Zabbix: enable ssl on web-frontend (nginx)

This post is about enabling SSL on the Zabbix web frontend. My server is running the following components:

  • Debian 12 (bookworm)
  • Zabbix Server version 6.4.13
  • Webserver nginx/1.22.1

step 1: create a self-signed certificate.

Skip this step if you use a certificate signed by a (public) CA.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

step 2: define the locations for the cert-files

nano /etc/nginx/snippets/self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

step 3: define ssl-parameters

nano /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

step 4: Generate the dhparam.pem file

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

step 5: enable ssl in Zabbix config file

nano /etc/nginx/conf.d/zabbix.conf
server {
#       listen       8080;
        listen       443 ssl;
        server_name  server.example.com;
        include      snippets/self-signed.conf;
        include      snippets/ssl-params.conf;
        # ... the remaining directives of the existing server block stay unchanged ...
}

step 6: Restart NGINX

systemctl restart nginx
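
A check to run before the restart in step 6, as an added example that is not part of the original post: it reads the certificate, key and dhparam paths out of the two snippet files from steps 2 and 3, confirms each file exists and is non-empty, and rejects a private key that is accessible to other users. The script name preflight.sh, the --run switch and the function names are assumptions; with --run it also compares certificate and key and runs nginx -t.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before step 6.

# Print the path argument of nginx directive $1 as set in config file $2.
directive_path() {
    awk -v d="$1" '$1 == d { sub(/;.*$/, "", $2); print $2; exit }' "$2"
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
pair_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# $1 = snippet with ssl_certificate/ssl_certificate_key, $2 = ssl-params snippet.
# Fails if a referenced file is missing or empty (e.g. dhparam.pem from step 4
# was never generated) or if the private key is accessible to "other" users.
preflight() {
    rc=0
    cert=$(directive_path ssl_certificate "$1")
    key=$(directive_path ssl_certificate_key "$1")
    dh=$(directive_path ssl_dhparam "$2")
    for f in "$cert" "$key" "$dh"; do
        if [ -z "$f" ] || [ ! -s "$f" ]; then
            echo "missing or empty: ${f:-<directive not set>}" >&2
            rc=1
        fi
    done
    # Characters 8-10 of the ls mode string are the permissions for "other".
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c8-10)" != "---" ]; then
        echo "private key is world-accessible: $key" >&2
        rc=1
    fi
    return "$rc"
}

# Hypothetical entry point: sh preflight.sh --run (uses the paths from the post).
if [ "${1:-}" = "--run" ]; then
    s=/etc/nginx/snippets
    preflight "$s/self-signed.conf" "$s/ssl-params.conf" || exit 1
    pair_matches "$(directive_path ssl_certificate "$s/self-signed.conf")" \
                 "$(directive_path ssl_certificate_key "$s/self-signed.conf")" \
        || { echo "certificate and key do not match" >&2; exit 1; }
    nginx -t
fi
```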

Running Zabbix Proxy on Synology (docker)

For Zabbix, it is possible to use a Zabbix proxy for scanning networks. One way to run the proxy is to use Docker. I have tested running the Zabbix proxy in Docker (Container Manager on my Synology NAS). It is very easy to use and the setup is pretty straightforward.

Below are my findings; hopefully they can help you in some way if you want to do some testing with the Zabbix proxy like I do :-).

Below is the Docker Compose file which I have used on my Synology NAS.

# Docker compose file for running zabbix-proxy on Docker
# Created by P. Bazelmans
# Modify ZBX_SERVER_HOST and ZBX_HOSTNAME for your own setup

version: '3'

services:
  zabbix-proxy:
    image: zabbix/zabbix-proxy-sqlite3:latest
    container_name: zabbix-proxy
    environment:
      - ZBX_SERVER_HOST=x.x.x.x:10051
      - ZBX_HOSTNAME=My-Proxy
      - ZBX_STARTPOLLERS=5
      - ZBX_STARTTRIGGERS=5
    ports:
      - "10051:10051"
    restart: unless-stopped

Create a project in Container Manager (Synology)

Create a new project in Container Manager and use the compose file to set up the zabbix-proxy container.

Content is downloaded automatically…

When everything is OK, the project is started after the installation.

Now let’s check if the Zabbix proxy gets connected to the Zabbix server.

Remember: the name of the proxy (as defined in the compose file) should be identical to the proxy name configured in the Zabbix server.