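2. Encryption

Overview

This section contains best practices for setting up encryption in a secure way.

Setting up SSL for Zabbix frontend

On RHEL-based systems, install the mod_ssl package:

  dnf install mod_ssl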

Create a directory for SSL keys:

  mkdir -p /etc/httpd/ssl/private
  chmod 700 /etc/httpd/ssl/private

Create the SSL certificate:

  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/apache-selfsigned.key -out /etc/httpd/ssl/apache-selfsigned.crt

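Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You must enter the domain name that you want to associate with your server. If you do not have a domain name, you can enter the public IP address instead.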

  Country Name (2 letter code) [XX]:
  State or Province Name (full name) []:
  Locality Name (eg, city) [Default City]:
  Organization Name (eg, company) [Default Company Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:example.com
  Email Address []:

Edit the Apache SSL configuration file (/etc/httpd/conf.d/ssl.conf):

  DocumentRoot "/usr/share/zabbix"
  ServerName example.com:443
  SSLCertificateFile /etc/httpd/ssl/apache-selfsigned.crt
  SSLCertificateKeyFile /etc/httpd/ssl/private/apache-selfsigned.key

Restart the Apache service to apply the changes:

  systemctl restart httpd.service
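
A check that can be run after the steps above, given here as an added example that is not part of the Zabbix documentation: it reads ssl.conf, locates the key named by SSLCertificateKeyFile, and reports when the key or its directory is accessible beyond the owner or when the key sits under DocumentRoot. The function names are hypothetical, and GNU stat (as shipped on RHEL) is assumed.

```shell
#!/bin/sh
# Added example, not from the Zabbix documentation.
# Assumes GNU stat (as on RHEL) and directive values without spaces.

# Print the last value set for an Apache directive, skipping comment lines.
directive_value() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { gsub(/"/, "", v); print v }' "$1"
}

# Succeed only if a mode (as printed by stat -c %a) has no group/other bits.
owner_only() {        # $1 = octal mode such as 700
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Audit the key referenced by SSLCertificateKeyFile. Returns 0 when clean,
# 1 when a finding was reported, 2 when the key cannot be located.
audit_key_perms() {   # $1 = path to ssl.conf
    local conf key dir docroot rc
    conf=$1; rc=0
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    docroot=$(directive_value "$conf" DocumentRoot)
    [ -n "$key" ] || { echo "FAIL: no SSLCertificateKeyFile in $conf"; return 2; }
    [ -f "$key" ] || { echo "FAIL: key file $key not found"; return 2; }
    dir=$(dirname "$key")
    # The page creates the key directory with chmod 700.
    if ! owner_only "$(stat -c %a "$dir")"; then
        echo "FAIL: $dir is accessible to group/other (expected 700)"; rc=1
    fi
    if ! owner_only "$(stat -c %a "$key")"; then
        echo "FAIL: $key is accessible to group/other"; rc=1
    fi
    # A key below DocumentRoot could be served to clients as a static file.
    case $key in
        "${docroot:-/nonexistent}"/*) echo "FAIL: $key is inside DocumentRoot"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $key and $dir are owner-only"
    return "$rc"
}
```

On the host configured above, call it as `audit_key_perms /etc/httpd/conf.d/ssl.conf`; a non-zero exit status means a finding was printed.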