Installing Zabbix 1.8.19 From Source on Debian Wheezy with PHP Frontend and HTTPS (LAMP Stack)

We have a Zabbix v1.8.X (with MySQL) server hosted on a Debian Squeeze VM. This VM is being migrated to Debian Wheezy, and therefore requires Zabbix to be moved as well.

However, due to security related issues Zabbix packages were removed from Wheezy. Check this article to get more information if interested.

So, what we are going to do is to install Zabbix 1.8.19 from source, and restore the database backup we have created on a Squeeze VM.

The plan is as below:

  1. Install pre-required software.
  2. Restore Zabbix 1.8 database from a backup.
  3. Download, configure and compile Zabbix 1.8.19 source code.
  4. Create directories, copy and modify configuration files.
  5. Install Apache and PHP for Zabbix web interface.
  6. Generate and install a self-signed SSL certificate for secure HTTPS browsing.
  7. Configure Apache and PHP settings.

Install Pre-required Software

The Debian version we’ll be working with today:

# uname -rv
3.2.0-4-686-pae #1 SMP Debian 3.2.51-1

Update package list:

# apt-get update

C compiler, make, libcurl and snmp libraries:

# apt-get install wget gcc make libcurl4-gnutls-dev libsnmp-dev libnet-snmp-perl

MySQL database and its libraries:

# apt-get install mysql-server libmysqld-dev libmysqlclient-dev

Create Zabbix MySQL User and Restore Zabbix Database From a Backup

Login to MySQL server as root and create a new zabbix database. Create a new MySQL user for zabbix called “zbuser” and grant all privileges on zabbix database.

# mysql -uroot -p
mysql> CREATE DATABASE zabbix;
mysql> GRANT ALL PRIVILEGES ON zabbix.* TO "zbuser"@"localhost" IDENTIFIED BY "zbpass";
mysql> FLUSH PRIVILEGES;
mysql> SHOW grants FOR 'zbuser'@'localhost';
+------------------------------------------------------------------------------+
| Grants for [email protected]                                                  |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'zbuser'@'localhost' IDENTIFIED BY PASSWORD '*1[...]A' |
| GRANT ALL PRIVILEGES ON `zabbix`.* TO 'zbuser'@'localhost'                   |
+------------------------------------------------------------------------------+
2 rows in set (0.03 sec)

mysql> quit;

Restore the database from a backup file:

# mysql -uzbuser -p zabbix < zabbix_backup.sql

Configure and Compile the Source Code

Download the source code:

# cd ~
# wget http://netcologne.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/1.8.19/zabbix-1.8.19.tar.gz

Extract the archive file:

# tar xvfz zabbix-1.8.19.tar.gz

Change into extracted directory and configure:

# cd zabbix-1.8.19
# ./configure --enable-server --enable-agent --with-mysql --with-net-snmp \
 --with-libcurl --with-ldap --enable-ipv6

Make and install everything:

# make install

Create and Modify Configuration Files and Directories

Create zabbix user:

# useradd -d /var/run/zabbix -s /bin/false zabbix

Create a folder to store configuration files:

# mkdir /etc/zabbix

Also create a folder to keep pid files:

# mkdir /var/run/zabbix
# chown zabbix:zabbix /var/run/zabbix

Checking where we are:

# pwd 
/root/zabbix-1.8.19

Copy default configuration templates for server and agent:

# cp ./misc/conf/zabbix_agentd.conf /etc/zabbix/ 
# cp ./misc/conf/zabbix_server.conf /etc/zabbix/

Remove world permissions as the server config file will contain MySQL password:

# chmod 0750 /etc/zabbix/zabbix_server.conf

Create directories to keep logs:

# mkdir /var/log/zabbix-agent /var/log/zabbix-server 
# chown zabbix:zabbix /var/log/zabbix-agent /var/log/zabbix-server

Server configuration file should look as below:

# cat /etc/zabbix/zabbix_server.conf 
ListenPort=10051
ListenIP=0.0.0.0
LogFile=/var/log/zabbix-server/zabbix_server.log 
DebugLevel=2
PidFile=/var/run/zabbix/zabbix_server.pid 
DBHost=localhost 
DBName=zabbix 
DBUser=zbuser 
DBPassword=zbpass
DBPort=3306 
HousekeepingFrequency=24
DisableHousekeeping=0 
Timeout=3

Agent configuration file should look as below:

# cat /etc/zabbix/zabbix_agent.conf
ListenPort=10050
ListenIP=0.0.0.0
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix-agent/zabbix_agentd.log
LogFileSize=0
Server=127.0.0.1,localhost

Copy init scripts:

# cp ./misc/init.d/debian/zabbix-server /etc/init.d/
# cp ./misc/init.d/debian/zabbix-agent /etc/init.d/

Change the default PID file for server. Open /etc/init.d/zabbix-server and make changes as below:

#PID=/tmp/$NAME.pid
PID=/var/run/zabbix/$NAME.pid
DIR=/var/run/zabbix

# add this to ensure the folder is created
if [ ! -d "$DIR" ]; then
        mkdir /var/run/zabbix
        chown zabbix:zabbix /var/run/zabbix
fi

Now change the default PID file for agent. Open /etc/init.d/zabbix-agent and make changes as below:

