This isn't really a Zabbix question, so it may get better responses on a more appropriate forum.

You don't say anything about what OS or distro you're using, but you did tag RHEL 8.4. Red Hat backports security patches from later versions to the packaged version they supply with a particular version of their distro, so even though Apache may report as "2.4.37", it may have security patches from much later versions already incorporated. IT Security scanning tools often can't tell that, though, so they falsely report that the software has a security problem, even when the problem has been remediated.

What you need to do is look at the release version of the Red Hat Package you're using, then check with either your Satellite server (if you're using Satellite) or with https://access.redhat.com, and verify that the exact package release you are running has fixes for all the CVEs that your IT Security team is concerned with. Note that if you're only running RHEL 8.4, it might not be up to date. RHEL 8.6 has been out for a while and there have been updated httpd packages released with additional fixes.

You may also want to look at the man page for yum (or dnf, on RHEL they're basically the same) and look at the "--security" option.

Much appreciated your response Tim. Sorry about that, newbie. Yes I am running RHEL 8.6. I've updated my system so it is patched all the way, we are using Satellite but I have already downloaded/promoted all recent ERRATA. I also downloaded and compiled apache which works but was just not sure why Zabbix URL is inaccessible. I was not sure if this was an apache issue or Zabbix but I can also reach out to the apache community. Thank you for the response.

If you're running RHEL 8.6 and you've promoted all errata, then your apache install on the Zabbix system should already be patched for all security issues that have a CVE #. You didn't need to (and in my opinion, should not have) built apache from source and installed it on the system. As long as you're installing security errata on a regular basis, Red Hat should be keeping the 2.4.37 version secure, by backporting any necessary security fixes. You just need to convince your security folks that their security scans are reporting false positives.

You can check what CVEs are addressed by any particular package release using the Content->Errata search in Satellite, or using access.redhat.com's errata search.

Regarding your compiled Apache httpd: if you used the same options as far as layout and features that are typical for a RHEL 8 system, then Zabbix should run fine with it. It's probably an apache configuration issue (maybe a mix of Red Hat and from-source config? Or perhaps some config is missing or not being loaded from the directory where it's installed?). You may have to increase logging and dig through the debug logs to figure out what the problem is.

Thanks Tim. I appreciate the replies. I'll turn on increased debugging/logging and see where that leads me.