zabbix3.0 配置加密连接

个人学习笔记，谢绝转载！！！

原文：https://www.cnblogs.com/wshenjin/p/12884622.html

---

pre-shared keys加密

生成PSK string

openssl rand -hex 32 > ssl/zabbix_agentd.psk
chown zabbix:zabbix ssl/zabbix_agentd.psk 

配置agentd

 TLSConnect=psk
 TLSAccept=psk
 TLSPSKFile=/etc/zabbix/ssl/zabbix_agentd.psk
 TLSPSKIdentity=zab_psk_agent  #PSK identity

配置web

zabbix_get用法:

 zabbix_get \
    -s 192.168.31.129\
    -p 32050 -k"system.cpu.load[all,avg1]"\
    --tls-connect=psk\
    --tls-psk-identity="zab_psk_agent"\
    --tls-psk-file=/etc/zabbix/ssl/zabbix_agentd.psk

证书加密

证书需要用同一个CA签署的，过程参考：https://www.cnblogs.com/wshenjin/p/12519455.html
配置agentd

TLSConnect=cert
TLSAccept=cert
TLSCAFile=/etc/zabbix/ssl/cacert.pem
TLSCertFile=/etc/zabbix/ssl/zabbix_agentd.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix_agentd.key

配置server

TLSCAFile=/etc/zabbix/ssl/cacert.pem
TLSCertFile=/etc/zabbix/ssl/zabbix_server.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix_server.key

配置web

逆序查看证书中的subject等信息：

# openssl x509 -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in zabbix_agentd.crt 
issuer= emailAddress=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
subject= emailAddress=root@zabbix.com,CN=zabbix agentd,OU=zabbix agentd,O=linux company,ST=GuangDong,C=CN
# openssl x509 -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in zabbix_server.crt 
issuer= emailAddress=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
subject= emailAddress=root@zabbix.com,CN=zabbix server,OU=zabbix server,O=linux company,ST=GuangDong,C=CN

效果

参考

https://www.zabbix.com/documentation/3.4/zh/manual/encryption/using_certificates
https://blog.csdn.net/clm_sky/article/details/90574779