[ZBXNEXT-2339] Proxy cascading Created: 2014 Jun 10 Updated: 2021 Mar 17 |
|
Status: | Open |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Proxy (P) |
Affects Version/s: | 2.2.3 |
Fix Version/s: | None |
Type: | New Feature Request | Priority: | Major |
Reporter: | Andreas Franke | Assignee: | Unassigned |
Resolution: | Unresolved | Votes: | 16 |
Labels: | dm-nextgen, nested, proxy | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
|
Description |
it would to be nice, when i could cascading proxys: ZBX Server -> ZBX Proxy active -> ZBX Proxy passive -> DMZ Host XYZ |
Comments |
Comment by richlv [ 2014 Jun 10 ] |
"next gen dm" would be a better fit for this functionality, but i can't find an issue about it right now - if it's found, this should be closed as a duplicate |
Comment by Oleksii Zagorskyi [ 2014 Jun 11 ] |
I don't recall already existing issues about "next gen dm". Probably it's time to create and use new label |
Comment by Christian Anton [ 2017 Apr 06 ] |
Actually, this would be an absolute killer feature! I often stumble over desired setups where it would be very benefitial to have, say a Zabbix server in a natted network, a proxy having a public fixed IP address and then other proxies, again behind NAT devices. Also, larger organization structures with networks spread over the world would benefit from this feature quite a lot. |
Comment by Marc [ 2017 Apr 06 ] |
I'm a bit concerned about the increased delay by DataSenderFrequency resp. ProxyDataFrequency of each proxy in the chain. When it's just about breaking the TCP connection, then this can likely justified by a reverse proxy like HAProxy: Zabbix server --> HAProxy --> Zabbix proxy <--> Zabbix agent Zabbix server <-- HAProxy <-- Zabbix proxy <--> Zabbix agent When it's on the other hand about a connection direction change, then there's indeed something new required. Something that may act like a configuration cache and data queue or data transceiver, depending on the proxy mode: Zabbix server --> Queue <-- Zabbix proxy <--> Zabbix agent Zabbix server <-- Transceiver --> Zabbix proxy <--> Zabbix agent Where I'd actually limit it to the latter, the Zabbix transceiver. But I think now I'm slightly off-topic Edit: Transceiver does not appear appropriate. Mediator is possibly a better term. |
Comment by Christian Anton [ 2017 Apr 06 ] |
Yes, it's usually the second setup that I see a need for, and the "Queue" and "Tansceiver" is actually exactly what the Proxy does, but unfortunately not in such a chain. Sure you would have to set your DataSenderFrequency accordingly, but it should be OK to just take a little longer until agent configuration drops through the chain of proxies. |
Comment by Andrew [ 2017 Sep 06 ] |
I have some hosts that are in a remote DC and have some nodes connected via a VPN to those hosts. I monitor the remote hosts via a proxy and want to start monitoring the far nodes but don't have a direct connection to them (so would like to connect zabbix server -> DC proxy -> system (with zabbix-proxy) -> |
Comment by Fred Blaise [ 2017 Nov 17 ] |
Hi all, I stumbled upon that, and as a matter of fact, I always thought that chaining proxies in any way was not supported. Currently running 3.2.7. However, I have a setup that's like this: zabbix agent <-- zabbix proxy in DMZ (passive) <-- zabbix proxy internal network (passive) <-- zabbix master It seems I am getting values for all, no error. Everything looks fine. Am I just getting lucky? Or that configuration is actually supported? Thank you. |
Comment by Tomasz Zieliński [ 2018 Jul 20 ] |
@Fred, as far i understand Zabbix Master sends configuration to zabbix proxy internal, so you setup it on zabbix gui, but in what way zabbix proxy in DMZ receive configuration from proxy Internal ? How do you setup it ? can you share some config ?
|
Comment by Marcos Machado [ 2021 Feb 28 ] |
My main take on this one is regarding security. Zabbix server often has lots of key to many kingdoms (e.g. ssh keys for remote commands) and creeps me out letting its server port opened to the world. One single vulnerability in a publicly available 10051 could be a catastrophe. A passive proxy in a DMZ consolidating all the data from agents and other proxies could avoid exposing the server to the world entirely. ,-------------, ZBX server ---> | ZBX passive | <--- ZBX remote active proxy <---> ZBX active/passive agents | proxy | <--- ZBX active agents `-------------` My approach so far is to restrict access to the zabbix server based on source IPs of the proxies, but this is cumbersome, specially in environments where active proxy resides behind failovers and can arrive from many source IPs (some backup links are dynamic)
|