Communication between Zabbix components is done in plaintext by default. In many environments, that is not a significant problem, but monitoring over the Internet in plaintext is likely not a good approach—transferred data could be read or manipulated by malicious parties. In previous Zabbix versions, there was no built-in solution, and various VPN, stunnel, and SSH port-forwarding solutions were being used. Such solutions can still be used, but 3.0 is the first Zabbix version to provide built-in encryption. In this chapter, we will set up several of the components to use different types of encryption.
For Zabbix communication encryption, two types are supported:
The pre-shared key (PSK) type is very easy to set up but is likely harder to scale. Certificate-based encryption can be more complicated to set up but easier to manage on a larger scale and potentially more secure.
This encryption is supported between all Zabbix components—server, proxy, agent, and even zabbix_sender
and zabbix_get
.
For outgoing connections (such as server-to-agent or proxy-to-server), only one type may be used (no encryption, and PSK or certificate-based). For incoming connections, multiple types may be accepted. This way, an agent could work with encryption by default for active or passive items from the server and then work without encryption with zabbix_get
for debugging.
Behind the scenes, Zabbix encryption can use one of three different libraries: OpenSSL
, GnuTLS
, or mbedTLS
. Which one to choose? If using packages, the easiest and safest is to start with whichever the packages are compiled with. If compiling from source, choose the one that is easiest to compile with. In both cases, that is likely to be the library that is endorsed by the packagers and maintained well. The Zabbix team has made a significant effort to implement support for all three libraries in as similar a way as possible from the user perspective. There could be differences regarding support for some specific features, but those are likely to be more obscure ones—if such problems do come up later, switching from one library to another should be as easy as recompiling the daemons. While in most cases it would likely not matter much which library you are using, it's a good idea to know that—one good reason for supporting these three different libraries is also the ability to switch to a different library if the currently used one has a security vulnerability.
In this chapter, we will try out encryption with Zabbix server and zabbix_sender
first and then move on to encrypting agent traffic using both PSK and certificate-based encryption. If you have installed from packages, your server most likely already supports encryption. Verify that by looking at the server and agent startup messages:
TLS support: YES
If you compiled from source and TLS support is not present, recompile the server and agent by adding one of these parameters: --with-openssl
, --with-gnutls
, or --with-mbedtls
.