ZABBIX FEATURE REQUESTS: ZBXNEXT-5839

Add SNI support to TLS protocol between Agent, Proxy and Server


    • New Feature Request
    • Resolution: Fixed
    • Medium
    • 6.0.1rc1, 6.2.0alpha1, 6.2 (plan)
    • 4.4.7
    • Agent (G)
    • TLS based Encryption with SNI
      kubernetes / docker / traefik
    • Sprint 84 (Jan 2022), Sprint 85 (Feb 2022), Sprint 86 (Mar 2022)
    • 1

      I'm currently testing the zabbix-server & zabbix-proxy docker images (https://github.com/zabbix/zabbix-docker) on top of a kubernetes cluster.

      I'm using traefik (https://docs.traefik.io/routing/providers/kubernetes-crd/) as kubernetes ingress controller to manage the incoming connections from the external zabbix agents (deployed on the servers I'm monitoring, all configured in active mode) and the zabbix proxies running inside the kubernetes cluster (TLS activated between agents and proxies).

      I have two solutions at traefik level to allow those incoming communications between the agents and the proxies:

      1/ 1st solution --> not my preferred one but it is working:

      • setup one dedicated entrypoint/port per proxy at traefik level
      • setup the different IngressRouteTCP rules using HostSNI(`*`)

      This is working but not convenient at all ... each time a new proxy has to be deployed inside the cluster, a new entrypoint/port has to be opened at traefik level.

      2/ 2nd solution --> my preferred one but currently not working:

      • setup only one entrypoint/port at traefik level
      • setup the different IngressRouteTCP rules using HostSNI(`myproxyX.mydomain.corp`)

      This would be so great ... only one entrypoint/port at traefik level, and the routing to the different proxies in kubernetes would be managed using SNI (servername).

      zabbix-agent currently does not look SNI compliant.

      I did those two basic tests to demonstrate this:

      From one monitored server:

      1/ openssl s_client -connect myproxyX.mydomain.corp:10051 -cert mytls.crt -key mytls.key -CAfile myca.crt

      --> KO, connection blocked at traefik level ... SNI missing in the request to route the traffic to the correct proxy (myproxyX in this example).

      2/ openssl s_client -servername myproxyX.mydomain.corp -connect myproxyX.mydomain.corp:10051 -cert mytls.crt -key mytls.key -CAfile myca.crt

      --> OK, connection sent to the correct proxy using the SNI in the request.


      So, questions:

      • Is it feasible to add SNI support at zabbix-agent level?
      • If yes, could you add it to your roadmap?

            yurii Jurijs Klopovskis
            adrien.gruneisen Adrien GRUNEISEN
            Team I