TLS based Encryption with SNI
kubernetes / docker / traefik

Hi Zabbix support team,

I hope my ticket was clear enough to let you understand this feature request?

Don't hesitate to sollicitate me if you need additional information, extract of configuration files or whatever... i will be very happy to answer.

This topic is not urgent at all, i can live with solution 1/ for a while ...

Regards,

Adrien

Hi All,

I have the exact same need (not sure wich Ingress Controller to use yet, probably using Envoy instead of Traefik).

I wonder if it is possible to do this by playing with certificates.

Hi,

In my setup, TLS is already activated between the agents (on the servers) and the proxies (hosted on k8s)

TLS configuration at Traefik IngressRouteTCP level is set to "passtrough: true" (no certificate at Traefik level)

Please find below an example of Traefik IngressRouteTCP configuration:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: proxy-2s59
  namespace: zabbix-2s59
spec:
  entryPoints:
    - px-2s59
  routes:
#  - match: HostSNI(`proxy-2s59.{{project_wildcard_dns}}`)
  - match: HostSNI(`*`)
    services:
    - name: proxy-2s59
      port: 10051
  tls:
    passthrough: true

Currently, as the zabbix agent is not providing any SNI, traefik is not able to determine to which service the traffic should be forwarded.

SNI (Server Name Indication) is an extension of TLS (https://en.wikipedia.org/wiki/Server_Name_Indication).

The client (in our case: the zabbix agent / configured in active) should indicates to which hostname it is attempting to connect at the start of the handshaking process.

If zabbix agent would be able to specify an SNI, we would be able to replace HostSNI(`*`) with the multiple entrypoints per proxy by HostSNI(`myproxyX.mydomain.myorg`) with only one single entrypoint at traefik level.

Hi Zabbix support team,

Do you need additional information?

Thank you

Up

Don't hesitate to sollicate me if needed.

What reason of using so difficult configuration ?

Zabbix is providing docker images of their components (console, server, proxy, agent) ... deploying them on top of a container orchestrator like kubernetes is just awesome in term of flexibility, HA, capacity, upgrades, downgrades, etc etc... 

Accessing an application hosted on kubernetes though treafik using HostSNI is something very common ... nothing difficult here.

Please find attached my infrastruture diagram (2s59-acp-tooling.pdf)  ... I'm using Zabbix hosted on Kubernetes for the monitoring of several Openshift clusters 

If needed, we could do a google meet together to better explain the setup and answer your questions ...?

dotneft promised to take a look at this one.

Great, thank you

Hello Adrien,

I'm thinking it is not image issue. Zabbix agent and other components do not support SNI. Actually images do not have any additional modifications and just expose specified ports. Did you test regular agent / proxy? Same behaviour?

Kind regards,
Alexey.

Hi Alexey,

Yes, you are fully right, this is not an image issue. This is a new feature request for a better zabbix integration when deployed on kubernetes (this feature is not needed when installing zabbix on traditional servers from packages ... so no issue with regular agent/proxy).

Deploying zabbix on k8s is certainly not yet very common (but it will become ) and I'm quite sure you will receive again this new feature request in the coming weeks/months when other people will try to deploy zabbix on kubernetes using a reverse proxy like traefik to access their zabbix components on the cluster.

I have a doubt and I have the filling that my request is not fully understood (certainly because you are not very familiar with kubernetes and reverse proxy usage like traefik ...  that i can fully understand ... no issue)

Should i explain a bit more ?

Looks like this feature should be added to TLS support between Server, Proxy, Agent components, so systems like k8s can route traffic using SNI extension. This issue is not about Docker container itself.

TLS SNI (rfc4366)

@Edgar: exactly

Hello

Will you finally add SNI capability to TLS support between Server, Proxy, Agent components ?

Or should I consider my workaround (dedicated entrypoint/port at traefik level using HostSNI(`*`)) as a definitive solution

This topic is not urgent for me ... but I just want to know if this new feature request is validated or not ?

Thank you

Hi

UP

Thank you

+1 using SNI would make container setups (and all other setups using proxies in front of zabbix server) much easier

edit: and it's not only for compontent agents but also proxy

I'm very happy to see that the status of the ticket has evolved ... I was still waiting for this new feature

Don't hesitate to solicitate me if I can support.

Available in:

• 6.0.1rc1 89cd921eced
• 6.2.0alpha1 522580803db

This is for Zabbix components written in C.

Changes for agent2 are implemented separately: ZBXNEXT-7452

Documentation updated:

• What's new in 6.0.1

FYI, I've just tested TLS SNI feature on Zabbix 6.0.2 and it is working like a charm

I'm now able to declare one single entrypoint at Traefik level for all incoming connection from agents (one entrypoint "zabbix-proxy" using the default port 10051) and use "HostSNI" at Traefik IngressRouteTCP definition to route the incoming connection from agents to the corresponding proxy.

For example:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: proxy-2s59-val
  namespace: zabbix-2s59-val
spec:
  entryPoints:
    - zabbix-proxy
  routes:
    - match: HostSNI(`proxy-2s59-val.2s59-v.eu.airbus.corp`)
      services:
        - name: proxy-2s59-val
          port: 10051
  tls:
    passthrough: true

adrien.gruneisen , thanks for your feedback!

Right, we have back-ported it to 6.0.x to make it available in LTS release. No need to wait Zabbix 6.2, use it now!