Zabbix Proxies (Proxy’s?)

Zabbix proxy servers are a useful add-on to Zabbix that extend the monitoring capabilities of a server to remote sites.
The three main reasons I believe they are useful are:

  1. WAN/Link Efficiency. Instead of having, say, 10 Zabbix agents at a remote site all reporting back to your main server over the internet, you can have each of them report to a local/LAN Zabbix proxy. That proxy then maintains a single connection to the main server and aggregates all the agents' items back.
  2. Security. Monitoring SNMP or, worse, agents at a remote site would require SNMP over the internet in plaintext if SNMPv2 is the max supported version (and assuming you weren’t using a VPN). The Zabbix proxy collects SNMP data locally and then transmits it back to the server over a single PSK-secured link.
  3. Resiliency/Reliability of data collection. If a remote site is at the end of a 3G data link (or worse, ADSL) and has dropout issues, a Zabbix proxy can cache the agents' data in line with server-configured intervals and report it back to the server when the connection is reestablished. The cache time is configurable on the proxy itself, with 1 week being easily achieved for a small number of clients/checks.

There are three big items to keep in mind when working with proxies.

  1. The proxy acts as the server to all its agents, so agents will only communicate with their assigned proxy and never the main server.
  2. Zabbix proxies receive a configuration from the server telling them which agents they need to query data from (or, for active agents, can expect to receive data from). This config check runs hourly (configurable), or can be forced with “zabbix_proxy -R config_cache_reload” on the proxy side.
  3. Calculated items are still calculated on the main server, regardless of whether data has been submitted from or is currently cached on a proxy. This will affect running total and EOD (end of day) numbers if the data is not available on the server at the time the calculated item executes.

Setup

Zabbix proxies are easy enough to install from a package. Just have an existing repo configured and install zabbix-proxy with your favorite flavour of package manager. I've been using the SQLite variant without much issue.

I usually modify the zabbix-proxy (or zabbix-agent and even zabbix-server) default conf file to have an include <directory>/*.conf line so I can externalize all custom config.

Config Example:

#! /etc/zabbix/zabbix_proxy.d/<name>-zabbix-proxy.conf
# Proxy Config
ProxyMode=0
Server=<WAN Hostname for server>
Hostname=zabbix-proxy.<sitename>.<domainname>

# Database
DBName=/var/zbx/zabbix-proxy.sqlite

# Buffers
# Local Data Buffer 1 Hour (Buffers data regardless of connection status)
ProxyLocalBuffer=1
# Server Offline Buffer 1 week (used if unable to connect to server)
ProxyOfflineBuffer=168

# Encryption
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=zabbix-proxy.<sitename>.<domainname>
TLSPSKFile=/etc/zabbix/proxy-psk.key

After that, create a proxy-psk.key file and start the service.

openssl rand -hex 32 > /etc/zabbix/proxy-psk.key


Add the TLSPSKIdentity value and the contents of the proxy-psk.key file to a new Zabbix proxy on your main server (Web interface > Administration > Proxies), under the Encryption tab.
Name your proxy and set it to active.

Under agent settings you can select which “Zabbix Proxy” their data will be relayed through.

On each of your agents make sure to add a new “server” host (usually I have both the main server and zabbix proxy listed so the agent can talk to both if required) and restart the agent.
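
The PSK file from the setup above is the only secret protecting the proxy-to-server link, so it is worth creating it with tight permissions and checking it before pasting it into the web interface. The script below is an added example, not part of the original post: the function names make_psk and check_psk, the "zabbix" group and the 640 mode are assumptions, and the length bounds are Zabbix's PSK size limits (128 to 2048 bits).

```shell
#!/bin/sh
# Added example: create and sanity-check the Zabbix proxy PSK file.
# Assumptions: the proxy runs with group "zabbix"; "other" users get no access.

PSK_FILE_DEFAULT=/etc/zabbix/proxy-psk.key   # path used in the config above

# Create the key so it is never world-readable, even briefly (run as root).
make_psk() {
    f=${1:-$PSK_FILE_DEFAULT}
    ( umask 077 && openssl rand -hex 32 > "$f" ) || return 1
    chgrp zabbix "$f" && chmod 640 "$f"
}

# Return codes: 0 ok, 1 missing/unreadable, 2 not hex,
#               3 bad length, 4 accessible by "other" users.
check_psk() {
    f=${1:-$PSK_FILE_DEFAULT}
    [ -r "$f" ] || return 1
    key=
    IFS= read -r key < "$f" || :      # first line; trailing newline optional
    case $key in
        *[!0-9A-Fa-f]*) return 2 ;;   # also catches stray CR from Windows editors
    esac
    len=${#key}
    # 128-bit to 2048-bit key = 32 to 512 hex digits, in whole bytes.
    [ "$len" -ge 32 ] && [ "$len" -le 512 ] && [ $((len % 2)) -eq 0 ] || return 3
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld -- "$f" | cut -c8-10)
    [ "$other" = "---" ] || return 4
    return 0
}

# Stand-alone use: "sh psk.sh generate [file]" or "sh psk.sh check [file]".
case ${1:-} in
    generate) make_psk "${2:-$PSK_FILE_DEFAULT}" && check_psk "${2:-$PSK_FILE_DEFAULT}" ;;
    check)    check_psk "${2:-$PSK_FILE_DEFAULT}" ;;
esac
```

Running the plain `openssl rand -hex 32 > file` redirect under a default umask typically leaves the key mode 644, which check_psk reports as return code 4.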
