Securing your Zabbix 6.4 server with HTTP auth
Once you have installed Zabbix 6.4, whether you followed the instructions in Installing and setting up Zabbix 6.4 with OpenResty or found them somewhere else on the web, you will have a working copy of Zabbix that you can access from anywhere.
The problem is that so can everyone else. There are a lot of bots on the web that are looking to gain access to servers so that they can take them over for their own purposes.
One way of helping to limit the chance of this happening is to use strong passwords. Another way would be to create a new account under a different name, set it up as an admin account and disable the default admin account. Again, make sure to use strong passwords.
Yet another way of protecting your Zabbix 6.4 installation is to use HTTP auth. With this in place, a dialog box asking for a username and password appears whenever you visit the site.
Unlike the Zabbix login screen, this prompt comes from the web server itself, and the server should not respond to any other requests until a valid username and password have been entered.
Setting up HTTP auth
The first thing we need to do is install the package that provides the htpasswd tool. This can be done with a simple sudo apt install apache2-utils command.
Now we need to store the credentials somewhere safe so that the server knows which ones are valid.
Presuming you have followed my earlier post, Installing and setting up Zabbix 6.4 with OpenResty, you can add the Admin account using the following command:
htpasswd -c /usr/local/openresty/nginx/.htpasswd Admin
You will be asked for a password. Once entered you will be asked to repeat it to make sure you entered it correctly. This sets up the credentials for the Admin account.
If you then want to set up another set of credentials, run the following command (where [username] is the username of the Zabbix account you are adding credentials for):
htpasswd /usr/local/openresty/nginx/.htpasswd [username]
Update the server block
To make OpenResty / NGINX ask for the credentials, open the server block configuration file, which can be found in /usr/local/openresty/nginx/sites, and find the section that reads as below:
location / {
    try_files $uri $uri/ =404;
}
and update it to look like this:
location / {
    auth_basic "Admin Area";
    auth_basic_user_file /usr/local/openresty/nginx/.htpasswd;
    try_files $uri $uri/ =404;
}
then restart OpenResty with sudo systemctl restart openresty.
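One thing to check after editing: NGINX inherits auth_basic and auth_basic_user_file from the enclosing server or http block, never from a sibling location, so any other location block in the same server (for example a separate PHP handler block, which a Zabbix front end normally has) would answer requests without the prompt unless it gets the directives too or they are moved up to server level. The following is an added example, not code from the original post: a small Python check over a constructed server block (the PHP handler block and its socket path are assumptions) that lists the location blocks that would answer without credentials, alongside the corrected form with the two directives at server level.

```python
# Constructed sample modelled on the post's server block, plus the PHP handler
# block a Zabbix front end needs (the fastcgi socket path is an assumption).
SAMPLE = r"""
server {
    location / {
        auth_basic "Admin Area";
        auth_basic_user_file /usr/local/openresty/nginx/.htpasswd;
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
}
"""

# Same server block with the two directives moved up to server level, where
# every location (including the PHP handler) inherits them.
CORRECTED = SAMPLE.replace("server {", 'server {\n    auth_basic "Admin Area";'
                           '\n    auth_basic_user_file /usr/local/openresty/nginx/.htpasswd;')

def find_unprotected_locations(config):
    """Return the header of every location block that would answer requests
    without a valid Authorization header. Mirrors nginx inheritance: a block
    takes auth_basic/auth_basic_user_file from its enclosing block, never
    from a sibling location. Assumes one directive per line and a block's
    opening brace at the end of its header line (hand-written config style)."""
    stack = [["", False, False]]  # [header, auth_on, has_user_file] per open block
    found = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            # a new block starts with its parent's effective settings
            stack.append([line[:-1].strip(), stack[-1][1], stack[-1][2]])
        elif line == "}":
            header, auth_on, has_file = stack.pop()
            if header.startswith("location") and not (auth_on and has_file):
                found.append(header)
        elif line.startswith("auth_basic_user_file "):
            stack[-1][2] = True
        elif line.startswith("auth_basic "):
            value = line[len("auth_basic "):].rstrip(";").strip().strip('"')
            stack[-1][1] = value != "off"  # "auth_basic off;" disables it here
    return found
```

Running find_unprotected_locations(SAMPLE) reports the PHP handler block, while the CORRECTED block reports nothing.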
Configure Zabbix 6.4
If you are happy entering the account credentials once to get past the HTTP auth request and then again to log in to Zabbix, you can stop here.
However, if you would prefer to enter the credentials only once, we need to do a little bit of configuration inside Zabbix. Zabbix can accept the username the web server has already authenticated and log that Zabbix user in directly, which is why the usernames in the .htpasswd file need to match Zabbix account names.
Once you have logged in to the Zabbix frontend, click on Users in the menu on the left, then on Authentication, and finally on HTTP settings at the top of the screen.
Now make sure there is a tick next to Enable HTTP authentication and change the Default login form option to HTTP login form.
Click on Update and your changes should be saved.
Now, if you close your browser, open a new one and visit your Zabbix site, you will only be asked to enter your account credentials once (at the HTTP auth stage).
