Configure SSL for Zabbix Server Front end

Description

The Zabbix Server doesn't have any transport encryption enabled yet, so any messages passed between our browser and the server are in plain text. We should secure our server as soon as possible with an SSL certificate.

I create the certificate using options provided by Let's Encrypt. This has the added benefit of being free.

So, we need to SSH onto the Zabbix Server and install Certbot.

Ubuntu 20.04 with Apache

Enable the universe repository

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update

Install Certbot with the python3 apache plugin

sudo apt-get install certbot python3-certbot-apache

Then get the certificate

sudo certbot --apache -d zabbix.seanwasere.com

Follow the prompts, and at the end your Zabbix Server will have an SSL certificate bound and accessed via https.

I can then visit my new Zabbix Server on Ubuntu 20.04 with SSL and a domain name at

https://zabbix.seanwasere.com

Centos 7 and Apache

yum install epel-release
yum install certbot python2-certbot-apache mod_ssl

Open the file /etc/httpd/conf.d/zabbix.conf

nano /etc/httpd/conf.d/zabbix.conf

If you are using the Apache server option, then add a virtual host for your domain name to the bottom of the file.

E.g., my domain name was zabbix-centos7.seanwasere.com, so I added,

#
# Zabbix monitoring system php web frontend
#

Alias /zabbix /usr/share/zabbix

<Directory "/usr/share/zabbix">
    Options FollowSymLinks
    AllowOverride None
    Require all granted

    <IfModule mod_php5.c>
        php_value max_execution_time 300
        php_value memory_limit 128M
        php_value post_max_size 16M
        php_value upload_max_filesize 2M
        php_value max_input_time 300
        php_value max_input_vars 10000
        php_value always_populate_raw_post_data -1
        php_value date.timezone Europe/London
    </IfModule>
</Directory>

<Directory "/usr/share/zabbix/conf">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/app">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/include">
    Require all denied
</Directory>

<Directory "/usr/share/zabbix/local">
    Require all denied
</Directory>


<VirtualHost *:80>
    DocumentRoot "/usr/share/zabbix"
    ServerName your-zabbix-server-domain-name.tld
</VirtualHost>

Save the changes, restart Apache, and check its status to confirm that it is running

sudo service httpd restart
sudo service httpd status

Then execute the certbot command

sudo certbot --apache

I am then prompted to select the domain name, answer other questions, and I also select to redirect http to https.

I can then visit my new Zabbix Server on Centos7 with SSL and a domain name at

https://zabbix-centos7.seanwasere.com

Nginx

Follow the commands laid out for you on the Certbot website.

E.g., choose Nginx on Centos/RHEL7

After the setup, you may need to manually set the location of the certificate and private key in the zabbix.conf file.

On one of my Centos servers, it was

nano /etc/nginx/conf.d/zabbix_ssl.conf

Update the properties to reflect the locations of your new SSL cert and private key

    ssl_certificate      /etc/letsencrypt/live/your-zabbix-server-url.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/your-zabbix-server-url.tld/privkey.pem;

And restart Nginx

sudo service nginx restart

Visit https://your-zabbix-server-url.tld

Using Existing SSL Certificates

You may already have purchased an SSL certificate and key through an SSL provider other than Certbot.

You can configure Apache to use your existing certificate and key instead.

On Ubuntu 20.04 and using the Apache web server, you can create a new VirtualHost record that the Apache server will use when restarted.

Create a new file in the /etc/apache2/sites-enabled/ folder and name it something like your-domain-name.tld.conf

sudo nano /etc/apache2/sites-enabled/my-domain-name.com.conf

And in that file you would have something similar to

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName my-domain-name.com
  ServerAlias *
  DocumentRoot /var/www/html
  SSLEngine On
  SSLCertificateFile /path-to-certificate/fullchain.pem
  SSLCertificateKeyFile /path-to-certificate-key/privkey.pem
</VirtualHost>
</IfModule>

Your domain name will be different than mine.

Also ensure that you already have a valid certificate and key file from the service that you purchased the SSL certificate from. Place the certificate and key into a folder on your server and update the references in the above VirtualHost example.

Restart your Apache server and check status

sudo service apache2 restart
sudo service apache2 status

Visit https://your-domain-name.com in the browser and you should see a padlock in the address bar.
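
Checks worth running on the certificate and key before the restart above, as an added example that is not part of the original page: it confirms the key belongs to the certificate, the certificate is not about to expire, and the key file is not accessible to group or other. The function names and the `preflight.sh` file name are hypothetical, and it assumes `openssl` and GNU `find` are installed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes openssl and GNU find.

# Succeeds when the private key ($2) belongs to the certificate ($1).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate ($1) stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when the key file grants no permission to group or other.
# -L follows symlinks, so the target's mode is what gets checked.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find -L "$1" -maxdepth 0 -perm /077)" ]
}

# Runs all three checks, prints each failure, returns the failure count.
preflight() {
    local cert="$1" key="$2" days="${3:-14}" failures=0
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: key does not match certificate"; failures=$((failures + 1)); }
    cert_valid_for_days "$cert" "$days" ||
        { echo "FAIL: certificate expires within $days days"; failures=$((failures + 1)); }
    key_is_private "$key" ||
        { echo "FAIL: key is accessible to group or other"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "OK: $cert matches $key"
    return "$failures"
}

# Constructed sample: a throwaway self-signed pair, valid for 30 days.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=my-domain-name.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
    chmod 600 "$1/privkey.pem"
}

# Usage (hypothetical file name): ./preflight.sh CERT KEY [DAYS]
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Pass it the same two paths you put in SSLCertificateFile and SSLCertificateKeyFile; a non-zero exit status is the number of failed checks.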

Using Custom Port Other Than 443

You can modify the VirtualHost record to use a port other than 443, for example port 12345.

<IfModule mod_ssl.c>
<VirtualHost *:12345>
  ServerName my-domain-name.com
  ServerAlias *
  DocumentRoot /var/www/html
  SSLEngine On
  SSLCertificateFile /path-to-certificate/fullchain.pem
  SSLCertificateKeyFile /path-to-certificate-key/privkey.pem
</VirtualHost>
</IfModule>

You will also need to tell Apache to listen on the other port.

Open the file /etc/apache2/ports.conf and add a new line for Listen 12345 inside the ssl_module block.

E.g.,

Listen 80

<IfModule ssl_module>
    Listen 443
    Listen 12345
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Then restart the Apache server

sudo service apache2 restart
sudo service apache2 status

And now visit

https://your-domain-name.com:12345

This should work in your browser provided that you don't also have a firewall blocking port 12345 somewhere on the journey between your browser and the Apache server.

To verify that Apache is in fact listening on port 12345, or whichever other port you chose, use the ss command.

sudo ss -tulpn | grep :12345

You should see a response outlining the process pid and username.
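
The ss check only works once Apache is running. The added example below (not part of the original page) does the same comparison from the configuration files, listing every VirtualHost port that has no matching Listen directive. The function names and sample file names are hypothetical, and it does not evaluate whether the enclosing IfModule blocks are active.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: find <VirtualHost> ports that
# no Listen directive opens, a common reason a custom HTTPS port never answers.

# Ports named in <VirtualHost addr:port ...> lines of the given files.
vhost_ports() {
    awk 'tolower($1) == "<virtualhost" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/>.*/, "", p); sub(/.*:/, "", p)
            if (p ~ /^[0-9]+$/) print p
        }
    }' "$@" | sort -un
}

# Ports opened by "Listen [addr:]port [protocol]" lines of the given files.
listen_ports() {
    awk 'tolower($1) == "listen" {
        p = $2; sub(/.*:/, "", p)
        if (p ~ /^[0-9]+$/) print p
    }' "$@" | sort -un
}

# Usage: unlistened_ports PORTS_CONF VHOST_FILE...
# Prints each VirtualHost port that PORTS_CONF has no Listen line for.
unlistened_ports() {
    local ports_conf="$1" listening p
    shift
    listening=$(listen_ports "$ports_conf")
    for p in $(vhost_ports "$@"); do
        printf '%s\n' "$listening" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample files mirroring the configuration shown above.
write_sample() {
    printf '%s\n' 'Listen 80' '<IfModule ssl_module>' '    Listen 443' \
        '</IfModule>' > "$1/ports.before.conf"
    printf '%s\n' 'Listen 80' '<IfModule ssl_module>' '    Listen 443' \
        '    Listen 12345' '</IfModule>' > "$1/ports.after.conf"
    printf '%s\n' '<IfModule mod_ssl.c>' '<VirtualHost *:12345>' \
        '  ServerName my-domain-name.com' '  SSLEngine On' \
        '</VirtualHost>' '</IfModule>' > "$1/my-domain-name.com.conf"
}

# Run against real files when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    unlistened_ports "$@"
fi
```

On the Ubuntu layout used above, the arguments would be /etc/apache2/ports.conf followed by the files in /etc/apache2/sites-enabled/; empty output means every VirtualHost port has a Listen line.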