Zabbix: enable ssl on web-frontend (nginx)

This post is about to enable ssl on the Zabbix web-frontend. My server is running on the following components:

  • Debian 12 (bookworm)
  • Zabbix Server version 6.4.13
  • Webserver nginx/1.22.1

step 1: create a self-signed certificate.

skip this step if you use a certificate signed by a (public) CA.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

step 2: define the locations for the cert-files

nano /etc/nginx/snippets/self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

step 3: define ssl-parameters

nano /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

step 4: Generate the dhparam.pem file

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

step 5: enable ssl in Zabbix config file

nano /etc/nginx/conf.d/zabbix.conf
server {
#       listen       8080;
        listen       443 ssl;
        server_name  server.example.com;
        include      snippets/self-signed.conf;
        include      snippets/ssl-params.conf;

step 6: Restart NGINX

systemctl restart nginx

Leave a Reply

Your email address will not be published. Required fields are marked *