Zabbix MPA – HTTP > HTTPS FrontEnd Conversion

Zabbix MPA HTTP -To- HTTPS Portal Front End

This article will help you set up your new Zabbix Monitoring Platform with HTTPS front-end portal access instead of the default HTTP that comes as standard, allowing you to manage your Zabbix from the outside world in a safe manner. Security-wise, for access to the Zabbix MPA Portal front end I would advise using either a Firewall IP Address White List or a VPN.

Firewall IP Address White List
This setup allows only places of your choice to access the front-end portal. If your server is located in a data centre, allow only your remote office or home office to access the Front End portal by putting them on a Firewall IP Address Allowed/White List. Alternatively, you can set up a Firewall VPN Tunnel and then connect to and access the Front End portal from your machine.

Front End Portal Access
– Zabbix Server > Firewall > IP Address White List
– Zabbix Server > Firewall > VPN

1. Log in to your Zabbix Appliance Ubuntu Terminal and run the following command.

appliance@zabbix:~$ sudo a2enmod ssl

2. Now give the Apache Web Server a restart using the following command.

appliance@zabbix:~$ sudo service apache2 restart

3. After restarting the Apache web server, create a subdirectory using the command line below. This creates a folder within the Apache configuration that will hold both the key and certificate files.

appliance@zabbix:~$ sudo mkdir /etc/apache2/ssl

4. Once done, create a new key and certificate using the command line below. Take some time to look at the command line and the information below it, make any changes you require, then press “Enter“.

appliance@zabbix:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt


  • openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
  • req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is the subcommand we need.
  • -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
  • -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
  • -days 365: This specifies that the certificate we are creating will be valid for one year.
  • -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
  • -keyout: This parameter names the output file for the private key file that is being created.
  • -out: This option names the output file for the certificate that we are generating.

5. You will now be prompted with the following. Fill out the fields with your own details in place of the example values highlighted in green.

Country Name (2 Letter Code) [AU]: UK
State or Province Name (Full Name) [Some-State]:
Locality Name (EG, City) []: London
Organization Name (EG, Company) []: DeltaCentral
Organizational Unit Name (EG,Section) []: DeltaLabs
Common Name (Server FQDN or YOUR Name) []: Deltacentral
Email Address []: / Internal Zabbix Server IP Address

Once you have filled out all the green highlighted fields with your own details, press “Enter“. A new Key & Certificate will now be created and placed in the following location.

Location: /etc/apache2/ssl
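
The following shell script is an added example, not part of the original article or its source: it checks that the key and certificate from step 4 belong together, that the unencrypted key (-nodes) is not accessible to group or others, and that the certificate is not about to expire. The function names and the 30-day threshold are choices made for this example; the default paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original article): checks for the key and
# certificate created in step 4. Function names are made up for this example.

# True only if the certificate carries the public key of this private key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if group and others have no access to the key file.
# -nodes leaves the key unencrypted, so file permissions are all that guard it.
key_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# True only if the certificate is still valid N days from now (-days 365
# means it has to be reissued every year).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks; defaults are the paths used in this article.
check_tls_pair() {
    cert=${1:-/etc/apache2/ssl/apache.crt}
    key=${2:-/etc/apache2/ssl/apache.key}
    rc=0
    pair_matches "$cert" "$key" ||
        { echo "FAIL: $key is not the key for $cert"; rc=1; }
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group/others (chmod 600)"; rc=1; }
    valid_for_days "$cert" 30 ||
        { echo "WARN: $cert expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key"
    return "$rc"
}

# Run the checks only when the script is called with arguments, e.g.
#   sudo sh check_tls.sh /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
if [ "$#" -gt 0 ]; then
    check_tls_pair "$@"
fi
```
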

6. Now open the following file in the GNU Nano editor, using the command line below, to make the changes.

sudo nano /etc/apache2/sites-available/default-ssl.conf
[sudo] password for appliance:

7. Now add and amend the highlighted details in your configuration file.

<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
      ServerName Deltacentral
      ServerAlias ZBRM01
      DocumentRoot /var/www/html
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
      # Enable TLS and point Apache at the certificate and key from step 4
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.crt
      SSLCertificateKeyFile /etc/apache2/ssl/apache.key
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory /usr/lib/cgi-bin>
         SSLOptions +StdEnvVars
      </Directory>
      BrowserMatch "MSIE [2-6]" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
      BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 </VirtualHost>
</IfModule>

Once done, press (CTRL+O) to Write-Out (Save), press the (Enter) button on your keyboard, and then press (CTRL+X) to exit the GNU Nano editor and return to the Zabbix Terminal.

8. Now that we have added and amended the details in our (default-ssl.conf) file, run the command below to activate it.

appliance@zabbix:~$ sudo a2ensite default-ssl.conf

9. Now that we have activated the config, restart the Apache2 Web Server as the last step by running the following command.

appliance@zabbix:~$ sudo service apache2 restart

10. Now test your new URL in your browser but this time using the HTTPS protocol.




BIG THANK YOU TO, Justin Ellingwood
@ Digital Ocean (Source)