#PID=/tmp/$NAME.pid
PID=/var/run/zabbix/$NAME.pid
DIR=/var/run/zabbix

# add this to ensure the folder is created
if [ ! -d "$DIR" ]; then
        mkdir /var/run/zabbix
        chown zabbix:zabbix /var/run/zabbix
fi

Start Zabbix Server and Agent

Start server daemon:

# service zabbix-server start
Starting Zabbix server daemon: zabbix_server

Start agent daemon:

# service zabbix-agent start
Starting Zabbix agent daemon: zabbix_agentd

Check that both daemons are running:

# netstat -nltp | grep zabbix
tcp        0      0 0.0.0.0:10050     0.0.0.0:*   LISTEN  31813/zabbix_agentd
tcp        0      0 0.0.0.0:10051     0.0.0.0:*   LISTEN  31760/zabbix_server

Install Zabbix WEB Interface

We’ll need a php capable webserver for this:

# apt-get install apache2 php5 libapache2-mod-php5 php5-mysql php5-gd openssl ssl-cert

Get rid of annoying “could not reliably determine the server’s fully qualified domain name” warning:

# echo "ServerName localhost" >> /etc/apache2/apache2.conf

Create a subdirectory for Zabbix virtual host:

# mkdir /var/www/zabbix

Copy php frontend files:

# cd /root/zabbix-1.8.19/frontends/php
# cp -a ./ /var/www/zabbix

Change permissions:

# chown -R root:root /var/www/zabbix

Generate and Install a Self-Signed SSL Certificate

We want to push everything through a secure TLS/SSL connection.

# mkdir /etc/ssl/webserver && cd /etc/ssl/webserver

Generate a self-signed certificate:

# openssl req -new -x509 -days 1825 -sha256 -nodes -out ./server.crt \
-keyout ./server.key

Make the private key readable by the root user only:

# chmod 0600 ./server.key

Configure Apache to Use the Certificate

Open /etc/apache2/sites-available/default-ssl and change the lines below:

SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem 
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to the following:

SSLCertificateFile    /etc/ssl/webserver/server.crt 
SSLCertificateKeyFile /etc/ssl/webserver/server.key

Enable Apache TLS/SSL Support

When we talk about SSL, we actually refer to TLS. SSL is an older version of cryptographic protocols for encrypting data across the internet.

# a2enmod ssl 
# a2ensite default-ssl
# service apache2 restart

Enable Apache Rewrite Module

We’ll force all requests coming to a standard HTTP port 80 to be forwarded to a secure HTTPS 443 port:

# a2enmod rewrite

Open:

# vim /etc/apache2/sites-available/default

And add the following lines in red:

<VirtualHost *:80>
        ServerAdmin [email protected]

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
[...]

Restart Apache:

# service apache2 restart

Some Information Disclosure Related Apache Tuning

Hide apache version and signature from being shown online. Open /etc/apache2/conf.d/security and change the following parameters:

ServerSignature off
ServerTokens prod

Reload apache to pick up configuration changes:

# service apache2 reload

Configure PHP Settings

Create non world-writeable directories for temporary HTTP uploaded files as well as php session:

# mkdir -p -m 0750 /var/www/php_dir/temp
# mkdir -p -m 0750 /var/www/php_dir/session
# chown -R www-data:www-data /var/www/php_dir

Open /etc/php5/apache2/php.ini and modify the following settings as per below:

open_basedir = Off
expose_php = Off
max_execution_time = 600
max_input_time = 600
memory_limit = 256M
display_errors = Off
display_startup_errors = Off
register_globals = Off
post_max_size = 32M
magic_quotes_gpc = Off
upload_tmp_dir = "/var/www/php_dir/temp"
upload_max_filesize = 16M
max_file_uploads = 5
allow_url_fopen = Off
allow_url_include = Off
date.timezone = "Europe/London"
session.save_path = "/var/www/php_dir/session"
# service apache2 reload

Now we need to point a web browser to https://localhost/zabbix and finish the installation. Checklist should look as below:

zabbix-18-checklistWe will need to copy the zabbix.conf.php file to the /var/www/zabbix/conf/ directory as the webserver does not have write access to it. Once finished the installation, we can log in by using an existing web account.

Configure Iptables

# iptables -A INPUT -p tcp -m multiport --dport 80,443,10051 -j ACCEPT

Related Posts

Upgrade Zabbix 1.8 to 2.2 on Ubuntu

SNMP on Mikrotik RB751G-2HnD Router

2 thoughts on “Installing Zabbix 1.8.19 From Source on Debian Wheezy with PHP Frontend and HTTPS (LAMP Stack)

  1. Hi Tomas. I found your post very usefull so I’d like to start with a huge TANK YOU! I’m new to Zabbix and I’d like to replace self-signed cert for one of my own as we host our own internal Enterprise CA/PKI infrastructure. Would you please guide me in the steps to perform for this? Once again, thank you so much.

    • Hi Fernando, thanks, I’m glad you found this post useful.

      As for replacing a self-signed certificate, it depends on where your current certificates are stored. In simple words, just replace old certificates with new ones using the same naming, reload all relevant services which use those certificates and you are all set.

Leave a Reply

Your email address will not be published. Required fields are marked *