How-To Articles

Zabbix 7 LTS Install and Setup with Nginx & LetsEncrypt SSL on Ubuntu 24.04

Daniel Bender

7 min read
Zabbix 7 LTS Install and Setup with Nginx & LetsEncrypt SSL on Ubuntu 24.04
Zabbix 7 LTS just released in the last couple weeks!

Zabbix 7 LTS is here, and its been a while since I checked out the Zabbix Platform and wanted to see the improvements they have made. Specifically one of the more popular and touted features of version 7 is the Web Synthetic monitoring, RUM type features. I have used other DevOp's platforms for this purposes, so wanted to check it out for myself. In doing so, I found the lack of documentation to do a full Zabbix 7 install on a cloud VM/VPS with NGINX specifically lacking anywhere online.

It seems to me that Apache seems to be the more popular platform being used by users of Zabbix, as well as the howto articles online, none of them having Nginx with LetsEncrypt SSL configuration. So I figured this would be a good opportunity to make an official and complete installation tutorial.

Prerequisites

This tutorial is going to be using the latest, just released version of Ubuntu Server, 22.04 and the newest Zabbix 7 LTS Release, that came out on June 4th.

You will need to have a Cloud or Local VM setup using Ubuntu 22.04 that is up to date, so make sure to "apt update/upgrade"before starting.

The other important part is when you create your Cloud VPS/VM, obtain or use your static IP to create a DNS A record with the subdomain or domain name you will be using for the Zabbix Web Frontend. Lastly, make sure ports 80, 443 http/https are open for SSL etc. So lets get started.

Installing Zabbix 7 base components and files

In this case we will have the Zabbix Server, Front end and agent and Nginx. In the later section we will be installing and configuring Nginx with LetsEncrypt using Certbot.

Install the Zabbix Repository and get the Zabbix 7 .deb installation files

💡
wget https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_7.0-1+ubuntu24.04_all.deb
💡
dpkg -i zabbix-release_7.0-1+ubuntu24.04_all.deb
💡
apt update

Next Install the Zabbix Server, Frontend and Agent

💡
 apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent

Install MySQL as Zabbix doesn't actually install and start the database service for you

💡
apt install mysql-server

Make Sure MySQL is running before the next step

💡
systemctl status mysql

Create the initial database

💡
mysql -uroot -p

It will ask for a password, pick a password of your choice

Once in the MySql Cli enter the following:

💡
create database zabbix character set utf8mb4 collate utf8mb4_bin;
💡
create user zabbix@localhost identified by 'YOURPASSWORD';
💡
grant all privileges on zabbix.* to zabbix@localhost;
💡
set global log_bin_trust_function_creators = 1;
💡
quit;

Import initial scheme and data. You will be prompted for the password you chose above

💡
zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uzabbix -p zabbix

Note: Be patient it will look like its frozen and not doing anything, wait until it returns to the prompt.

Disable log_bin_trust_function_creators option after import of scheme

💡
mysql -uroot -p
💡
set global log_bin_trust_function_creators = 0;
💡
quit;

Configure the database for Zabbix Server. Edit the file located at /etc/zabbix/zabbix_server.conf . Find the "DBPassword=" statement that is commented out, uncomment and enter your password you picked earlier.

Once done save the file and return to prompt

Configure PHP for Zabbix Frontend . Note: leave the listen8080; directive as is except for the uncomment, then change the server_name to your full DNS Domain record of the A record you setup at the start. In my case I am using "mon.netmanageit.com" as the Zabbix DNS Domain.

Edit the file /etc/zabbix/nginx.conf and uncomment the 'listen' and 'server_name" directive. Again, only uncomment listen directive, but do not change the content.

Save the file and return to the prompt

Start Zabbix Server and Agent Processes

💡
systemctl restart zabbix-server zabbix-agent nginx php8.3-fpm
💡
systemctl enable zabbix-server zabbix-agent nginx php8.3-fpm

Install Certbot and LetsEncrypt to automate obtaining your SSL for the domain and changing the nginx.conf file located in /etc/nginx/conf.d directory.

💡
apt install certbot
💡
apt install python3-certbot-nginx

Make sure you didn't make any mistakes editing the nginx.conf files earlier.

💡
nginx -t

Reload Nginx

💡
nginx -s reload

Launch certbot to automate the process of configuring and deploying SSL cert

💡
certbot --nginx

Enter your email address used for domain communicate notifications, hit Y to terms, Y or N to sharing email addy. Then select the domain you configured earlier, in this case 1:

Note: Make sure you have configured your VM firewall to allow HTTP port 80 and Port 443 to all before selecting 1. Or it will fail to deploy.

All set! Time to visit your Zabbix 7 Login Page for the first time!

Zabbix Login and Initial Configuration Wizard

Go to https://YOURDOMAIN.COM in my case https://mon.netmanageit.com you will be greeted with initial wizard to config.

Click Next Step to Begin

Click Next Step after all the checks pass, which they should.

Next leave all the default pre-populated text, but enter your chosen password in the Password Field and hit "Next Step".

Enter a Name for your Zabbix Server Instance and pick your Time Zone

Hit Next to finalize and finish on the Summary Screen, you then will be presented with your initial login! Congrats! The default username is - "Admin" and default password is - "zabbix"

Securing your Zabbix Instance!

First, change the default Admin Super Users password from default.

Click on users, the default Super User, and then click the Change password box.

Zabbix has native 2FA built in, but it is a little confusing to activate. Not very intuitive at all, but here are the basic steps. Create a user group that will have 2FA functionality. In this case lets call it "2fausers".

First set initial MFA settings

Click on MFA settings, then check "Enable multi-factor authentication" checkbox. Click "Add" and then fill in a name for 2fa configuration, hit add, and update to finish.

Once done click Add to Popup box. It will disappear and make sure you hit Blue Update button!

Next, create a User Group to attach the new 2fa settings configuration to.

Enter Group name, then click multi-factor and select your 2fa config "mine is "2fausers"

Click Add once you have everything set to add the new group.

Now we need to attach our default Admin Super User account to the 2fausers group. Click on Users, then the Super Admin user.

Now add the 2fa group we created earlier to the groups the user is a member of by hitting select button and clicking, or start typing name in the "type here to search" area. Then hit Update when done.

That is it, now logout, and then login, you will then be presented with the option to configure your 2FA!

Finish the TOTP setup and your done with 2FA

Improve HTTP Security Header configuration in NGINX.

Add these 2 new lines below "#server_tokens off;" in the /etc/nginx/nginx.conf file.

💡
add_header Strict-Transport-Security "max-age=63072000" always;
💡
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";

Save the file and then reload Nginx

Next scroll down to SSL Settings, we want to turn off TLS 1.0 and 1.1 support for good measure.

Delete TLSv1.0 and TLSv1.1 and you will be left with whats shown above

Now Save the file and restart Nginx

💡
systemctl restart nginx

Thats about it! I usually configure more HTTP Security headers to reach an A+ rating, but these are what Zabbix recommends. Feel free to experiment, but check the site to make sure it doesn't break any functionality.

Also, there are additional ports Zabbix will need to have opened to the server depending on the type of monitoring you will be doing. I was just playing with Web and Cloud monitoring.

To allow Zabbix client agent communication to the main Server, open ports 10051 and 10050 TCP.

Hope you enjoyed this article!

God Bless

Dan