Installing and setting up Zabbix 6.4 with OpenResty
published on
Before we get started just remember that this tutorial is aimed at installing Zabbix 6.4. If you are trying to install an earlier version for some reason then feel free to see Monitoring your servers with Zabbix 6 instead.
Installing PHP 8.2
The first thing we are going to do is to install PHP 8.2. For the purposes of Zabbix run the following three commands:
sudo add-apt-repository ppa:ondrej/nginx
sudo apt-get update
sudo apt install openssl php8.2-{common,cli,bz2,zip,curl,intl,mysql,snmp,memcached,imagick,gd,imap,ldap,soap,tidy,xml,gd,gmp,pspell,mbstring,opcache,fpm,ssh2,imap,redis,apcu,mcrypt,bcmath}
Now configure PHP 8.2
We need to make some changes to the /etc/php/8.2/fpm/php.ini file (see below). Make sure to add your own timezone if it is different to the one I have used.
output_buffering = Offexpose_php = offmax_execution_time = 300max_input_time = 300max_input_vars = 1000memory_limit = 512Mpost_max_size = 16Mupload_max_filesize = 2Mallow_url_fopen = Offdate.timezone = Europe/Londonopcache.enable=1opcache.memory_consumption=128opcache.max_accelerated_files=10000opcache.revalidate_freq=200opcache.save_comments=1
Once these changes have been made run sudo systemctl restart php8.2-fpm to put them into effect.
Now lets install OpenResty
First run the following two commands:
cd ~
sudo apt install wget gnupg ca-certificates
We now need to install the certificates. I asume you are using Ubuntu 22 or higher.
First run wget -O - https://openresty.org/package/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/openresty.gpg.
If you are using an x64 processor (if you aren't sure use this command) then run this command:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list > /dev/null
If you are using an arm processor then use this command
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/arm64/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list > /dev/null
Once you have done this you can now install OpenResty using the following commands
sudo apt update
sudo apt install openresty openresty-resty openresty-restydoc openresty-opm openresty-zlib openresty-pcre luarocks
sudo systemctl enable openresty
sudo systemctl start openresty
Inital OpenResty configuration
I set up my OpenResty installations in a consistent way and so I will first create a new nginx.conf file with the following commands
sudo mv /usr/local/openresty/nginx/conf/nginx.{conf,original}
sudo nano /usr/local/openresty/nginx/conf/nginx.confI then add the following content to the file before saving and returning to the command line
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /usr/local/openresty/nginx/logs/nginx.pid;
events {
worker_connections 4096;
use epoll;
epoll_events 512;
multi_accept on;
}
http {
server_tokens off;
# change my_server to whatever text you wish to use
# this can also go in the server block if you wish to change this per site
#more_set_headers "Server: my_server";
include mime.types;
default_type application/octet-stream;
charset utf-8;
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/openresty/access.log combined;
error_log /var/log/openresty/error.log warn;
client_body_buffer_size 16K;
client_header_buffer_size 1m;
client_max_body_size 8m;
large_client_header_buffers 4 8k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";
reset_timedout_connection on;
keepalive_timeout 20s;
keepalive_requests 30;
client_header_timeout 10;
client_body_timeout 10;
send_timeout 10s;
# aio on;
directio 4m;
directio_alignment 512;
open_file_cache max=1000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
include ../sites/*;
}
I continue configuring OpenResty with the following commands
sudo mkdir /usr/local/openresty/nginx/sites
sudo mkdir /var/log/openresty
sudo echo 'fastcgi_param HTTP_PROXY "";' | sudo tee -a /usr/local/openresty/nginx/conf/fastcgi.conf
sudo echo 'fastcgi_param HTTP_PROXY "";' | sudo tee -a /usr/local/openresty/nginx/conf/fastcgi_params
sudo nano /usr/local/openresty/nginx/sites/default.conf
and then add the following in the open editor window
server {
# Listen on port 80.
listen 80 default_server;
listen [::]:80 default_server;
# The document root.
root /usr/local/openresty/nginx/html/default;
# Add index.php if you are using PHP.
index index.html index.htm;
# The server name, which isn't relevant in this case, because we only have one.
server_name _;
