Last Updated on December 30, 2024 by Thiago Crepaldi
In my previous post, we went through the process of installing Zabbix Server on a Debian LXC container. Although it works alright, it doesn’t come with HTTPS support out of the box. It also has an “ugly” /zabbix in the end of the URL.
In this short post, we are going through the steps of changing the Apache settings to add an HTTP VirtualHost that replaces the /zabbix Alias. Next, we are going to create a second VirtualHost with SSL support enabled through Let’s Encrypt certificates.
I will assume you know how to issue a Let’s Encrypt certificate on your pfSense and have it available on your LXC container already.
Creating an HTTP VirtualHost on your Apache
The first step is editing the apache.conf file that comes with Zabbix: comment out the Alias directive and replace it with a proper VirtualHost. The main benefit is that you can access Zabbix at http://zabbix.lan.mydomain.com instead of http://zabbix.lan.mydomain.com/zabbix. You will also have a chance to set up other aliases (say, adding a www. variant) and configure separate log files for Zabbix, in case you host more websites on the same server (I don’t recommend having more than one website per container for security reasons).
Edit /etc/zabbix/apache.conf and replace the “Alias /zabbix /usr/share/zabbix” directive with a VirtualHost, as shown below:
# vim /etc/zabbix/apache.conf
<VirtualHost *:80>
    ServerAdmin admin@lan.mydomain.com
    ServerName zabbix.lan.mydomain.com
    ServerAlias www.zabbix.lan.mydomain.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Redirect permanent / https://zabbix.lan.mydomain.com/
</VirtualHost>
# Define /zabbix alias, this is the default
#<IfModule mod_alias.c>
#    Alias /zabbix /usr/share/zabbix
#</IfModule>
Type your email for ServerAdmin if you have followed the SMTP configuration post. Set ServerName and, optionally, ServerAlias to your Zabbix URLs. Keep all the existing <Directory> entries unchanged!
The configuration above merely redirects any HTTP request to its HTTPS counterpart. If you don’t want to set up HTTPS, but just want to get rid of the /zabbix suffix, replace Redirect permanent / https://zabbix.lan.mydomain.com/ with DocumentRoot /usr/share/zabbix.
Creating an HTTPS VirtualHost on your Apache
Assuming your Let’s Encrypt certificates are stored at /etc/zabbix/letsencrypt/zabbix.{fullchain,key}, let’s add another VirtualHost:
# vim /etc/zabbix/apache.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@lan.mydomain.com
        ServerName zabbix.lan.mydomain.com
        ServerAlias www.zabbix.lan.mydomain.com
        DocumentRoot /usr/share/zabbix
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/zabbix/letsencrypt/zabbix.fullchain
        SSLCertificateKeyFile /etc/zabbix/letsencrypt/zabbix.key
        # Expose SSL_* variables to PHP/CGI scripts (the dot must be escaped in the regex)
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
Similar to the HTTP section, we have created a VirtualHost and specified a ServerAdmin, ServerName and ServerAlias. The differences are that this VirtualHost is wrapped in an <IfModule mod_ssl.c> block and uses port 443 as the entry point. You can see SSLEngine on and the SSLCertificate* entries setting the full paths to the full-chain certificate and the private key.
Finally, let’s restart Apache to apply the changes!
# systemctl restart apache2
Now you can visit http:// or https://zabbix.lan.mydomain.com and be protected by SSL certificates! Note that this encrypts the communication between your browser and the Zabbix frontend. It doesn’t encrypt communication between the Zabbix server and the agents/proxies. Encrypting communication between server and agent is a topic for the next post, though 🙂
Optional: Extra hardening stuff
It is worth mentioning that Zabbix also has a “Best practices for secure Zabbix setup” document, which I recommend. Most of the topics there are covered above, but there are some extras that you could implement on your own.
In particular, you can restrict access to top_passwords.txt:
# vim /etc/zabbix/apache.conf
<Files "top_passwords.txt">
    # Apache 2.2 syntax; works on 2.4 only while mod_access_compat is loaded.
    # The native 2.4 equivalent is a single "Require all denied" line.
    Order Allow,Deny
    Deny from all
</Files>
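As an added example (not part of the original post), the following POSIX shell script checks the outcome of the configuration above from a defender's seat: run with --preflight on the container before the restart, it confirms that mod_ssl is actually enabled and that the configuration parses; run with the hostname afterwards, it verifies that the port-80 VirtualHost only redirects to https://, that top_passwords.txt answers 403, and that the served Let's Encrypt certificate is not close to expiry. The script and function names are mine, and it assumes the hostname and file layout used in the post.

```shell
#!/bin/sh
# check_zabbix_vhost.sh: pre-flight and post-deployment checks for the Zabbix
# Apache VirtualHosts described in the post. Added example, not part of the
# original post; the script and function names are hypothetical. It assumes the
# layout from the post: port 80 only redirects to https://HOST/, port 443 serves
# /usr/share/zabbix, and top_passwords.txt is denied.
#
#   sh check_zabbix_vhost.sh --preflight               # on the container, before restart
#   sh check_zabbix_vhost.sh zabbix.lan.mydomain.com   # from any host with curl + openssl

# preflight: the HTTPS vhost is wrapped in <IfModule mod_ssl.c>, so if mod_ssl is
# not enabled Apache silently skips it and the port-80 redirect points at nothing.
preflight() {
  if ! apache2ctl -M 2>/dev/null | grep -q ssl_module; then
    echo "mod_ssl is not enabled: run 'a2enmod ssl' first" >&2
    return 1
  fi
  apache2ctl configtest   # syntax check before 'systemctl restart apache2'
}

# status_line HEADERS: print the first line of a raw header dump (as from curl -I).
status_line() { printf '%s\n' "$1" | head -n 1 | tr -d '\r'; }

# has_status HEADERS CODE: true when the status line carries CODE (e.g. 301).
has_status() { status_line "$1" | grep -Eq "^HTTP/[0-9.]+ $2( |$)"; }

# redirects_to_https HEADERS HOST: true when the HTTP vhost answers with a
# permanent redirect whose Location is exactly https://HOST/, i.e. no plaintext
# DocumentRoot was left behind on port 80.
redirects_to_https() {
  hdrs=$1
  host=$2
  if ! has_status "$hdrs" 301 && ! has_status "$hdrs" 308; then
    return 1
  fi
  printf '%s\n' "$hdrs" | tr -d '\r' | grep -Eiq "^Location: https://$host/$"
}

# file_denied HEADERS: the <Files "top_passwords.txt"> block must yield a 403;
# a 200 means the deny is missing, a 404 means the file is simply absent.
file_denied() { has_status "$1" 403; }

# days_left NOT_AFTER NOW: whole days between NOW and the certificate's notAfter,
# both given as seconds since the epoch.
days_left() { echo $(( ($1 - $2) / 86400 )); }

# cert_healthy DAYS: Let's Encrypt certificates live 90 days and are normally
# renewed 30 days before expiry, so 30 or fewer days left means renewal is broken.
cert_healthy() { [ "$1" -gt 30 ]; }

# Live mode: runs only when an argument is given.
if [ "$1" = "--preflight" ]; then
  preflight
  exit $?
elif [ -n "$1" ]; then
  host=$1
  fail=0

  http_hdrs=$(curl -sSI --max-time 10 "http://$host/")
  if redirects_to_https "$http_hdrs" "$host"; then
    echo "ok   http://$host/ redirects to https://$host/"
  else
    echo "FAIL http://$host/ -> $(status_line "$http_hdrs")"; fail=1
  fi

  pw_hdrs=$(curl -sSI --max-time 10 "https://$host/top_passwords.txt")
  if file_denied "$pw_hdrs"; then
    echo "ok   top_passwords.txt is denied (403)"
  else
    echo "FAIL top_passwords.txt -> $(status_line "$pw_hdrs")"; fail=1
  fi

  # Fetch the served leaf certificate and read its notAfter (GNU date, as on Debian).
  not_after=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2)
  days=$(days_left "$(date -d "$not_after" +%s)" "$(date +%s)")
  if cert_healthy "$days"; then
    echo "ok   certificate valid for $days more days"
  else
    echo "FAIL certificate expires in $days days"; fail=1
  fi
  exit "$fail"
fi
```

The redirect check deliberately demands a 301 or 308 with a Location of exactly https://HOST/: a 200 on port 80 means a DocumentRoot was left in the HTTP VirtualHost and the frontend is still reachable in plaintext, while a Location on http:// means the redirect target was mistyped. The 403 check distinguishes a working <Files> block from a 404 (file not there) and a 200 (deny missing or mod_access_compat not loaded).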