Zabbix如何實現Server和Agent的通信加密

一、加密介紹

1、總覽

    Zabbix版本從3.0之後，開始支持Zabbix server, Zabbix proxy, Zabbix agent, zabbix_sender and zabbix_get之間的通信加密，加密方式有預共享密鑰(PSK)和證書加密。

    加密配置是可選項，一些proxies和agents可以使用證書認證加密通信，另外一些可以使用PSK加密通信，而剩餘的可以不使用加密進行通信。

    關於porxy的配置設備，我這裏就不在介紹了，大家可以去看官方文檔。

    但是並不是所有的通信都進行了加密，下面的幾點就是沒有覆蓋到。

• Private keys are stored in plain text in files readable by Zabbix components during startup.

• Pre-shared keys are entered in Zabbix frontend and stored in Zabbix database in plain text.

• Built-in encryption does not protect communications:

• between web server running Zabbix frontend and user web browser,

• between Zabbix frontend and Zabbix server,

• between Zabbix server (proxy) and Zabbix database.

• Currently each encrypted connection opens with a full TLS handshake, no session caching and tickets are implemented.

• Adding encryption increases time of checks and actions, depending on network latency.
  For example, if packet delay is 100ms then opening a TCP connection and sending unencrypted request takes around 200ms.
  With encryption about 1000 ms are added for establishing TLS connection.
  Timeouts may need to be increased, otherwise some items and actions running remote scripts on agents may work with unencrypted connections but fail with timeout with encrypted.

• Encryption is not supported by network discovery. Zabbix agent checks performed by network discovery will be unencrypted and if Zabbix agent is configured to reject unencrypted connections such checks will not succeed.

2、編譯支持加密功能

    要想支持加密功能，我們必須在編譯安裝的時候把加密庫編譯進Zabbix裏面。

    編譯的時候加上 --with-openssl

./configure \
--prefix=/usr/local/zabbix \
--sysconfdir=/etc/zabbix \
--enable-server \
--enable-agent \
--with-mysql \
--with-net-snmp \
--with-libcurl \
--with-openssl

二、使用預共享密鑰(PSK)

1、生成psk

# openssl rand -hex 32
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429

2、配置agent

    創建一個文件/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk，存入剛剛生成的psk。

    編輯/etc/zabbix/zabbix_agentd.conf，添加如下內容。

TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk
TLSPSKIdentity=PSK 001

    然後重啓agent，在server上面測試看看加密連接。

zabbix_get -s 127.0.0.1 -k "system.cpu.load[all,avg1]" --tls-connect=psk --tls-psk-identity="PSK 001" --tls-psk-file=/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk

    測試下來沒有什麼問題，那我們就配置WEB頁面。

    等待一段時間，就生效了哦。

三、使用證書通信加密

待完成……

                             

參考文檔：https://www.zabbix.com/documentation/3.2/manual/encryption/using_pre_shared_keys