# When we try to access this site...
location / {
# ... first attempt to serve request as file, then as a directory,
# then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# Redirect server error pages to the static page /50x.html.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/openresty/nginx/html;
}
}Once done I will finish the inital OpenResty configuration with the following commands
sudo mkdir /usr/local/openresty/nginx/html/default sudo mv /usr/local/openresty/nginx/html/index.html /usr/local/openresty/nginx/html/default
sudo systemctl restart openresty
Now we install MariaDB
I will install MariaDB for the Zabbix datatbase using the following commands
sudo apt-get install curl software-properties-common dirmngr ca-certificates apt-transport-https
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.5
sudo apt install mariadb-server mariadb-client
sudo systemctl enable mariadb
sudo mysql_secure_installation
I then create the database that Zabbix will need by running sudo mysql -u root -p and entering the following commands at the MariaDB prompt (make sure to add your own strong password)
create database zabbix character set utf8mb4 collate utf8mb4_bin;
create user zabbix@localhost identified by 'password';
grant all privileges on zabbix.* to zabbix@localhost;
set global log_bin_trust_function_creators = 1;
FLUSH PRIVILEGES;
exit
Next I run sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf and make sure the below commands are present and uncommented
bind-address = 127.0.0.1
local-infile = 0
Finally I restart MariaDB with sudo systemctl restart mariadb.
Now it is time to install the Zabbix 6.4 server
Run the following commands. Be aware that the last one may take a while to complete.
cd ~
wget https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_6.4-1%2Bubuntu$(lsb_release -sr)_all.deb
sudo dpkg -i zabbix-release_6.4-1*.deb
sudo apt update
sudo apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts
zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uzabbix -p zabbix
Next, we need to configure a couple more things.
The first being in MariaDB so run sudo mysql -uroot -p and enter the following commands
set global log_bin_trust_function_creators = 0;
exit
Now edit the /etc/zabbix/zabbix_server.conf file, find the DBPassword line and add the password to your Zabbix database.
Install and confgure the Zabbix agent
The Zabbix agent can be installed by running sudo apt install zabbix-agent2. The agent is what actually gets the data and passes it to the server for storing and display (in the fronteend).
On this occasion the agent configuration file should already contain a hostname of Zabbix server so you shouldn't need to do anything else here.
This would need changing on any other server you install the agent on but that is a different tutorial.
Enable the configuration you have made so far
The following two commands will restart PHP, OpenResty, the Zabbix server and the Zabbix agent (and make sure they start when the server is rebooted)
sudo systemctl restart php8.2-fpm zabbix-server zabbix-agent2 openresty
sudo systemctl enable zabbix-server zabbix-agent2 openresty
I would also make sure that your firewall allows access to ports 80, 443, 10050 and 10051.
If you want to recieve email notifications it will be necessary to open port 465 or 587 also.
Now set up the NGinx Zabbix server block
To do this run sudo nano /usr/local/openresty/nginx/sites/zabbix.conf and add the following commands (making sure to update the server_name directive)
server {
listen 80;
# listen [::]:80;
# server_name example.com;
root /usr/share/zabbix;
index index.php;
location = /favicon.ico {
log_not_found off;
}
location / {
try_files $uri $uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location /vendor {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}Now lets reload OpenResty to activate this server block by running sudo systemctl reload openresty.
Obtain a TLS certifcate
Run the following commands to obtain a TLS certificate so your site runs over HTTPS
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --webroot -w /usr/share/zabbix -d [domain]
Now update the server block by running sudo nano /usr/local/openresty/nginx/sites/zabbix.conf, deleting the current contents and adding the following commands (making sure to update the server_name and certificate lines)
server {
listen 80;
# listen [::]:80;
server_name [domain_goes_here];
# Allow access to the ACME Challenge for Let's Encrypt <- <3
location ~ /\.well-known\/acme-challenge {
allow all;
}
return 301 https://[domain_goes_here]$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name [domain_goes_here];
root /usr/share/zabbix;
index index.php;
access_log /var/log/openresty/access.log combined;
error_log /var/log/openresty/error.log warn;
ssl_certificate /etc/letsencrypt/live/[domain_goes_here]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[domain_goes_here]/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
location = /favicon.ico {
log_not_found off;
}
location / {
try_files $uri $uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /\.ht {
deny all;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
location /vendor {
deny all;
return 404;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}Finally, reload OpenResty (sudo systemctl reload openresty) to activate the changes.
Finishing setup
The last step to complete the intial installation and configuration of Zabbix is now to visit https://[server hostname]/setup.php in your browser and answer all the questions.
Once you have completed this you can login using the following credentials
User : Admin
Password: zabbix
Now that you are logged in it is recccomended to change the Admin user password.
To do this click on the Users menu on the left then on the Users option displayed. Now click on the Admin username, then on Change password.
Complete the steps and you should have made your new Zabbix 6.4 installation a bit more secure.