Enable PSK Encryption for Zabbix Proxy
Video Lecture
Description
This time I set up PSK encryption specifically for communications between the Zabbix Server and the Zabbix Proxy.
Enabling PSK encryption for Agents behind a Proxy only encrypts communications between the Agent and the Proxy.
If your agents are in a DMZ then you may not desire encryption. But you should at least also encrypt the communications between the Zabbix Server and Proxy if they travel across a public network.
In the video, I am using a Raspberry Pi with the pi user that is not a root user.
There are extra considerations when you are not a root user.
So, after using SSH to log on to the Raspberry Pi as the pi user, the commands were,
sudo openssl rand -hex 32 > secret.psk
Read and copy the contents of the new secret.psk for later. You will enter it into the Zabbix UI.
cat secret.psk
Note that this file was created in the /home/pi/ folder with the owner and group being pi:pi.
Now to make a new home folder for the zabbix user.
sudo mkdir /home/zabbix
Now to move the new secret.psk to /home/zabbix,
sudo mv secret.psk /home/zabbix/
Now to change the ownership of the /home/zabbix directory and all its files to the zabbix:zabbix user and group.
sudo chown -R zabbix:zabbix /home/zabbix
Next to edit the proxy configuration file.
sudo nano /etc/zabbix/zabbix_proxy.conf
Edit the properties,
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=[any text that is safe to use since it won't be encrypted. I used `raspberrypi`]
TLSPSKFile=/home/zabbix/secret.psk
Restart the proxy and check its status.
sudo service zabbix-proxy restart
sudo service zabbix-proxy status
Now configure the proxy information in the Zabbix UI to use PSK encryption with the same identity and secret that you've added to the zabbix_proxy.conf.
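The following check is an added example, not part of the original tutorial. It validates the PSK file created in the steps above before or after the proxy restart. The function name check_psk and the chmod 640 suggestion are assumptions of this example; the 32 to 512 hex digit range is the PSK size Zabbix accepts. The shell redirect in the first command creates secret.psk with the default umask, which usually leaves it readable by every local user, so the permission check is the one most likely to fire.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a Zabbix PSK file.
# Usage: check_psk FILE [OWNER]   (OWNER defaults to zabbix)
# Returns 0 if every check passes, 1 otherwise; problems go to stderr.
check_psk() {
    file=$1
    owner=${2:-zabbix}
    rc=0
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }

    # Zabbix takes the key from the first line of the file.
    key=$(head -n 1 "$file" | tr -d '\r\n')
    len=${#key}
    case $key in
        ''|*[!0-9a-fA-F]*)
            echo "$file: key must contain only hexadecimal digits" >&2; rc=1 ;;
    esac
    # 32 hex digits = 128-bit minimum, 512 hex digits = 2048-bit maximum.
    if [ "$len" -lt 32 ] || [ "$len" -gt 512 ]; then
        echo "$file: key is $len hex digits, expected 32 to 512" >&2; rc=1
    fi
    if [ $((len % 2)) -ne 0 ]; then
        echo "$file: odd number of hex digits, not whole bytes" >&2; rc=1
    fi

    # ls -ld prints e.g. "-rw-r----- 1 zabbix zabbix ..."; columns 8-10
    # are the permission bits for "other", field 3 is the owner.
    listing=$(ls -ld "$file")
    other=$(printf '%s\n' "$listing" | cut -c8-10)
    actual=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$other" != "---" ]; then
        echo "$file: accessible to other users ($other), try chmod 640" >&2; rc=1
    fi
    if [ "$actual" != "$owner" ]; then
        echo "$file: owned by $actual, expected $owner" >&2; rc=1
    fi
    return $rc
}

# Run the check when the script is given arguments.
if [ "$#" -gt 0 ]; then
    check_psk "$@"
fi
```

Saved as a script, it can be run as `sudo sh check_psk.sh /home/zabbix/secret.psk`; a non-zero exit status means at least one check failed.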