"next gen dm" would be a better fit for this functionality, but i can't find an issue about it right now - if it's found, this should be closed as a duplicate
I don't recall already existing issues about "next gen dm".
Probably it's time to create and use new label 
I think "dm-nextgen" should be ok.
Actually, this would be an absolute killer feature! I often stumble over desired setups where it would be very benefitial to have, say a Zabbix server in a natted network, a proxy having a public fixed IP address and then other proxies, again behind NAT devices. Also, larger organization structures with networks spread over the world would benefit from this feature quite a lot.
I'm a bit concerned about the increased delay by DataSenderFrequency resp. ProxyDataFrequency of each proxy in the chain.
When it's just about breaking the TCP connection, then this can likely justified by a reverse proxy like HAProxy:
Zabbix server --> HAProxy --> Zabbix proxy <--> Zabbix agent Zabbix server <-- HAProxy <-- Zabbix proxy <--> Zabbix agent
When it's on the other hand about a connection direction change, then there's indeed something new required. Something that may act like a configuration cache and data queue or data transceiver, depending on the proxy mode:
Zabbix server --> Queue <-- Zabbix proxy <--> Zabbix agent Zabbix server <-- Transceiver --> Zabbix proxy <--> Zabbix agent
Where I'd actually limit it to the latter, the Zabbix transceiver. But I think now I'm slightly off-topic
Edit: Transceiver does not appear appropriate. Mediator is possibly a better term.
Yes, it's usually the second setup that I see a need for, and the "Queue" and "Tansceiver" is actually exactly what the Proxy does, but unfortunately not in such a chain. Sure you would have to set your DataSenderFrequency accordingly, but it should be OK to just take a little longer until agent configuration drops through the chain of proxies.
Btw for the first of the scenarios (with HAProxy), do you have an example config on how this could look like on the HAProxy side?
I have some hosts that are in a remote DC and have some nodes connected via a VPN to those hosts. I monitor the remote hosts via a proxy and want to start monitoring the far nodes but don't have a direct connection to them (so would like to connect
zabbix server -> DC proxy -> system (with zabbix-proxy) ->
remote vpn nodes with no direct route (zabbix-agent)
Hi all,
I stumbled upon that, and as a matter of fact, I always thought that chaining proxies in any way was not supported. Currently running 3.2.7.
However, I have a setup that's like this:
zabbix agent <-- zabbix proxy in DMZ (passive) <-- zabbix proxy internal network (passive) <-- zabbix master
It seems I am getting values for all, no error. Everything looks fine.
Am I just getting lucky? Or that configuration is actually supported?
Thank you.
@Fred, as far i understand Zabbix Master sends configuration to zabbix proxy internal, so you setup it on zabbix gui, but in what way zabbix proxy in DMZ receive configuration from proxy Internal ? How do you setup it ? can you share some config ?
My main take on this one is regarding security. Zabbix server often has lots of key to many kingdoms (e.g. ssh keys for remote commands) and creeps me out letting its server port opened to the world. One single vulnerability in a publicly available 10051 could be a catastrophe.
A passive proxy in a DMZ consolidating all the data from agents and other proxies could avoid exposing the server to the world entirely.
,-------------,
ZBX server ---> | ZBX passive | <--- ZBX remote active proxy <---> ZBX active/passive agents
| proxy | <--- ZBX active agents
`-------------`
My approach so far is to restrict access to the zabbix server based on source IPs of the proxies, but this is cumbersome, specially in environments where active proxy resides behind failovers and can arrive from many source IPs (some backup links are dynamic)