0x01 Introduction
Since a proxy is in use, it has to talk to the Zabbix server. By default all Zabbix traffic is unencrypted plaintext, so for safety I chose to encrypt it with digital certificates.
A pre-shared key (PSK) can also be configured for encryption, but certificates give stronger protection than PSK.
0x02 Preparation
First set up the server – proxy – client environment; the setup process is described in the following article:
0x03 Certificates
The Zabbix components encrypt at the transport layer (TLS), and each one needs its own certificate. These are the three hostnames I use:
- server: web-t1.t.com
- proxy: zabbix-proxy-t1.t.com
- client: zabbix-client-t1
All certificates are generated on the server host in one go, starting with the CA certificate:
# create the directory (-p also creates the parent /root/crt)
[root@web-t1 ~]# mkdir -p /root/crt/ca/
# enter the directory
[root@web-t1 ~]# cd /root/crt/ca/
# create the CA key
[root@web-t1 ca]# openssl genrsa 4096 > ca.key
# create the self-signed CA certificate
[root@web-t1 ca]# openssl req -new -x509 -nodes -days 3650 -key ca.key -subj /C=CN/ST=HongKong/L=HongKong/O=OdinELK/OU=OdinIT/CN=OdinCA/[email protected] > ca.crt
Then issue the server certificate; the CN field of the certificate must be the hostname:
# create the directory
[root@web-t1 ~]# mkdir /root/crt/web-t1.t.com/
# enter the directory
[root@web-t1 ~]# cd /root/crt/web-t1.t.com/
# generate the key and CSR
[root@web-t1 web-t1.t.com]# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout web-t1.t.com.key -subj /C=CN/ST=HongKong/L=HongKong/O=OdinELK/OU=OdinIT/CN=web-t1.t.com/[email protected] > web-t1.t.com.csr
# sign the certificate with the CA; every certificate this CA issues must get a different serial
[root@web-t1 web-t1.t.com]# openssl x509 -req -in web-t1.t.com.csr -days 3650 -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 01 > web-t1.t.com.crt
Then the proxy certificate:
# create the directory
[root@web-t1 ~]# mkdir /root/crt/zabbix-proxy-t1.t.com/
# enter the directory
[root@web-t1 ~]# cd /root/crt/zabbix-proxy-t1.t.com/
# generate the key and CSR
[root@web-t1 zabbix-proxy-t1.t.com]# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout zabbix-proxy-t1.t.com.key -subj /C=CN/ST=HongKong/L=HongKong/O=OdinELK/OU=OdinIT/CN=zabbix-proxy-t1.t.com/[email protected] > zabbix-proxy-t1.t.com.csr
# sign the certificate with the CA (serial 02: the server certificate already uses 01)
[root@web-t1 zabbix-proxy-t1.t.com]# openssl x509 -req -in zabbix-proxy-t1.t.com.csr -days 3650 -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 02 > zabbix-proxy-t1.t.com.crt
Finally the client:
# create the directory
[root@web-t1 ~]# mkdir /root/crt/zabbix-client-t1/
# enter the directory
[root@web-t1 ~]# cd /root/crt/zabbix-client-t1/
# generate the key and CSR (the key file name must match the TLSKeyFile path configured later)
[root@web-t1 zabbix-client-t1]# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout zabbix-client-t1.t.com.key -subj /C=CN/ST=HongKong/L=HongKong/O=OdinELK/OU=OdinIT/CN=zabbix-client-t1.t.com/[email protected] > zabbix-client-t1.t.com.csr
# sign the certificate with the CA (serial 03)
[root@web-t1 zabbix-client-t1]# openssl x509 -req -in zabbix-client-t1.t.com.csr -days 3650 -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 03 > zabbix-client-t1.t.com.crt
The CA certificate also has to be copied into the server, proxy and client directories:
# a loop is needed here: cp with a glob as the destination would treat all but the last directory as sources
[root@web-t1 ~]# for d in /root/crt/*/; do [ "$d" = /root/crt/ca/ ] || \cp -f /root/crt/ca/ca.crt "$d"; done
The resulting directory layout is:
[root@web-t1 ~]# ll crt/*
crt/ca:
total 8
-rw-r--r-- 1 root root 2110 Apr 29 16:14 ca.crt
-rw-r--r-- 1 root root 3243 Apr 29 16:14 ca.key

crt/web-t1.t.com:
total 16
-rw-r--r-- 1 root root 2110 Apr 29 16:22 ca.crt
-rw-r--r-- 1 root root 1643 Apr 29 16:20 web-t1.t.com.crt
-rw-r--r-- 1 root root 1062 Apr 29 16:20 web-t1.t.com.csr
-rw-r--r-- 1 root root 1704 Apr 29 16:20 web-t1.t.com.key

crt/zabbix-client-t1:
total 16
-rw-r--r-- 1 root root 2110 Apr 29 16:23 ca.crt
-rw-r--r-- 1 root root 1655 Apr 29 16:22 zabbix-client-t1.t.com.crt
-rw-r--r-- 1 root root 1074 Apr 29 16:22 zabbix-client-t1.t.com.csr
-rw-r--r-- 1 root root 1708 Apr 29 16:22 zabbix-client-t1.t.key

crt/zabbix-proxy-t1.t.com:
total 16
-rw-r--r-- 1 root root 2110 Apr 29 17:12 ca.crt
-rw-r--r-- 1 root root 1655 Apr 29 16:21 zabbix-proxy-t1.t.com.crt
-rw-r--r-- 1 root root 1074 Apr 29 16:21 zabbix-proxy-t1.t.com.csr
-rw-r--r-- 1 root root 1708 Apr 29 16:21 zabbix-proxy-t1.t.key
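Two things in the steps above are worth checking mechanically before the files are shipped to the other hosts: every certificate signed by the same CA must carry a different serial number, and the listing shows the private keys created as mode 0644, readable by every local user. The script below is an added example, not code from the original post: it rebuilds the same CA + three-leaf layout with the post's subject fields and hostnames, gives each leaf its own serial, locks the key down to mode 0600, and then verifies each leaf (chain to the CA, CN equals the hostname, key matches the certificate, key not group/world-readable). It assumes `openssl` is on PATH and uses a scratch directory `CRT_ROOT` in place of /root/crt.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA and leaf
# certificates the way the post does, then check each leaf before deployment.
# Assumptions: openssl on PATH; CRT_ROOT is a scratch directory standing in
# for /root/crt; hostnames are the ones used in the post.
set -eu

CRT_ROOT="${CRT_ROOT:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=HongKong/L=HongKong/O=OdinELK/OU=OdinIT"

# make_ca: self-signed CA in $CRT_ROOT/ca (ca.key, ca.crt)
make_ca() {
    mkdir -p "$CRT_ROOT/ca"
    openssl genrsa -out "$CRT_ROOT/ca/ca.key" 2048 2>/dev/null
    chmod 600 "$CRT_ROOT/ca/ca.key"
    openssl req -new -x509 -nodes -days 3650 -key "$CRT_ROOT/ca/ca.key" \
        -subj "$SUBJ_BASE/CN=OdinCA" -out "$CRT_ROOT/ca/ca.crt"
}

# make_leaf NAME SERIAL: key, CSR and CA-signed cert with CN=NAME in
# $CRT_ROOT/NAME, plus a copy of ca.crt (the layout the post builds by hand)
make_leaf() {
    name=$1; serial=$2; dir="$CRT_ROOT/$name"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "$SUBJ_BASE/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -days 3650 \
        -CA "$CRT_ROOT/ca/ca.crt" -CAkey "$CRT_ROOT/ca/ca.key" \
        -set_serial "$serial" -out "$dir/$name.crt" 2>/dev/null
    cp -f "$CRT_ROOT/ca/ca.crt" "$dir/"
    chmod 600 "$dir/$name.key"   # only the owner (the daemon's user) may read it
}

# check_leaf NAME: succeeds only if the cert chains to ca.crt, its CN is NAME,
# the private key belongs to the cert, and the key is not group/world-readable
check_leaf() {
    name=$1; dir="$CRT_ROOT/$name"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
        || { echo "$name: does not chain to CA" >&2; return 1; }
    openssl x509 -in "$dir/$name.crt" -noout -subject | grep -q "CN *= *$name\$" \
        || { echo "$name: CN mismatch" >&2; return 1; }
    [ "$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$name.key" -pubout)" ] \
        || { echo "$name: key does not match certificate" >&2; return 1; }
    [ -z "$(find "$dir/$name.key" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "$name: private key is group/world-readable" >&2; return 1; }
}

# serials_unique NAME...: fails if two leaves from this CA share a serial number
serials_unique() {
    for n in "$@"; do
        openssl x509 -in "$CRT_ROOT/$n/$n.crt" -noout -serial
    done | sort | uniq -d | grep -q . && return 1
    return 0
}

make_ca
make_leaf web-t1.t.com 01
make_leaf zabbix-proxy-t1.t.com 02
make_leaf zabbix-client-t1.t.com 03
for n in web-t1.t.com zabbix-proxy-t1.t.com zabbix-client-t1.t.com; do
    check_leaf "$n" && echo "$n: OK"
done
serials_unique web-t1.t.com zabbix-proxy-t1.t.com zabbix-client-t1.t.com \
    && echo "serials unique"
```

The scratch directory is left in place so the generated files can be inspected; run the `check_leaf` part again on the target host after the sftp copy, since `get` creates the files with the receiving user's umask and the Zabbix daemon (user zabbix) must be able to read exactly that one key file and nothing else.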
With the certificates ready, each folder still has to be placed in its proper location. First the server:
[root@web-t1 ~]# cp -r /root/crt/web-t1.t.com/ /usr/local/zabbix/crt
Then the proxy; here I use sftp to transfer the certificate files:
# create the directory
[root@zabbix-proxy-t1 ~]# mkdir /usr/local/zabbix/crt
# log in to the server via sftp
[root@zabbix-proxy-t1 ~]# sftp web-t1.t.com
[email protected]'s password:
Connected to web-t1.t.com.
# fetch the certificates (a directory cannot be fetched as such; use a glob on its files)
sftp> get /root/crt/zabbix-proxy-t1.t.com/ /usr/local/zabbix/crt/
Fetching /root/crt/zabbix-proxy-t1.t.com/ to /usr/local/zabbix/crt/zabbix-proxy-t1.t.com
Cannot download non-regular file: /root/crt/zabbix-proxy-t1.t.com/
sftp> get /root/crt/zabbix-proxy-t1.t.com/* /usr/local/zabbix/crt/
Fetching /root/crt/zabbix-proxy-t1.t.com/ca.crt to /usr/local/zabbix/crt/ca.crt
/root/crt/zabbix-proxy-t1.t.com/ca.crt 100% 2110 2.1KB/s 00:00
Fetching /root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.com.crt to /usr/local/zabbix/crt/zabbix-proxy-t1.t.com.crt
/root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.com.crt 100% 1655 1.6KB/s 00:00
Fetching /root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.com.csr to /usr/local/zabbix/crt/zabbix-proxy-t1.t.com.csr
/root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.com.csr 100% 1074 1.1KB/s 00:00
Fetching /root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.key to /usr/local/zabbix/crt/zabbix-proxy-t1.t.key
/root/crt/zabbix-proxy-t1.t.com/zabbix-proxy-t1.t.key
# quit sftp
sftp> exit
Place the certificates on the client the same way:
# log in to the server via sftp
[root@zabbix-client-t1 ~]# sftp [email protected]
[email protected]'s password:
Connected to web-t1.t.com.
# fetch the certificates
sftp> get /root/crt/zabbix-client-t1/* /usr/local/zabbix/crt/
Fetching /root/crt/zabbix-client-t1/ca.crt to /usr/local/zabbix/crt/ca.crt
/root/crt/zabbix-client-t1/ca.crt 100% 2110 2.1KB/s 00:00
Fetching /root/crt/zabbix-client-t1/zabbix-client-t1.t.com.crt to /usr/local/zabbix/crt/zabbix-client-t1.t.com.crt
/root/crt/zabbix-client-t1/zabbix-client-t1.t.com.crt 100% 1655 1.6KB/s 00:00
Fetching /root/crt/zabbix-client-t1/zabbix-client-t1.t.com.csr to /usr/local/zabbix/crt/zabbix-client-t1.t.com.csr
/root/crt/zabbix-client-t1/zabbix-client-t1.t.com.csr 100% 1074 1.1KB/s 00:00
Fetching /root/crt/zabbix-client-t1/zabbix-client-t1.t.key to /usr/local/zabbix/crt/zabbix-client-t1.t.key
/root/crt/zabbix-client-t1/zabbix-client-t1.t.key 100% 1708 1.7KB/s 00:00
# quit sftp
sftp> exit
0x04 server
On the server, edit zabbix_server.conf:
# open the file
[root@web-t1 ~]# vim /usr/local/zabbix/etc/zabbix_server.conf
# uncomment TLSCAFile and set the absolute path of the CA certificate
TLSCAFile=/usr/local/zabbix/crt/ca.crt
# uncomment TLSCertFile and set the absolute path of the server certificate
TLSCertFile=/usr/local/zabbix/crt/web-t1.t.com.crt
# uncomment TLSKeyFile and set the absolute path of the server private key
TLSKeyFile=/usr/local/zabbix/crt/web-t1.t.com.key
Use killall to stop all zabbix_server processes, then start it again:
# stop
[root@web-t1 ~]# killall zabbix_server
# start
[root@web-t1 ~]# zabbix_server
Check that it started:
[root@web-t1 ~]# ps -aux | grep zabbix
zabbix 26024 0.0 0.1 151480 3188 ? S 16:26 0:00 zabbix_server
zabbix 26028 0.0 0.1 151480 2540 ? S 16:26 0:00 zabbix_server: configuration syncer [synced configuration in 0.005151 sec, idle 60 sec]
zabbix 26029 0.0 0.1 151472 2192 ? S 16:26 0:00 zabbix_server: db watchdog [synced alerts config in 0.001144 sec, idle 60 sec]
zabbix 26030 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: poller #1 [got 0 values in 0.000004 sec, idle 5 sec]
zabbix 26032 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: poller #2 [got 0 values in 0.000005 sec, idle 5 sec]
zabbix 26033 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: poller #3 [got 0 values in 0.000003 sec, idle 5 sec]
zabbix 26034 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: poller #4 [got 0 values in 0.000003 sec, idle 5 sec]
zabbix 26035 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: poller #5 [got 0 values in 0.000004 sec, idle 5 sec]
zabbix 26036 0.0 0.2 258476 4820 ? S 16:26 0:00 zabbix_server: unreachable poller #1 [got 0 values in 0.000003 sec, idle 5 sec]
zabbix 26037 0.0 0.2 154136 4928 ? S 16:26 0:05 zabbix_server: trapper #1 [processed data in 0.000006 sec, waiting for connection]
zabbix 26038 0.0 0.2 154136 5200 ? S 16:26 0:05 zabbix_server: trapper #2 [processed data in 0.000821 sec, waiting for connection]
zabbix 26039 0.0 0.2 154136 5184 ? S 16:26 0:05 zabbix_server: trapper #3 [processed data in 0.000952 sec, waiting for connection]
zabbix 26040 0.0 0.2 154288 5096 ? S 16:26 0:05 zabbix_server: trapper #4 [processed data in 0.001088 sec, waiting for connection]
zabbix 26041 0.0 0.2 154136 5132 ? S 16:26 0:05 zabbix_server: trapper #5 [processed data in 0.001016 sec, waiting for connection]
zabbix 26042 0.0 0.0 153996 1856 ? S 16:26 0:00 zabbix_server: icmp pinger #1 [got 0 values in 0.000003 sec, idle 5 sec]
zabbix 26043 0.0 0.1 151472 2180 ? S 16:26 0:00 zabbix_server: alerter [sent alerts: 0 success, 0 fail in 0.000468 sec, idle 30 sec]
zabbix 26044 0.0 0.1 151764 2568 ? S 16:26 0:00 zabbix_server: housekeeper [deleted 0 hist/trends, 0 items, 0 events, 0 sessions, 0 alarms, 0 audit items in 0.001157 sec, idle for 1 hour(s)]
zabbix 26045 0.0 0.1 151560 2664 ? S 16:26 0:00 zabbix_server: timer #1 [processed 1 triggers, 0 events in 0.000180 sec, 0 maintenances in 0.000000 sec, idle 30 sec]
zabbix 26046 0.0 0.1 151472 2220 ? S 16:26 0:00 zabbix_server: http poller #1 [got 0 values in 0.000417 sec, idle 5 sec]
zabbix 26047 0.0 0.2 255952 4820 ? S 16:26 0:00 zabbix_server: discoverer #1 [processed 0 rules in 0.000615 sec, idle 60 sec]
zabbix 26048 0.0 0.1 151532 3072 ? S 16:26 0:00 zabbix_server: history syncer #1 [synced 0 items in 0.000001 sec, idle 1 sec]
zabbix 26049 0.0 0.1 151616 3044 ? S 16:26 0:00 zabbix_server: history syncer #2 [synced 0 items in 0.000001 sec, idle 1 sec]
zabbix 26050 0.0 0.1 151792 3276 ? S 16:26 0:00 zabbix_server: history syncer #3 [synced 0 items in 0.000001 sec, idle 1 sec]
zabbix 26051 0.0 0.1 151532 3112 ? S 16:26 0:00 zabbix_server: history syncer #4 [synced 0 items in 0.000001 sec, idle 1 sec]
zabbix 26052 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: escalator #1 [processed 0 escalations in 0.000716 sec, idle 3 sec]
zabbix 26053 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000002 sec, idle 5 sec]
zabbix 26055 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #2 [exchanged data with 0 proxies in 0.000003 sec, idle 5 sec]
zabbix 26057 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #3 [exchanged data with 0 proxies in 0.000002 sec, idle 5 sec]
zabbix 26058 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #4 [exchanged data with 0 proxies in 0.000002 sec, idle 5 sec]
zabbix 26059 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #5 [exchanged data with 0 proxies in 0.000005 sec, idle 5 sec]
zabbix 26060 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #6 [exchanged data with 0 proxies in 0.000003 sec, idle 5 sec]
zabbix 26061 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #7 [exchanged data with 0 proxies in 0.000002 sec, idle 5 sec]
zabbix 26062 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #8 [exchanged data with 0 proxies in 0.000012 sec, idle 5 sec]
zabbix 26063 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #9 [exchanged data with 0 proxies in 0.000011 sec, idle 5 sec]
zabbix 26064 0.0 0.1 151616 3272 ? S 16:26 0:00 zabbix_server: proxy poller #10 [exchanged data with 0 proxies in 0.000003 sec, idle 5 sec]
zabbix 26065 0.0 0.0 151480 1856 ? S 16:26 0:00 zabbix_server: self-monitoring [processed data in 0.000004 sec, idle 1 sec]
zabbix 26066 0.0 0.1 151472 2320 ? S 16:26 0:00 zabbix_server: task manager [processed 0 task(s) in 0.000264 sec, idle 5 sec]
root 27569 0.0 0.0 112652 964 pts/0 S+ 18:40 0:00 grep --color=auto zabbix
0x05 proxy
Likewise, open the configuration file zabbix_proxy.conf on the proxy host and edit it:
[root@zabbix-proxy-t1 ~]# vim /usr/local/zabbix/etc/zabbix_proxy.conf
# uncomment TLSConnect and set it to cert (outgoing connections to the server use certificates)
TLSConnect=cert
# uncomment TLSAccept and set it to cert (incoming connections without a certificate are rejected)
TLSAccept=cert
# uncomment TLSCAFile and set the absolute path of the CA certificate
TLSCAFile=/usr/local/zabbix/crt/ca.crt
# uncomment TLSCertFile and set the absolute path of the proxy certificate
TLSCertFile=/usr/local/zabbix/crt/zabbix-proxy-t1.t.com.crt
# uncomment TLSKeyFile and set the absolute path of the proxy private key
TLSKeyFile=/usr/local/zabbix/crt/zabbix-proxy-t1.t.com.key
Use killall to stop all zabbix_proxy processes, then start it again:
# stop
[root@zabbix-proxy-t1 ~]# killall zabbix_proxy
# start
[root@zabbix-proxy-t1 ~]# zabbix_proxy
Check that it started:
[root@zabbix-proxy-t1 ~]# ps -aux | grep zabbix
zabbix 24301 0.0 0.3 141160 3540 ? S 16:40 0:00 zabbix_proxy
zabbix 24305 0.0 0.4 141412 4732 ? S 16:40 0:00 zabbix_proxy: configuration syncer [synced config 9238 bytes in 0.026664 sec, idle 300 sec]
zabbix 24306 0.0 0.3 141296 3900 ? S 16:40 0:04 zabbix_proxy: heartbeat sender [sending heartbeat message success in 0.012053 sec, idle 10 sec]
zabbix 24307 0.3 0.4 141416 4348 ? S 16:40 0:25 zabbix_proxy: data sender [sent 1 values in 0.013919 sec, idle 1 sec]
zabbix 24308 0.0 0.5 248312 5796 ? S 16:40 0:04 zabbix_proxy: poller #1 [got 0 values in 0.000004 sec, idle 1 sec]
zabbix 24309 0.0 0.5 248312 5812 ? S 16:40 0:04 zabbix_proxy: poller #2 [got 0 values in 0.000003 sec, idle 1 sec]
zabbix 24310 0.0 0.5 248312 5808 ? S 16:40 0:04 zabbix_proxy: poller #3 [got 1 values in 0.011627 sec, idle 1 sec]
zabbix 24311 0.0 0.5 248312 5800 ? S 16:40 0:04 zabbix_proxy: poller #4 [got 0 values in 0.000004 sec, idle 1 sec]
zabbix 24312 0.0 0.5 248312 5812 ? S 16:40 0:04 zabbix_proxy: poller #5 [got 0 values in 0.000003 sec, idle 1 sec]
zabbix 24313 0.0 0.5 248360 5868 ? S 16:40 0:00 zabbix_proxy: unreachable poller #1 [got 0 values in 0.000004 sec, idle 5 sec]
zabbix 24314 0.0 0.3 141284 3404 ? S 16:40 0:00 zabbix_proxy: trapper #1 [processed data in 0.000000 sec, waiting for connection]
zabbix 24315 0.0 0.3 141284 3404 ? S 16:40 0:00 zabbix_proxy: trapper #2 [processed data in 0.000000 sec, waiting for connection]
zabbix 24316 0.0 0.3 141284 3404 ? S 16:40 0:00 zabbix_proxy: trapper #3 [processed data in 0.000000 sec, waiting for connection]
zabbix 24317 0.0 0.3 141320 4028 ? S 16:40 0:00 zabbix_proxy: trapper #4 [processed data in 0.010555 sec, waiting for connection]
zabbix 24318 0.0 0.3 141284 3404 ? S 16:40 0:00 zabbix_proxy: trapper #5 [processed data in 0.000000 sec, waiting for connection]
zabbix 24319 0.0 0.1 143676 1880 ? S 16:40 0:00 zabbix_proxy: icmp pinger #1 [got 0 values in 0.000004 sec, idle 5 sec]
zabbix 24320 0.0 0.2 141152 2524 ? S 16:40 0:00 zabbix_proxy: housekeeper [deleted 1885 records in 0.028891 sec, idle for 1 hour(s)]
zabbix 24321 0.0 0.2 141152 2436 ? S 16:40 0:00 zabbix_proxy: http poller #1 [got 0 values in 0.000465 sec, idle 5 sec]
zabbix 24322 0.0 0.4 245636 4772 ? S 16:40 0:00 zabbix_proxy: discoverer #1 [processed 0 rules in 0.000571 sec, idle 60 sec]
zabbix 24323 0.0 0.2 141152 2712 ? S 16:40 0:00 zabbix_proxy: history syncer #1 [synced 0 items in 0.000004 sec, idle 1 sec]
zabbix 24324 0.0 0.2 141152 2712 ? S 16:40 0:00 zabbix_proxy: history syncer #2 [synced 0 items in 0.000004 sec, idle 1 sec]
zabbix 24325 0.0 0.2 141152 2712 ? S 16:40 0:00 zabbix_proxy: history syncer #3 [synced 0 items in 0.000003 sec, idle 1 sec]
zabbix 24326 0.0 0.2 141152 2712 ? S 16:40 0:00 zabbix_proxy: history syncer #4 [synced 1 items in 0.001658 sec, idle 1 sec]
zabbix 24327 0.0 0.1 141160 1876 ? S 16:40 0:00 zabbix_proxy: self-monitoring [processed data in 0.000004 sec, idle 1 sec]
root 24583 0.0 0.0 112648 964 pts/0 R+ 18:56 0:00 grep --color=auto zabbix
0x06 client
Finally the client's certificate configuration; this part is similar to the process in the following article:
Open the agent configuration file and edit it:
[root@zabbix-client-t1 ~]# vim /usr/local/zabbix/etc/zabbix_agentd.conf
# uncomment TLSConnect and set it to cert (active checks towards the proxy use certificates)
TLSConnect=cert
# uncomment TLSAccept and set it to cert (passive checks without a certificate are rejected)
TLSAccept=cert
# uncomment TLSCAFile and set the absolute path of the CA certificate
TLSCAFile=/usr/local/zabbix/crt/ca.crt
# uncomment TLSCertFile and set the absolute path of the agent certificate
TLSCertFile=/usr/local/zabbix/crt/zabbix-client-t1.t.com.crt
# uncomment TLSKeyFile and set the absolute path of the agent private key
TLSKeyFile=/usr/local/zabbix/crt/zabbix-client-t1.t.com.key
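The proxy and agent edits above are the same five keys each time, and the security of the result rests on two of them: with TLSConnect=cert and TLSAccept=cert the daemon neither opens nor accepts a plaintext session, whereas a value such as `unencrypted,cert` still lets plaintext through. The script below is an added example, not the post's code or anything shipped with Zabbix: `set_conf_key` applies a key idempotently (it replaces the commented default line instead of appending a second copy), and `plaintext_disabled` checks that a finished proxy or agent file is certificate-only with all three file paths set. It runs against a constructed fragment in the style of zabbix_agentd.conf and assumes only POSIX sh, awk and sed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the TLS settings to a
# Zabbix daemon config idempotently, then verify no plaintext path remains.
# Assumptions: POSIX sh/awk/sed; the file uses Zabbix's "Key=value" lines
# with commented defaults such as "# TLSConnect=unencrypted".
set -eu

# set_conf_key FILE KEY VALUE: turns the first "KEY=..." line (commented or
# not) into KEY=VALUE, drops later duplicates, appends if the key is absent
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^ *#* *" k "=") {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode survive
    rm -f "$tmp"
}

# conf_value FILE KEY: effective value of KEY (last active assignment, or empty)
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# plaintext_disabled FILE: succeeds only when TLSConnect and TLSAccept are
# exactly "cert" (a list like "unencrypted,cert" still allows plaintext)
# and the CA, certificate and key files are all configured
plaintext_disabled() {
    file=$1
    for k in TLSConnect TLSAccept; do
        case "$(conf_value "$file" "$k")" in
            cert) ;;
            *) echo "$k is not 'cert': plaintext still possible" >&2; return 1 ;;
        esac
    done
    for k in TLSCAFile TLSCertFile TLSKeyFile; do
        [ -n "$(conf_value "$file" "$k")" ] \
            || { echo "$k is not set" >&2; return 1; }
    done
}

# constructed fragment in the style of zabbix_agentd.conf (not the real file)
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
Server=zabbix-proxy-t1.t.com
ServerActive=zabbix-proxy-t1.t.com
Hostname=zabbix-client-t1
### Option: TLSConnect
# TLSConnect=unencrypted
### Option: TLSAccept
# TLSAccept=unencrypted
# TLSCAFile=
# TLSCertFile=
# TLSKeyFile=
EOF

plaintext_disabled "$CONF" || echo "before: plaintext still possible"
set_conf_key "$CONF" TLSConnect  cert
set_conf_key "$CONF" TLSAccept   cert
set_conf_key "$CONF" TLSCAFile   /usr/local/zabbix/crt/ca.crt
set_conf_key "$CONF" TLSCertFile /usr/local/zabbix/crt/zabbix-client-t1.t.com.crt
set_conf_key "$CONF" TLSKeyFile  /usr/local/zabbix/crt/zabbix-client-t1.t.com.key
plaintext_disabled "$CONF" && echo "after: certificate-only"
```

To use it on a real host, point `set_conf_key` at /usr/local/zabbix/etc/zabbix_proxy.conf or zabbix_agentd.conf with that host's certificate and key paths, and run `plaintext_disabled` on the file before the restart. The server's zabbix_server.conf has no TLSConnect/TLSAccept keys (those are set per proxy and host in the frontend), so only the three file-path checks apply there.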
Again use killall to stop all agent processes, then start it:
# stop
[root@zabbix-client-t1 ~]# killall zabbix_agentd
# start
[root@zabbix-client-t1 ~]# zabbix_agentd
Check that it started:
[root@zabbix-client-t1 ~]# ps -aux | grep zabbix
zabbix 16333 0.0 0.1 79992 1384 ? S 16:39 0:00 zabbix_agentd
zabbix 16334 0.0 0.1 79992 1412 ? S 16:39 0:01 zabbix_agentd: collector [idle 1 sec]
zabbix 16335 0.1 0.3 82312 3516 ? S 16:39 0:08 zabbix_agentd: listener #1 [waiting for connection]
zabbix 16336 0.1 0.3 82312 3508 ? S 16:39 0:08 zabbix_agentd: listener #2 [waiting for connection]
zabbix 16337 0.1 0.3 82312 3508 ? S 16:39 0:08 zabbix_agentd: listener #3 [waiting for connection]
zabbix 16338 0.0 0.3 82324 3308 ? S 16:39 0:00 zabbix_agentd: active checks #1 [idle 1 sec]
zabbix 16339 0.0 0.3 82324 3312 ? R 16:39 0:00 zabbix_agentd: active checks #2 [getting list of active checks]
root 18117 0.0 0.0 112648 960 pts/0 R+ 18:55 0:00 grep --color=auto zabbix
0x07 Configuration
0x07.1 proxy
After the services are configured, certificate verification still has to be enabled in the frontend. First the proxy:
Go to Administration -> Proxies, select the proxy, and on the Encryption tab tick Certificate under Connections from proxy to enable certificate encryption for the proxy.
Because my proxy runs in active mode, it fetches the new configuration by itself. If the polling interval you set is long, the sync will take correspondingly longer. Once it has synced, it looks like this:
0x07.2 client
If an agent is used, certificate encryption has to be enabled for it manually as well:
After clicking Update you have to wait a while; how long is determined by the polling interval setting.
If everything is in order, it looks like this:
0x08 Conclusion
The setup is very simple, and encrypting with certificates greatly improves security.