
I have a Zabbix server installed on Ubuntu 18.04 in the AWS cloud and have set up the domain & SSL.

The AWS server has an nginx web server running on ports 80 & 443, and apache2 is configured on port 7526. Only ports 80 & 443 are enabled in the AWS security group for security reasons, so apache2 is also not accessible from the outside world.

I have configured the Zabbix server in apache2 and have an nginx proxy to connect to the Zabbix server from the outside world. The Zabbix frontend works perfectly through this nginx proxy.

I have systems located in various places, so I decided to connect them to the Zabbix server via active checks. For active checks the Zabbix agent connects to the Zabbix server via port 10051 by default. I can't open a new port in the AWS firewall for security reasons.

How can I connect the Zabbix server and the Zabbix agent for active checks?

Note: for testing I enabled port 10051 in the AWS firewall and the Zabbix agent was able to connect to the server.

EDITED

Please see my zabbix_agentd.conf file with the configuration of the ServerActive parameter.

[screenshot of zabbix_agentd.conf]

As you can see, app.myoffice.com is now enabled and Zabbix tries to connect to the default port 10051, so it fails to connect to the server since only ports 80 & 443 are open in the firewall.

Can I set ServerActive=https://example.mydomain.com/zabbixserver/app like this? If yes, how?

Achuthan
  • How about verifying that Zabbix is really running on the port you mentioned, with `lsof -i :`? – djdomi May 29 '21 at 11:44
  • I confirmed that by enabling the port temporarily; see my note in the question. – Achuthan May 31 '21 at 03:56
  • But what's the issue then? You say `I confirm` but don't show details, so how should we help you if you don't tell us what service is running on which port? (See my first comment.) Not that you accidentally bound the port on IPv6 and are trying to access it via IPv4 or similar... You don't need to open extra ports; if you use NGINX as a reverse proxy for accessing any ports, you either use sub-domains or a virtual subfolder. – djdomi May 31 '21 at 04:23
  • I hope you are not understanding my question. All configs are working and the application is also working well when there is no firewall. If I turn ON the firewall then the front-end application is working, since I have set up the nginx proxy, but the hosts are unable to connect to the Zabbix server. – Achuthan May 31 '21 at 05:00
  • HOW do you connect to the stuff? Please EXPLAIN and show us configs etc.; how should we know HOW you work with YOUR environment?? :-) My glass ball is broken currently ;-) Usually you connect via localhost over an NGINX reverse proxy to anything and don't need to open any ports except 80/443. – djdomi May 31 '21 at 13:11
  • I have added an edit, can you check it @djdomi – Achuthan May 31 '21 at 17:19
  • You just paste images and do not answer my questions. – djdomi May 31 '21 at 19:31
  • I have added my config file here, I think that's what you asked for. What is your question then?? I asked my question here and there is no response to that question... – Achuthan Jun 01 '21 at 03:48

2 Answers


Neither the Zabbix server nor the Zabbix agent supports listening on ports lower than 1024.

The official documentation for the server and the agent clearly states the supported port range.

Server:

Parameter    Mandatory   Range        Default   Description
ListenPort   no          1024-32767   10051     Listen port for trapper.

Agent:

Parameter    Mandatory   Range        Default   Description
ListenPort   no          1024-32767   10050     Agent will listen on this port for connections from the server.

Also, ports lower than 1024 are privileged, so normal users are not allowed to run servers on them.
Additionally, ports 80 and 443 are reserved for HTTP and HTTPS respectively. The Zabbix agent uses its own, JSON-based protocol [source]. While technically possible, listening for two different protocols on the same port causes a lot of issues.

Your best, and possibly only, solution is to open traffic on ports 10050 and 10051.

  • I didn't say anything about the port here. Can I set ServerActive=https://mydomain.example.com/zabbixserver/app like this? If yes, how? – Achuthan Jun 07 '21 at 13:06
  • I don't really understand what you mean. What is `/zabbixserver` and what is `/app` in this URL? Is `mydomain.example.com/zabbixserver/app` your `zabbix-server` endpoint? –  Jun 07 '21 at 13:25
  • Yes. By default Zabbix connects to port 10051 of the server, but I want to connect it to this endpoint; I have already internally redirected this endpoint to port 10051, since I don't want to open traffic on ports 10050 & 10051. – Achuthan Jun 07 '21 at 16:00
  • Oh ok, I misunderstood you. Yes, you should be able to do this. I can't promise you it will work out of the box, as I never had to do something like this. Please add a comment on whether it worked or not. I will try to find a workaround if it didn't. –  Jun 07 '21 at 16:50
  • It didn't. When I try to add a URL like I mentioned above, the Zabbix agent does not start... – Achuthan Jun 08 '21 at 04:29
  • The Zabbix agent will connect to the Zabbix server directly, not to the frontend. The ServerActive option is to be used with an IP or a hostname, not a URL. You can either set ip:port or hostname:port as an argument, but nothing else. You can check the Zabbix agent configuration file manual here: https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_agentd – SBO Jul 21 '21 at 07:58
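The answer's point that the agent speaks Zabbix's own JSON-based framing rather than HTTP, and SBO's comment that ServerActive takes host:port rather than a URL, can be made concrete with a short script. This is an added example, not code from the answer or from the Zabbix project: the framing it builds (a "ZBXD" header, a flags byte, a little-endian length, four reserved bytes, then the JSON body) follows the published Zabbix header format, and the ServerActive grammar it accepts (comma-separated host or host:port, bracketed IPv6 literals, default port 10051) is this example's own reading of the agent manual, not the agent's actual parser.

```python
"""Zabbix agent/server framing and ServerActive syntax (added example).

Every Zabbix message on the wire is:
    "ZBXD" | flags (1 byte) | data length (4 bytes LE) | reserved (4 bytes) | JSON body
There is no request line, no Host header and no URL path, which is why an HTTP
reverse proxy location cannot forward it and why ServerActive is host:port, not a URL.
"""
import json
import struct

HEADER = b"ZBXD"
FLAG_ZABBIX = 0x01           # plain (uncompressed) Zabbix protocol
DEFAULT_ACTIVE_PORT = 10051  # server trapper port, per the answer's table


def frame(payload: dict) -> bytes:
    """Wrap a JSON object in the Zabbix header."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return HEADER + bytes([FLAG_ZABBIX]) + struct.pack("<II", len(body), 0) + body


def parse_frame(data: bytes) -> dict:
    """Unwrap one Zabbix message; raises ValueError on anything that is not one."""
    if len(data) < 13 or data[:4] != HEADER:
        raise ValueError("not a Zabbix frame (no ZBXD header)")
    if not data[4] & FLAG_ZABBIX:
        raise ValueError("unsupported protocol flags 0x%02x" % data[4])
    length, _reserved = struct.unpack("<II", data[5:13])
    body = data[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame: header says %d bytes, got %d" % (length, len(body)))
    return json.loads(body)


def parse_server_active(value: str, default_port: int = DEFAULT_ACTIVE_PORT):
    """Parse a ServerActive value into (host, port) pairs.

    Accepted shape (this example's reading of the agent manual, not the agent's
    own parser): a comma-separated list of host or host:port, with IPv6 literals
    in brackets. URLs are rejected up front; that is the case in which the real
    agent refuses to start, as the comments above describe.
    """
    if "://" in value or "/" in value:
        raise ValueError("ServerActive takes host[:port] entries, not a URL")
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty ServerActive entry")
        if item.startswith("["):                      # [2001:db8::1]:10051
            host, closed, rest = item[1:].partition("]")
            if not closed or (rest and not rest.startswith(":")):
                raise ValueError("malformed IPv6 literal: %r" % item)
            port_str = rest[1:]
        else:                                         # host or host:port
            host, _, port_str = item.partition(":")
        if not host:
            raise ValueError("missing host in %r" % item)
        port = int(port_str) if port_str else default_port
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % item)
        entries.append((host, port))
    return entries


if __name__ == "__main__":
    # Constructed sample: the first message an agent sends for active checks.
    msg = frame({"request": "active checks", "host": "web01"})
    print(msg[:13].hex(), parse_frame(msg))
    print(parse_server_active("zabbix.example.com, [2001:db8::1]:10051"))
    try:
        parse_server_active("https://example.mydomain.com/zabbixserver/app")
    except ValueError as exc:
        print("rejected:", exc)
```

The header bytes printed by the sample run are what a packet capture on port 10051 shows at the start of every agent connection; there is nothing an HTTP-path-based proxy rule could match on, which is the practical reason behind SBO's comment.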

I use haproxy to expose my services, together with generating service-specific TLS certificates (with SNI), and I love it since I then just connect to https://someservice.example.com/ and no longer care about what ports any of my services actually use.

For zabbix I think the following should be the minimum you need to configure:

frontend hafrontend
    bind *:443 ssl crt /etc/haproxy/certs_and_keys
    mode http
    default_backend zabbix_backend
    use_backend zabbix_backend if { ssl_fc_sni zabbix.example.com }

backend zabbix_backend
    mode http
    server zabbix_server 127.0.0.1:10051

although possibly with some more magic if you need to use a URL like https://example.mydomain.com/zabbixserver/app rather than just https://example.mydomain.com/ (the above is all I have learned about configuring haproxy, and it has been all I have ever needed).

Certificates are generated via a Makefile (file locations possibly CentOS specific):

# Root CA

example.com.key:
	openssl genrsa -out $@ 4096
	# sanity-check the key without dumping its private components into the build log
	openssl rsa -in $@ -noout -check

example.com.crt: example.com.key
	openssl req -new -x509 -days 7500 -key $^ -out $@ -subj '/C=XX/L=Example/CN=example.com'

# Only the certificate belongs in the system trust store; the CA private key must never be copied there.
/etc/pki/ca-trust/source/anchors/example.com.pem: example.com.crt
	cp $< $@
	update-ca-trust

# haproxy expects certificate followed by key in one PEM file.
/etc/haproxy/certs_and_keys/example.com.pem: example.com.crt example.com.key
	cat $^ > $@


# Host cert

zabbix.example.com.key:
	openssl genrsa -out $@ 4096
	openssl rsa -in $@ -noout -check

# -reqexts (not -extensions) is what puts the SAN section into a CSR.
zabbix.example.com.csr: zabbix.example.com.key
	bash -c "openssl req -new -key $^ -out $@ -reqexts san -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:zabbix.example.com') -subj '/C=XX/L=Example/CN=zabbix.example.com'"
	openssl req -in $@ -noout -text

# x509 -req does not copy extensions from the CSR, so the SAN is supplied again at signing time.
zabbix.example.com.crt: zabbix.example.com.csr example.com.crt example.com.key
	bash -c "openssl x509 -days 365 -req -in $< -out $@ -CA example.com.crt -CAkey example.com.key -CAcreateserial -extfile <(echo '[san]'; echo 'subjectAltName=DNS:zabbix.example.com') -extensions san"
	openssl x509 -in $@ -noout -text

/etc/haproxy/certs_and_keys/zabbix.example.com.pem: zabbix.example.com.crt zabbix.example.com.key
	cat $^ > $@

hlovdal
  • Did you actually try this? AFAIK the communication between Zabbix server and agent does not use HTTP and needs TCP directly. – Gerald Schneider Dec 11 '21 at 06:58
  • No, I have not tried it, and you are probably correct that the communication is based on pure TCP rather than HTTP. My answer was based on the premise that https://example.mydomain.com/zabbixserver/app was the target, but probably this is not possible. – hlovdal Dec 11 '21 at 19:19
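The haproxy answer routes by SNI in `mode http`, and the comments note that agent-to-server traffic is raw TCP rather than HTTP. What a proxy sharing port 443 would actually have to do is decide from the first bytes of each connection: a TLS record (HTTPS, or an agent configured for TLS), an HTTP request line, or Zabbix's plain "ZBXD" header; for TLS the only routing key available before decryption is the SNI name in the ClientHello. The script below is an added example, not code from the answer, haproxy or Zabbix: the hostnames and backend addresses in its routing table are hypothetical, the ClientHello it constructs for testing is a minimal one, and it assumes a TLS client that sends SNI; a TLS connection without SNI yields no route, which is the failure mode to expect if an agent's TLS handshake does not carry one (whether the Zabbix agent sends SNI is not established on this page).

```python
"""First-bytes demultiplexing on a shared port 443 (added example)."""
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

# Hypothetical routing table (names and backends are this example's own).
ROUTES = {
    "app.myoffice.com": ("127.0.0.1", 7526),      # web frontend behind the proxy
    "zabbix.example.com": ("127.0.0.1", 10051),   # Zabbix server trapper port
}


def classify(first_bytes: bytes) -> str:
    """Name the protocol from the opening bytes of a connection."""
    if first_bytes.startswith(b"ZBXD"):
        return "zabbix-plain"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"                                # TLS record header, handshake type
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:
            return None
        (rec_len,) = struct.unpack(">H", data[3:5])
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        p = 4 + 2 + 32                              # hs type+len, client_version, random
        p += 1 + hs[p]                              # session_id
        p += 2 + struct.unpack(">H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                              # compression_methods
        if p + 2 > len(hs):
            return None                             # no extensions block at all
        (ext_len,) = struct.unpack(">H", hs[p:p + 2])
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            p += 4
            edata = hs[p:p + elen]
            p += elen
            if etype == 0x0000:                     # server_name extension
                q = 2                               # skip server_name_list length
                while q + 3 <= len(edata):
                    ntype = edata[q]
                    (nlen,) = struct.unpack(">H", edata[q + 1:q + 3])
                    q += 3
                    if ntype == 0:                  # host_name entry
                        return edata[q:q + nlen].decode("ascii")
                    q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(first_bytes: bytes):
    """Pick a backend, or None when the bytes give no safe routing key."""
    kind = classify(first_bytes)
    if kind == "zabbix-plain":
        return ROUTES["zabbix.example.com"]
    if kind == "http":
        return ROUTES["app.myoffice.com"]
    if kind == "tls":
        return ROUTES.get(extract_sni(first_bytes))  # None without a known SNI
    return None


def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello (zero random, one suite) for testing."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name
        sni_data = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", 0x0000, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: one of each kind a shared listener on 443 might see.
    for sample in (build_client_hello("zabbix.example.com"), build_client_hello(None),
                   b"ZBXD\x01\x07\x00\x00\x00\x00\x00\x00\x00{\"a\":1}", b"GET / HTTP/1.1\r\n"):
        print(classify(sample), extract_sni(sample), route(sample))
```

This is the decision haproxy makes with `mode tcp` plus an SNI fetch, and the point of writing it out is the gap it exposes: nothing here can act on a URL path like /zabbixserver/app, because a path only exists inside HTTP after the TLS layer has been terminated, while the Zabbix bytes never contain one.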