Configure SSL for Zabbix Server Front end

Video Lecture

Configure SSL for Zabbix Server Front end Configure SSL for Zabbix Server Front end Configure SSL for Zabbix Server Front end

Description

The Zabbix Server doesn't have any transport encryption enabled yet, so any messages passed between our browser and the server are in plain text. We should secure our server asap with an SSL certificate.

I create the certificate using options provided by LetsEncrypt. This has the added benefit of being free.

So, we need to ssh onto the Zabbix Server and install Certbot

Ubuntu 20.04 with Apache

Enable the universe repository

1
2
3
4
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update

Install Certbot with the python3 apache plugin

1
sudo apt-get install certbot python3-certbot-apache

then get the certificate

1
sudo certbot --apache -d zabbix.seanwasere.com

Follow the prompts, and at the end your Zabbix Server will have an SSL certificate bound and accessed via https.

I can then visit my new Zabbix Server on Ubuntu 20.04 with SSL and a domain name at

https://zabbix.seanwasere.com

Ubuntu SSL

Centos 7 and Apache

1
yum install epel-release
1
yum install certbot python2-certbot-apache mod_ssl

Open the file /etc/httpd/conf.d/zabbix.conf

1
nano /etc/httpd/conf.d/zabbix.conf

If you are using the Apache server option, then add a virtual host for your domain name to the bottom of the file,

eg, my domain name was zabbix-centos7.seanwasere.com, so I added,

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#
# Zabbix monitoring system php web frontend
#

Alias /zabbix /usr/share/zabbix

<Directory "/usr/share/zabbix">
    Options FollowSymLinks
    AllowOverride None
    Require all granted

    <IfModule mod_php5.c>
        php_value max_execution_time 300
        php_value memory_limit 128M
        php_value post_max_size 16M
        php_value upload_max_filesize 2M
        php_value max_input_time 300
        php_value max_input_vars 10000
        php_value always_populate_raw_post_data -1
        php_value date.timezone Europe/London
    </IfModule>
</Directory>

<Directory "/usr/share/zabbix/conf">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/app">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/include">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/local">
    Require all denied
</Directory>


<VirtualHost *:80>
    DocumentRoot "/usr/share/zabbix"
    ServerName your-zabbix-server-domain-name.tld
</VirtualHost>

Save the changes, and restart apache and check status that it is running

1
2
sudo service httpd restart
sudo service httpd status

Then execute the certbot command

1
sudo certbot --apache

I am then prompted to select the domain name, answer other questions, and I also select to redirect http to https.

I can then visit my new Zabbix Server on Centos7 with SSL and a domain name at

https://zabbix-centos7.seanwasere.com

Centos7 SSL

Nginx

Follow the commands layed out for you on the Certbot website.

Eg, choose Nginx on Centos/RHEL7

After the setup, you may need to manually set the location of the certificate and private key in the zabbix.conf file.

On one of my Centos servers, it was

1
nano /etc/nginx/conf.d/zabbix_ssl.conf

Update the properties to reflect the locations of your new SSL cert and private key

1
2
    ssl_certificate      /etc/letsencrypt/live/your-zabbix-server-url.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/your-zabbix-server-url.tld/privkey.pem;

And restart Nginx

1
sudo service nginx restart

Visit https://your-zabbix-server-url.tld