Zabbix Proxy Using Stunnel

  • randd0
    Junior Member
    • May 2015
    • 10

    #1

    I've got a new Zabbix environment set up, and so far it's doing everything I need. I'm monitoring a remote environment using a proxy server. That part is working fine. However, I would like to take the next step and use stunnel to encrypt the traffic as it's traveling over the internet. I have googled far and wide and I have not found a comprehensive guide for accomplishing this task. There was one guide that was referenced but is no longer available. Even the stunnel documentation is very lackluster. Please someone point me in the direction of a guide that explains setting up stunnel between a server and proxy. I feel that I'm close but I'm losing a little steam. Both server and proxy are running CentOS. Thank you in advance.
  • randd0
    Junior Member
    • May 2015
    • 10

    #2
    I was able to pull up the aforementioned guide using an internet archive

    (http://web.archive.org/web/201401270...ations-stunnel)


    I have stunnel running on both my server and my proxy. However, I cannot get my agent on the proxy side to successfully connect back to the server. I think it's something as simple as the ports that I'm listening on and forwarding to. I have seen this board is littered with this same type of question with very few concrete answers in return. I believe this is a critical component that is not documented well from the stunnel or Zabbix side. Someone who is knowledgeable in this area giving an example would probably save a lot of trouble, or Zabbix including some type of encryption in their agent/server or proxy/server communication.

    • timbo
      Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Sep 2013
      • 50

      #3
      Hi there,

      Forgive me for not answering your question specifically, but I may have an alternate solution for you.

      Are you aware that an official encryption implementation for Zabbix is currently under development? I believe it will be released in version 2.5.

      I even heard that it was available now for testing/feedback, but I just downloaded the 2.5 source to check myself and cannot see any reference to encryption...? Perhaps someone else can shed light on this.

      Anyway, check out the "Feature Request" and "Spec" on the roadmap (TLS and PSK encryption between Zabbix components):


      The Developers were commenting on their progress as recently as yesterday in the Feature Request:


      So if you can hold out a little longer, perhaps this will solve your problem.

      Hope this helps.

      -Timbo

      • randd0
        Junior Member
        • May 2015
        • 10

        #4
        Timbo, thanks for the info, it's a good thing they are building some encryption into this product. In the interim, as I wait for that feature, I feel like I'm very close to getting stunnel working for me. I have a Zabbix server in our datacenter and a proxy server in an operating center. I want the Zabbix agents in the operating center to connect to the proxy and that connection to be forwarded over to the server. That part works fine natively. The confusing part for me is inserting stunnel into the mix.

        I have stunnel configured and working on both the server and proxy. I can telnet from the proxy to the server on the forwarded port and I see the stunnel connection open up. I don't need the agents to talk to the proxy over stunnel, just the connection from the proxy across the WAN to the server needs to be encrypted. The stunnel config on my proxy (client side) has this:

        [zabbix]
        accept = 10051
        connect = zabbix.example.com:10055

        The server has this:

        [zabbix]
        accept = 10055
        connect = 10051

        My confusion is that on the Zabbix agent side connecting to the proxy it's set to connect to the default port of 10051. But stunnel and Zabbix cannot listen on the same port on the proxy server, so that communication is basically forwarded from the proxy to the server without ever reaching the Zabbix application within the proxy. I know this sounds confusing as I think I've spun myself around in a circle so much I don't know which way is up. Please help.

        Comment
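
Added example, not part of any post in this thread: one port layout that avoids the collision described in #4 by giving stunnel on the proxy host its own loopback port and pointing the proxy's upstream connection at it. It assumes an active-mode proxy and a Zabbix version whose `zabbix_proxy.conf` has the `ServerPort` parameter; the certificate paths and the choice of 10055 as the local port on the proxy host are placeholders.

```ini
; ---- Proxy host: stunnel.conf (TLS client side) ----
client = yes
; Authenticate the server certificate. Without this the link is encrypted,
; but the proxy will send its data to whoever answers on port 10055.
verify = 2
; Placeholder path: CA that signed the server-side certificate.
CAfile = /etc/stunnel/ca.pem

[zabbix]
; Loopback only, and not 10051: zabbix_proxy itself listens on 10051
; for the local agents, so stunnel must use a different port.
accept = 127.0.0.1:10055
connect = zabbix.example.com:10055

# ---- Proxy host: zabbix_proxy.conf ----
# Send upstream traffic to the local stunnel endpoint, not the WAN address.
Server=127.0.0.1
ServerPort=10055
# ListenPort is left at its default (10051) so agents need no change.

; ---- Server host: stunnel.conf (TLS server side) ----
; Placeholder paths for the server certificate and private key.
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key

[zabbix]
; TLS arrives from the WAN on 10055 and is handed, decrypted,
; to zabbix_server on its normal local port.
accept = 10055
connect = 127.0.0.1:10051
```

With this layout only TCP 10055 on the server has to be reachable from the proxy's address; 10051 on the server can be closed to the WAN so no cleartext path remains.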

        • randd0
          Junior Member
          • May 2015
          • 10

          #5
          I fixed my issue. I'm going to write a comprehensive guide and come back and post it here for everyone. SELinux being enabled on CentOS was my issue all along!!!

          • timbo
            Member
            Zabbix Certified Specialist, Zabbix Certified Professional
            • Sep 2013
            • 50

            #6
            That's awesome, good to hear you solved the problem. It's always so frustrating while you're working on it, but so satisfying when you work it out!

            I would love to see a comprehensive guide for Zabbix over Stunnel (so would a lot of other people). So please post back here if you manage to put one together.

            -Timbo

            • WillemR
              Member
              • Oct 2015
              • 30

              #7
              Hello,

              I have written an up-to-date guide that you can use for implementing Zabbix with Zabbix securely, using Stunnel.

              The Design:


              The three-part blog post:



              If you have any comments, please let me know and I'll try to implement them in the guide.

              • randd0
                Junior Member
                • May 2015
                • 10

                #8
                I wanted to provide an update on stunnel and Zabbix. I've had trouble for quite a while with the queue getting very backed up. The proxy busy data sender process was always high. It turns out the extra overhead added by stunnel caused me problems between the Zabbix server and proxy separated over the internet. I switched to running the proxy over a site-to-site VPN between firewalls, and the problem has gone away. This may not happen for everyone, but it definitely caused issues for me.
