ZCP_day_1_slides_Part2.pdf
2023
NGINX MONITORING

Zabbix has built-in templates to monitor Nginx that work without any scripts:
- The templates are named "Nginx by HTTP", "Nginx Plus by HTTP" and "Nginx by Zabbix agent"
- Metrics are collected by polling ngx_http_stub_status_module
- HTTPS and redirects are supported

Steps to set up NGINX:
- Modify the /etc/nginx/conf.d/zabbix.conf file and add a new location section (the allow/deny pair makes the status page readable only from the Zabbix server or proxy address):

    location = /basic_status {
        stub_status;
        allow <IP of your Zabbix server/proxy>;
        deny all;
    }

- Restart NGINX:

    systemctl restart nginx

6.0 Certified Professional ● Day 1. © 2023 by Zabbix. All rights reserved.

NGINX MONITORING

Set-up steps in the Zabbix frontend:
- Create a new host and link the template "Nginx by HTTP"
- If the HTTPS protocol is used, modify the user macros:
    {$NGINX.STUB_STATUS.PORT} = 443
    {$NGINX.STUB_STATUS.SCHEME} = https

Template macros:

    Macro                            Default value   Description
    {$NGINX.DROP_RATE.MAX.WARN}      1               The critical rate of dropped connections for the trigger expression
    {$NGINX.RESPONSE_TIME.MAX.WARN}  10              The Nginx maximum response time in seconds for the trigger expression
    {$NGINX.STUB_STATUS.PATH}        basic_status    The path of the Nginx stub_status page
    {$NGINX.STUB_STATUS.PORT}        80              The port of the Nginx stub_status host or container
    {$NGINX.STUB_STATUS.SCHEME}      http            The protocol (http or https) of the Nginx stub_status host or container
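An added example, not part of the course slides: it parses the text that ngx_http_stub_status_module serves at /basic_status (the page the "Nginx by HTTP" template polls) and evaluates the dropped-connection rate against the {$NGINX.DROP_RATE.MAX.WARN} default of 1. The stub_status response is constructed, and drop_rate_check is a simplified stand-in for the template's trigger logic, not the template's own expression.

```shell
#!/bin/sh
# Added example, not part of the Zabbix course material: parse a stub_status
# response and derive the dropped-connection figure behind the
# {$NGINX.DROP_RATE.MAX.WARN} macro. POSIX sh + awk, no network access needed.

# Constructed sample of a stub_status response (not captured from a real host).
SAMPLE_STATUS='Active connections: 291
server accepts handled requests
 16630948 16630946 31070465
Reading: 6 Writing: 179 Waiting: 106'

# nginx_stat FIELD  (stub_status text on stdin): print one numeric value.
# FIELD: active accepts handled requests reading writing waiting dropped
# dropped = accepts - handled, i.e. connections nginx could not handle
# (typically because worker_connections was exhausted).
nginx_stat() {
    awk -v field="$1" '
        /^Active connections:/             { v["active"] = $3 }
        /^server accepts handled requests/ { getline
                                             v["accepts"] = $1; v["handled"] = $2; v["requests"] = $3 }
        /^Reading:/                        { v["reading"] = $2; v["writing"] = $4; v["waiting"] = $6 }
        END {
            v["dropped"] = v["accepts"] - v["handled"]
            if (!(field in v)) { print "unknown field: " field > "/dev/stderr"; exit 1 }
            print v[field]
        }'
}

# drop_rate_check CUR PREV INTERVAL_SEC MAX: compare the per-second change of the
# dropped counter between two polls with the macro value and print WARN or OK.
# Simplified stand-in for the template trigger (dropped connections per second
# above {$NGINX.DROP_RATE.MAX.WARN}); the real expression lives in the template.
drop_rate_check() {
    awk -v cur="$1" -v prev="$2" -v sec="$3" -v max="$4" 'BEGIN {
        rate = (cur - prev) / sec
        verdict = (rate > max) ? "WARN" : "OK"
        printf "%s (%.3f dropped/s, limit %s)\n", verdict, rate, max
    }'
}

# Wrappers over the constructed sample: one poll, assumed 60 s since a poll with 0 dropped.
sample_stat() { printf '%s\n' "$SAMPLE_STATUS" | nginx_stat "$1"; }
sample_verdict() { drop_rate_check "$(sample_stat dropped)" 0 60 1 | cut -d' ' -f1; }

# Stand-alone run: show the parsed values and the verdict for the sample.
for f in active accepts handled requests dropped; do
    printf '%-9s %s\n' "$f" "$(sample_stat "$f")"
done
sample_verdict
```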
PRACTICAL SETUP (Practical task No. 1, 30 minutes)

1) Install the MySQL 8 community edition database server and create a Zabbix database:
   - Create the database schema and two users: zabbix_srv and zabbix_web
   - Load the initial Zabbix DB schema
2) Install Zabbix server with MySQL support
   - User for MySQL: zabbix_srv
3) Install Zabbix frontend on NGINX + php-fpm + PHP 8.0
   - User to connect to the MySQL database: zabbix_web
4) Secure the Zabbix frontend:
   - Create a new Zabbix Super Admin user in the frontend named "student-XX"
   - Assign the student-XX user to the "Zabbix administrators" group
   - Change the default Admin password to "Adm1nP455w0rD"
5) Configure the firewall to allow server, NGINX and DB connections.
6) Make sure that all the components work.

HTTPS for Zabbix frontend (10 minutes)

HTTPS PROTOCOL

HTTPS (Hypertext Transfer Protocol Secure):
- SSL (Secure Sockets Layer) is the standard technology for keeping a connection secure.
- TLS (Transport Layer Security) is an updated, more secure version of SSL.

Benefits:
- The protocols wrap normal traffic in a protected, encrypted wrapper
- Servers and clients can exchange information safely
- Less concern that messages will be intercepted and read by a third party

Certificate system:
- Assists users in verifying the identity of the sites they are connecting to
- The details of the certificate can be viewed by clicking on the padlock symbol in the browser bar
SSL CERTIFICATE TYPES

Types of SSL certificates:
- Self-signed SSL certificates
  - May be appropriate if you do not have a domain name associated with your server
- Trusted CA (Certificate Authority) signed SSL certificates
  - Recommended for a production environment
  - Some authorities provide free SSL certificates (Let's Encrypt, ZeroSSL, etc.)

                          Self signed   Signed by trusted CA
    Encryption            +             +
    No browser warnings   -             +
    Authentication        -             +
    Free                  +             -*
    Easy to obtain        +             +

    * Free certificates are available from some authorities (Let's Encrypt, ZeroSSL, etc.)

CERTIFICATES AND KEYS

Create a secure directory for the private key:

    # mkdir -p /etc/ssl/private/
    # chmod 0750 /etc/ssl/private

If you have obtained a trusted CA certificate, just copy the files to the directory:
- .key is the private key of the certificate
- .crt contains the public key that is included in the certificate
- Some certificate authorities provide automatic scripts for SSL

If a self-signed certificate is used, generate it from the command line:

    openssl req \
        -newkey rsa:2048 -nodes -keyout /etc/ssl/private/zabbix.key \
        -x509 -days 1825 -out /etc/ssl/certs/zabbix.crt \
        -subj '/CN=localhost'

Secure your certificate files:

    # chmod 400 /etc/ssl/private/zabbix.key
    # chmod 400 /etc/ssl/certs/zabbix.crt
SSL CONFIGURATION

Rename the existing configuration file to zbx-ssl.conf:

    # mv /etc/nginx/conf.d/zabbix.conf /etc/nginx/conf.d/zbx-ssl.conf

Configure HTTPS by adding these lines to /etc/nginx/conf.d/zbx-ssl.conf ("listen" needs to be changed from 80 to 443 ssl):

    listen              443 ssl;
    ssl                 on;
    ssl_certificate     /etc/ssl/certs/zabbix.crt;
    ssl_certificate_key /etc/ssl/private/zabbix.key;

(The separate "ssl on;" directive is deprecated in current Nginx releases; the ssl parameter on the listen line is sufficient.)

Create /etc/nginx/conf.d/zabbix.conf to redirect all HTTP traffic to HTTPS. The redirection is needed if someone accesses the site using the HTTP protocol:

    server {
        listen 80;
        return 301 https://$host$request_uri?;
    }

Reload the Nginx configuration to apply your changes:

    # systemctl reload nginx

WEB BROWSER

With a trusted certificate, a lock symbol is displayed in the address bar (e.g. https://zabbix.example.com):
- The certificate is trusted by the web browser
- The connection between the browser and the web server is encrypted

With a self-signed certificate, a warning message is displayed:
- The certificate is not trusted by the web browser
- The connection is still encrypted using the certificate key

SECURITY TUNING

SSL configuration can be tuned to improve security and performance:
- Enable HTTP/2
- Share the SSL session cache between all worker processes
- Allow only the latest protocols
- Allow only the most secure ciphers

    # Enable HTTP/2
    listen                    443 ssl http2;
    # SSL/TLS configuration
    ssl_session_cache         shared:SSL:10m;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               'EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4';
    ssl_prefer_server_ciphers on;
    ssl_stapling              on;
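An added shell script, not part of the course material, that audits an Nginx server block for the settings discussed on the SSL CONFIGURATION and SECURITY TUNING slides: the deprecated "ssl on;" directive, legacy protocol versions, a 443 listener without ssl/http2, and missing session cache, server cipher preference and OCSP stapling. The weak block is constructed; the hardened block is the slides' own directives.

```shell
#!/bin/sh
# Added example (not from the Zabbix course): audit an nginx server block for
# the TLS settings the SECURITY TUNING slide recommends. POSIX sh + grep -E.

weak_conf() {        # constructed "before" block: old-style TLS setup
cat <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/zabbix.crt;
    ssl_certificate_key /etc/ssl/private/zabbix.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

hardened_conf() {    # the slide's settings, collected into one server block
cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/zabbix.crt;
    ssl_certificate_key /etc/ssl/private/zabbix.key;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
}
EOF
}

# has PATTERN: true if an uncommented directive line in $CONF matches the ERE PATTERN
has() { printf '%s\n' "$CONF" | grep -Eq "^[[:space:]]*$1"; }

# tls_findings (server block on stdin): print one finding per line, nothing when clean
tls_findings() {
    CONF=$(cat)
    has 'ssl[[:space:]]+on[[:space:]]*;' && echo "'ssl on;' is deprecated; 'listen 443 ssl;' is enough"
    has 'listen[^;]*443' && ! has 'listen[^;]*443[^;]*ssl' && echo "listen 443 lacks the ssl parameter"
    has 'listen[^;]*443' && ! has 'listen[^;]*http2' && echo "HTTP/2 not enabled on the TLS listener"
    has 'ssl_protocols' || echo "ssl_protocols not set; older nginx defaults also allow TLSv1/TLSv1.1"
    has 'ssl_protocols[^;]*(SSLv[23]|TLSv1([[:space:]]|;)|TLSv1\.1)' && echo "ssl_protocols allows a legacy protocol; use 'TLSv1.2 TLSv1.3'"
    has 'ssl_session_cache' || echo "ssl_session_cache missing; sessions are not shared between workers"
    has 'ssl_prefer_server_ciphers[[:space:]]+on' || echo "ssl_prefer_server_ciphers is not on"
    has 'ssl_stapling[[:space:]]+on' || echo "OCSP stapling (ssl_stapling on) is not enabled"
    return 0
}

# count_findings (server block on stdin): number of findings, 0 for a clean block
count_findings() { tls_findings | wc -l | tr -d ' '; }

# Stand-alone run: report on both sample blocks.
echo "weak block:";     weak_conf | tls_findings
echo "hardened block: $(hardened_conf | count_findings) finding(s)"
```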
PRACTICAL SETUP (Practical task No. 2, 15 minutes)

1) Configure the Zabbix frontend with HTTPS:
   - Allow HTTPS traffic through the firewall
   - Generate an SSL certificate using Certbot from Let's Encrypt
2) Check that the frontend is available via HTTPS:
   - Check the web certificate details
3) Create a new host to monitor Nginx:
   - Name: Zabbix frontend
   - Link template: Nginx by HTTP
   - Configure it to use an HTTPS connection

Docker / Podman images (10 minutes)

DOCKER IMAGES

Docker delivers a container platform to deploy and run applications:
- Zabbix provides Docker images for each Zabbix component
- Zabbix components are provided on Ubuntu, Alpine Linux and CentOS base images
- Zabbix components are separated into different images:
  - MySQL and PostgreSQL database support
  - Apache2 and Nginx web server support

DOCKER IMAGES

Go to the Zabbix download > Zabbix containers page and choose a repository:
- Zabbix Docker Component Repositories
- Zabbix Docker Repository on GitHub
https://www.zabbix.com/container_images

DOCKER COMMAND REFERENCE

Add a Docker repository:

    # dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install Docker:

    # dnf -y install docker-ce --nobest

Start Docker and add it to startup:

    # systemctl start docker && systemctl enable docker

List all the containers:

    # docker ps -a

Check the logs of a running container:

    # docker logs [-f] student-XX-proxy

Restart a container:

    # docker stop student-XX-proxy
    # docker start student-XX-proxy
ENVIRONMENT VARIABLES

All Zabbix Docker images provide environment variables to control the configuration:
- A different naming method is used than in the Zabbix configuration files, for example:
    DBHost  ->  DB_SERVER_HOST
    DBPort  ->  DB_SERVER_PORT
- All the environment variables are listed in each component repository (for example https://hub.docker.com/r/zabbix/zabbix-server-mysql):

    ZBX_SERVICEMANAGERSYNCFREQUENCY=60             # Available since 6.0.0
    ZBX_HISTORYSTORAGEURL=                         # Available since 3.4.0
    ZBX_HISTORYSTORAGETYPES=uint,dbl,str,log,text  # Available since 3.4.0
    ZBX_STARTPOLLERS=5
    ZBX_IPMIPOLLERS=0
    ZBX_STARTPREPROCESSORS=3                       # Available since 3.4.0
    ZBX_STARTPOLLERSUNREACHABLE=1
    ZBX_STARTTRAPPERS=5
    ZBX_STARTPINGERS=1
    ZBX_STARTDISCOVERERS=1
    ZBX_STARTHISTORYPOLLERS=5                      # Available since 5.4.0
    ZBX_STARTHTTPPOLLERS=1
    ZBX_STARTTIMERS=1
    ..........

ACTIVE PROXY EXAMPLE

Start a Zabbix proxy (active) instance:

    # docker run --name student-XX-proxy --network=bridge --restart unless-stopped -itd \
        --env ZBX_PROXYMODE=0 --env ZBX_SERVER_HOST=172.17.0.1 -p 10061:10051 \
        --env ZBX_HOSTNAME=student-XX-proxy zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest

Options used:
- --name: name of the container
- --network: connect the container to a host network
- --restart: restart if stopped unexpectedly
- -itd: keep STDIN open; allocate a pseudo-TTY; run in the background
- -p: publish a container's port to the host
- --env: set configuration variables for Zabbix (Hostname, Proxy mode, etc.)
- zabbix-proxy-sqlite3: base image
- Tag alpine-6.0-latest: alpine = OS version of the image; 6.0 = Zabbix major version
TLS EXAMPLE

Start a Zabbix proxy (active) instance with PSK encryption.

Generate a PSK:

    mkdir -p /root/zabbix-docker/enc
    cd /root/zabbix-docker/enc
    openssl rand -hex 32 > proxy.key

Start the Zabbix proxy (active) instance with TLS:

    # docker run --name student-XX-proxy --network=bridge -itd -p 10061:10051 \
        -v /root/zabbix-docker/enc:/var/lib/zabbix/enc --env ZBX_TLSPSKFILE=proxy.key \
        --env ZBX_TLSPSKIDENTITY=p_psk --env ZBX_TLSCONNECT=psk \
        --env ZBX_TLSACCEPT=psk --env ZBX_PROXYMODE=0 \
        --env ZBX_SERVER_HOST=172.17.0.1 --restart unless-stopped \
        --env ZBX_HOSTNAME=student-XX-proxy zabbix/zabbix-proxy-sqlite3:alpine-6.0-latest

High Availability (30 minutes)

NATIVE HA SOLUTION

Zabbix offers a native HA solution:
- Easy to set up using the Zabbix documentation
- Does not require expertise in HA architecture
- Officially supported by Zabbix
- Uses the Zabbix database to check the node status
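For the PSK file created on the TLS EXAMPLE slide above (proxy.key, mounted into the container as ZBX_TLSPSKFILE): an added script, not part of the course material, that generates the key without openssl, checks the hex format and the 32 to 512 hex-digit length Zabbix accepts, and verifies the file is not group- or world-readable. The file name and directory layout are the slide's; the temporary directory used in the stand-alone run is this script's own.

```shell
#!/bin/sh
# Added example, not part of the Zabbix course material: create and sanity-check
# the PSK file the TLS EXAMPLE mounts into the proxy container. Zabbix expects
# the key as a hex string of 32 to 512 hex digits (128 to 2048 bits); with
# anything else the proxy refuses to start.

# gen_psk [HEX_DIGITS]: print a random PSK. 64 digits (256 bits) matches the
# slide's 'openssl rand -hex 32'; /dev/urandom is used so openssl is not required.
gen_psk() {
    digits=${1:-64}
    od -An -tx1 -N $(( (digits + 1) / 2 )) /dev/urandom | tr -d ' \n' | cut -c1-"$digits"
}

# validate_psk PSK: return 0 and describe the key if Zabbix would accept it,
# otherwise print the reason and return 1.
validate_psk() {
    psk=$1
    case $psk in
        '') echo "PSK is empty"; return 1 ;;
        *[!0-9a-fA-F]*) echo "PSK contains non-hex characters (whitespace counts)"; return 1 ;;
    esac
    len=${#psk}
    [ "$len" -ge 32 ] || { echo "PSK too short: $len hex digits, minimum is 32"; return 1; }
    [ "$len" -le 512 ] || { echo "PSK too long: $len hex digits, maximum is 512"; return 1; }
    echo "PSK ok: $len hex digits ($((len * 4)) bits)"
}

# validate_psk_file PATH: the first line of the file is the key (the trailing
# newline from 'openssl rand -hex' is fine); the file must be readable by its owner only.
validate_psk_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    mode=$(ls -l "$f" | cut -c5-10)          # group and other permission bits
    case $mode in
        ------) ;;
        *) echo "$f: readable by group/other (ls mode $mode); use chmod 600"; return 1 ;;
    esac
    validate_psk "$(head -n 1 "$f" | tr -d '[:space:]')"
}

# Stand-alone run: write a key into a temporary enc directory as the slide does.
dir=$(mktemp -d)
gen_psk > "$dir/proxy.key"
chmod 600 "$dir/proxy.key"
validate_psk_file "$dir/proxy.key"
rm -rf "$dir"
```

The same identity (p_psk) and key must be entered for this proxy on the Zabbix server side, otherwise the server rejects the proxy's connections.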