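Environment:
Server IP | Applications to install |
---|---|
192.168.32.125 | LNMP stack, zabbix server |
The firewall and SELinux were disabled beforehand, and the yum repositories (including EPEL) were already configured.
//Generate the certificates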
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
.............+++
e is 65537 (0x10001)
[root@localhost CA]# ll private/
total 4
-rw-------. 1 root root 1679 Aug 11 21:09 cakey.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
[root@localhost CA]# ls
cacert.pem certs crl newcerts private
[root@localhost ~]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................................................................+++
....................................+++
e is 65537 (0x10001)
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.key v0.61.tar.gz
[root@localhost ~]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.csr v0.61.tar.gz
httpd.key
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 01:20:53 2020 GMT
Not After : Aug 12 01:20:53 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.a.com
organizationalUnitName = www.a.com
commonName = www.a.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
71:73:00:52:90:3E:4A:0E:3A:C9:38:AF:C2:97:97:6B:4A:6F:8B:71
X509v3 Authority Key Identifier:
keyid:E6:5D:3A:CA:1D:72:44:88:0B:06:9E:15:6B:63:CC:6C:F0:2E:97:B2
Certificate is to be certified until Aug 12 01:20:53 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# ls
anaconda-ks.cfg httpd.key
echo-nginx-module-0.61 nginx-1.14.2.tar.gz
httpd.crt nginx-1.16.1.tar.gz
httpd.csr v0.61.tar.gz
//Create a directory to hold the certificate
[root@localhost ~]# mkdir /usr/local/nginx/ssl
[root@localhost ~]# ls
anaconda-ks.cfg nginx-1.14.2.tar.gz
echo-nginx-module-0.61 nginx-1.16.1.tar.gz
httpd.crt v0.61.tar.gz
httpd.csr www.example.com.pem
httpd.key
[root@localhost ~]# cp httpd.crt httpd.key /usr/local/nginx/ssl
[root@localhost ~]# cd /usr/local/nginx/ssl
[root@localhost ssl]# ls
httpd.crt httpd.key
//Edit the configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/ssl/httpd.crt;
    ssl_certificate_key /usr/local/nginx/ssl/httpd.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
[root@localhost ~]# nginx -s reload
[root@localhost ~]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
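A check to run on the signed pair before reloading nginx, as an added example that is not part of the original post: it confirms the certificate chains to the CA, that the key belongs to the certificate, and that the key file is closed to group and others. The helper name `check_tls_pair` and the script name `check_tls.sh` are assumptions; the paths are the ones used in the transcript above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a CA-signed
# certificate/key pair before pointing nginx at it.
# check_tls_pair and check_tls.sh are hypothetical names.

# check_tls_pair CA_CERT SERVER_CERT SERVER_KEY
# Prints one line per failed check; returns 0 only if every check passes.
check_tls_pair() {
    ca=$1; crt=$2; key=$3; rc=0

    # 1. The server certificate must verify against the CA that signed it.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL chain: $crt does not verify against $ca"; rc=1
    fi

    # 2. Certificate and private key must hold the same public key.
    #    An unreadable file leaves the variable empty and counts as a failure.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL keypair: $key does not belong to $crt"; rc=1
    fi

    # 3. The key must be closed to group and others. The umask 077 in the
    #    transcript gives -rw-------; a later copy or chmod can undo that.
    case "$(ls -ld "$key" 2>/dev/null)" in
        -[r-][w-][xsS-]------*) ;;
        *) echo "FAIL mode: $key is accessible to group or others"; rc=1 ;;
    esac

    return $rc
}

# Paths from the transcript above; runs only when executed as check_tls.sh.
if [ "${0##*/}" = "check_tls.sh" ]; then
    check_tls_pair /etc/pki/CA/cacert.pem \
        /usr/local/nginx/ssl/httpd.crt /usr/local/nginx/ssl/httpd.key \
        && echo "OK"
fi
```

Running `nginx -t` afterwards confirms that the files named in `ssl_certificate` and `ssl_certificate_key` exist and load before the reload is issued.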
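Because zabbix is written in PHP, a LAMP-type stack (LNMP in this setup) must be deployed first so that the server can run PHP pages.
LNMP deployment
1. Deploy zabbix
1.1 Installing the zabbix server
#Install the dependency packages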
[root@www ~]# yum -y install net-snmp-devel libevent-devel
#Download zabbix
[root@www ~]# wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.2.tar.gz
[root@www ~]# tar xf zabbix-5.0.2.tar.gz
[root@www ~]# cd zabbix-5.0.2
[root@www zabbix-5.0.2]# ls
aclocal.m4 build conf configure database INSTALL Makefile.am misc README ui
AUTHORS ChangeLog config.guess configure.ac depcomp install-sh Makefile.in missing sass
bin compile config.sub COPYING include m4 man NEWS src
#Create the zabbix user
[root@www zabbix-5.0.2]# useradd -r -M -s /sbin/nologin zabbix
[root@www zabbix-5.0.2]# id zabbix
uid=994(zabbix) gid=992(zabbix) groups=992(zabbix)
#Set up the zabbix database
[root@www zabbix-5.0.2]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
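#UTF-8 is the only encoding Zabbix supports. For the Zabbix server/proxy to work correctly with a MySQL database, the utf8 character set and the utf8_bin collation are required.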
mysql> create database zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix123!';
Query OK, 0 rows affected, 2 warnings (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
[root@www zabbix-5.0.2]# ls
aclocal.m4 build conf configure database INSTALL Makefile.am misc README ui
AUTHORS ChangeLog config.guess configure.ac depcomp install-sh Makefile.in missing sass
bin compile config.sub COPYING include m4 man NEWS src
[root@www zabbix-5.0.2]# cd database/mysql/
[root@www mysql]# ls
data.sql double.sql images.sql Makefile.am Makefile.in schema.sql
[root@www mysql]# mysql -uzabbix -pzabbix123! zabbix < schema.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
[root@www mysql]# mysql -uzabbix -pzabbix123! zabbix < images.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
[root@www mysql]# mysql -uzabbix -pzabbix123! zabbix < data.sql
mysql: [Warning] Using a password on the command line interface can be insecure.
#Compile and install zabbix
[root@www zabbix-5.0.2]# ./configure --enable-server --enable-agent --with-mysql --with-net-snmp --with-libcurl --with-libxml2
[root@www zabbix-5.0.2]# make install
1.2 Configuring the zabbix server
[root@www zabbix-5.0.2]# ls /usr/local/etc/
zabbix_agentd.conf zabbix_agentd.conf.d zabbix_server.conf zabbix_server.conf.d
#Edit the server configuration file
#Set the database information
[root@www ~]# vim /usr/local/etc/zabbix_server.conf
....
DBPassword=zabbix123! //set the zabbix database connection password
....
#Start zabbix_server and zabbix_agentd
Starting the zabbix server fails:
[root@localhost zabbix-3.2.7]# /usr/local/zabbix/sbin/zabbix_server start
/usr/local/zabbix/sbin/zabbix_server: error while loading shared libraries: libmysqlclient.so.20: cannot open shared object file: No such file or directory
Fix:
[root@localhost zabbix-3.2.7]# find / -name libmysqlclient.so.20
/usr/local/src/mysql-5.7.20/libmysql/libmysqlclient.so.20
/usr/local/mysql/lib/libmysqlclient.so.20
[root@localhost zabbix-3.2.7]# echo "/usr/local/mysql/lib" >> /etc/ld.so.conf
[root@localhost zabbix-3.2.7]# ldconfig
Start it again and it will succeed.
[root@www zabbix-5.0.2]# zabbix_server
[root@www zabbix-5.0.2]# zabbix_agentd
[root@www zabbix-5.0.2]# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:10050 *:*
LISTEN 0 128 *:10051 *:*
LISTEN 0 128 127.0.0.1:9000 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 80 [::]:3306 [::]:*
LISTEN 0 128 [::]:22 [::]:*
#Adjust the settings in /etc/php.ini as required for a zabbix deployment, then restart php-fpm
[root@www ~]# sed -ri 's/(post_max_size =).*/\1 16M/g' /etc/php.ini
[root@www ~]# sed -ri 's/(max_execution_time =).*/\1 300/g' /etc/php.ini
[root@www ~]# sed -ri 's/(max_input_time =).*/\1 300/g' /etc/php.ini
[root@www ~]# sed -i '/;date.timezone/a date.timezone = Asia/Shanghai' /etc/php.ini
[root@www ~]# service php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@www ~]# cd zabbix-5.0.2
[root@www zabbix-5.0.2]# ls
aclocal.m4 ChangeLog config.log configure.ac include Makefile misc sass
AUTHORS compile config.status COPYING INSTALL Makefile.am missing src
bin conf config.sub database install-sh Makefile.in NEWS ui
build config.guess configure depcomp m4 man README
[root@www zabbix-5.0.2]# cd ui/
[root@www ui]# mkdir /usr/local/nginx/html/zabbix
[root@www ui]# cp -a . /usr/local/nginx/html/zabbix/
[root@www ui]# chown -R nginx.nginx /usr/local/nginx/html/zabbix/
[root@www ui]# ls /usr/local/nginx/html/zabbix/
actionconf.php conf httpconf.php map.import.php slides.php
api_jsonrpc.php conf.import.php httpdetails.php map.php srv_status.php
app correlation.php image.php modules sysmap.php
applications.php discoveryconf.php imgstore.php overview.php sysmaps.php
assets disc_prototypes.php include queue.php templates.php
audio favicon.ico index_http.php report2.php toptriggers.php
auditacts.php graphs.php index.php report4.php tr_events.php
browserwarning.php history.php index_sso.php robots.txt trigger_prototypes.php
chart2.php host_discovery.php items.php screenconf.php triggers.php
chart3.php hostgroups.php js screenedit.php vendor
chart4.php hostinventoriesoverview.php jsLoader.php screen.import.php zabbix.php
chart5.php hostinventories.php jsrpc.php screens.php
chart6.php host_prototypes.php local services.php
chart7.php host_screen.php locale setup.php
chart.php hosts.php maintenance.php slideconf.php
#Configure nginx
[root@www ~]# vim /usr/local/nginx/conf/nginx.conf
......
server {
    listen 80;
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate /usr/local/nginx/ssl/www.test.com.crt;
    ssl_certificate_key /usr/local/nginx/ssl/www.test.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html/zabbix;
        index index.php;
    }
    location = /status {
        stub_status;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    location ~ \.php$ {
        root html/zabbix;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
......
#Reload the nginx configuration
[root@www ~]# nginx -s reload
#Set the permissions on the zabbix/conf directory so that zabbix is allowed to generate the configuration file zabbix.conf.php
[root@www ~]# chmod 777 /usr/local/nginx/html/zabbix/conf
[root@www ~]# ll -d /usr/local/nginx/html/zabbix/conf
drwxrwxrwx 3 nginx nginx 94 Jul 6 05:54 /usr/local/nginx/html/zabbix/conf
#Enable zabbix to start at boot
[root@www core]# pwd
/root/zabbix-5.0.2/misc/init.d/fedora/core
[root@www core]# ls
zabbix_agentd zabbix_server
[root@www core]# cp -a . /etc/init.d/
[root@www core]# chkconfig --add zabbix_server
[root@www core]# chkconfig --add zabbix_agentd
[root@www core]# chkconfig zabbix_server on
[root@www core]# chkconfig zabbix_agentd on
2. Write scripts that extract the values needed to monitor nginx status
#Write the scripts
[root@www ~]# mkdir /scripts
[root@www ~]# cd /scripts/
[root@www scripts]# ls
Reading_value.sh requests_value.sh Writing_value.sh
[root@www scripts]# cat requests_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==3{print $3}'`
echo $value
[root@www scripts]# cat Reading_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==4{print $2}'`
echo $value
[root@www scripts]# cat Writing_value.sh
#!/bin/bash
value=`curl -k -s 192.168.32.125/status | awk 'NR==4{print $4}'`
echo $value
2.1 Edit the configuration file and add the custom keys
[root@www scripts]# vim /usr/local/etc/zabbix_agentd.conf
......
Server=192.168.32.125 #change to the server's IP
ServerActive=192.168.32.125 #change to the server's IP
......
### Option: UnsafeUserParameters
# Allow all characters to be passed in arguments to user-defined parameters.
# The following characters are not allowed:
# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
# Additionally, newline characters are not allowed.
# 0 - do not allow
# 1 - allow
#
# Mandatory: no
# Range: 0-1
# Default:
# UnsafeUserParameters=0
UnsafeUserParameters=1
### Option: UserParameter
# User-defined parameter to monitor. There can be several user-defined parameters.
# Format: UserParameter=<key>,<shell command>
# See 'zabbix_agentd' directory for examples.
#
# Mandatory: no
# Default:
# UserParameter=
UserParameter=requests_value,/bin/bash /scripts/requests_value.sh
UserParameter=Reading_value,/bin/bash /scripts/Reading_value.sh
UserParameter=Writing_value,/bin/bash /scripts/Writing_value.sh
[root@www scripts]# service zabbix_agentd restart
Restarting zabbix_agentd (via systemctl): [ OK ]
#Test the configured keys
[root@www scripts]# zabbix_get -s 192.168.32.125 -k requests_value
689
[root@www scripts]# zabbix_get -s 192.168.32.125 -k Writing_value
1
[root@www scripts]# zabbix_get -s 192.168.32.125 -k Reading_value
0
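The three scripts above differ only in which line and column of the stub_status page they print. As an added example (not code from the original post), here is a single parser that covers every stub_status field, rejects unknown field names and refuses to return anything that is not an integer. The key name `nginx.status`, the script name `nginx_status.sh` and the field names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one validated parser for
# nginx stub_status output in place of three near-identical scripts.
# The key name nginx.status, the script name nginx_status.sh and the
# field names are assumptions made for this sketch.
#
# Agent side ($1 is the argument given in brackets):
#   UserParameter=nginx.status[*],/scripts/nginx_status.sh "$1"
STATUS_URL="${STATUS_URL:-http://192.168.32.125/status}"

# Constructed sample of what stub_status returns (values are made up).
SAMPLE_STATUS='Active connections: 2
server accepts handled requests
 412 412 689
Reading: 0 Writing: 1 Waiting: 1'

# nginx_status_field FIELD
# Reads stub_status text on stdin and prints exactly one integer.
# Returns 2 for a field outside the whitelist, 1 for unusable input.
nginx_status_field() {
    case "$1" in
        active)   pos='1 3' ;;
        accepts)  pos='3 1' ;;
        handled)  pos='3 2' ;;
        requests) pos='3 3' ;;
        reading)  pos='4 2' ;;
        writing)  pos='4 4' ;;
        waiting)  pos='4 6' ;;
        *) echo "unknown field: $1" >&2; return 2 ;;
    esac
    awk -v want="$pos" '
        BEGIN { split(want, p, " ") }
        NR == 1 && $1 != "Active" { exit 1 }   # error page, not stub_status
        NR == p[1] + 0 { v = $(p[2] + 0) }
        END { if (v !~ /^[0-9]+$/) exit 1; print v }
    '
}

# Fetch the live page only when run under the script name assumed above.
if [ "${0##*/}" = "nginx_status.sh" ]; then
    curl -s --max-time 3 "$STATUS_URL" | nginx_status_field "$1"
fi
```

Because the field name is matched against a fixed list of plain words, this key works with the default `UnsafeUserParameters=0`.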
View the monitoring data