self' *.openstreetmap.org; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://services.zabbix.com ; img-src 'self' data: *.openstreetmap.org; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self';"
Header set Referrer-Policy "strict-origin-when-cross-origin"
    SSLRequireSSL on
    Options FollowSymLinks
    AllowOverride None
    #AddType application/x-httpd-php .php
    <FilesMatch .php>
	SetHandler "proxy:unix:/var/run/php-fpm/php84-zabbix-server.sock|fcgi://localhost"
    </FilesMatch>
    Require $access
</Directory>

<Directory "/usr/share/zabbix/include">
    Require all denied
    <files *.php>
        Require all denied
    </files>
</Directory>

<Directory "/usr/share/zabbix/include/classes">
    Require all denied
    <files *.php>
        Require all denied
    </files>
</Directory>

HERE
}
}
