Deployment Overview of Zabbix server on Server¶

Prerequisites and Basic Requirements¶

The deployment requires a server running Ubuntu 22.04. The installation process assumes the following conditions are met:

Operating System: Ubuntu 22.04
Privileges: Root access or sudo privileges are required to install packages and manage services.
Locale: The en_US.UTF-8 locale must be generated and available on the system.
Network: The server must be reachable for DNS record updates (A record) and web access.
Ports:
- Port 8080: Used by the Apache web server for the Zabbix frontend.
- Port 80 and 443: Used by the Nginx reverse proxy for SSL termination and HTTP redirection.

File and Directory Structure¶

The application and its components utilize the following directory structure on the server:

/etc/zabbix/: Contains the main Zabbix server configuration file (zabbix_server.conf).
/etc/apache2/: Contains Apache web server configurations, including ports.conf.
/usr/share/zabbix-sql-scripts/: Stores the SQL scripts required for database initialization.
/root/nginx/: Contains the Docker Compose configuration for the Nginx proxy.
/data/nginx/: Stores Nginx user configurations and environment variables.
/etc/letsencrypt/: Mount point for SSL certificates managed by Certbot.

Application Installation Process¶

The Zabbix server is installed using the official Zabbix repository for Ubuntu 22.04. The process involves downloading the repository package, installing dependencies, and configuring the database.

Repository Setup: The zabbix-release package is downloaded from https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest+ubuntu22.04_all.deb and installed.
Package Installation: The following packages are installed via apt:
- zabbix-server-mysql
- zabbix-frontend-php
- zabbix-apache-conf
- zabbix-sql-scripts
- zabbix-agent
- python3-mysqldb
- mariadb-server
- locales
Database Initialization:
- The mariadb service is enabled and started.
- Anonymous users and the test database are removed for security.
- A database named zabbix is created with utf8mb4 character set.
- A database user named zabbix is created with full privileges on the zabbix database.
- The initial schema is imported from /usr/share/zabbix-sql-scripts/mysql/server.sql.gz.
Configuration Updates:
- The Zabbix server configuration file (/etc/zabbix/zabbix_server.conf) is updated to include the database password.
- The Apache configuration (/etc/apache2/ports.conf) is modified to listen on port 8080 instead of the default port 80.

Access Rights and Security¶

Security measures are applied during the database setup and service configuration:

Database Security:
- Anonymous MySQL users are removed.
- The default test database is deleted.
- The MySQL root user password is set to match the system SSH password for local connections (127.0.0.1, ::1, localhost).
- The zabbix database user is granted all privileges specifically on the zabbix database.
Service Isolation:
- The Zabbix frontend is configured to run on port 8080, separating it from the standard HTTP port used by the reverse proxy.
- The log_bin_trust_function_creators setting in MySQL is temporarily enabled during schema import and disabled immediately afterward.

Databases¶

The application uses a local MariaDB database for data storage.

Database Name: zabbix
Character Set: utf8mb4
Collation: utf8mb4_bin
User: zabbix
Host: localhost
Connection Method: The Zabbix server connects to the database using the credentials defined in /etc/zabbix/zabbix_server.conf.
Storage Location: Data is stored in the default MariaDB data directory managed by the mariadb service.

Docker Containers and Their Deployment¶

A Docker container is deployed to manage SSL certificates and act as a reverse proxy using Nginx and Certbot.

Image: jonasal/nginx-certbot:latest
Deployment Method: Docker Compose
Configuration File: /root/nginx/compose.yml
Service Details:
- Name: nginx
- Restart Policy: unless-stopped
- Network Mode: host
- Environment:
  - CERTBOT_EMAIL: Set to [email protected]
  - Additional environment variables are loaded from /data/nginx/nginx-certbot.env
- Volumes:
  - nginx_secrets (external volume) mounted to /etc/letsencrypt
  - /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d

To start the container, the following command is executed in the /root/nginx directory:

docker compose up -d

Proxy Servers¶

The deployment includes an Nginx reverse proxy configured via Docker to handle SSL termination and traffic routing.

Software: Nginx with Certbot integration.
SSL Management: Certbot is used to generate and renew SSL certificates.
Configuration:
- Custom user configurations are placed in /data/nginx/user_conf.d.
- SSL certificates are stored in the nginx_secrets volume mounted at /etc/letsencrypt.
Domain Handling: The setup supports custom domains via the Nginx configuration, with DNS records managed externally (A record addition).

Permission Settings¶

File and directory permissions are set as follows during the deployment:

/root/nginx/: Owned by root:root with mode 0644.
/root/nginx/compose.yml: Owned by root:root with mode 0644.
/root/zabbix-release_latest+ubuntu22.04_all.deb: Mode 0644.
System services (zabbix-server, zabbix-agent, apache2, mariadb) are managed by systemd and run with appropriate system privileges.

Starting, Stopping, and Updating¶

Services are managed using systemd for the native components and Docker Compose for the proxy.

Zabbix Services:
- Start/Restart: systemctl restart zabbix-server
- Start/Restart: systemctl restart zabbix-agent
- Start/Restart: systemctl restart apache2
- Enable on Boot: systemctl enable zabbix-server, systemctl enable zabbix-agent, systemctl enable apache2
Database Service:
- Start/Restart: systemctl restart mariadb
- Enable on Boot: systemctl enable mariadb
Docker Proxy:
- Start: docker compose up -d (executed from /root/nginx)
- Stop: docker compose down (executed from /root/nginx)
- Update: Pull the latest image and restart the container using docker compose pull followed by docker compose up -d.