zabbix-web切换为nginx及https

目录

• zabbix-web切换为nginx及https
  • 1、背景和环境
  • 2、安装nginx
    • 2.1、编译参数
    • 2.2、修改配置文件并配置https
    • 2.3、配置nginx为系统服务
  • 3、安装php
    • 3.1、编译安装
      • 3.1.1、编译参数
      • 3.1.2、排错
    • 3.2、配置
    • 3.3、配置php为系统服务
    • 3.4、启动
  • 4、访问及排错

zabbix-web切换为nginx及https

1、背景和环境

zabbix使用了很久，安装的时候并没有选择复杂的源码编译安装，所以默认采用了apache的httpd提供web服务。由于对httpd并没有深入研究，而且个人对httpd的配置文件格式很不感冒，怎么办？当然是换nginx呀！顺便加上https证书安全安全。

本文中的环境如下：

系统版本：CentOS Linux release 7.4.1708 (Core)

软件版本：

zabbix 4.0.0

nginx 1.16.0

php 5.6.40

2、安装nginx

2.1、编译参数

apache httpd通过模块来使用php，nginx连接php则需要单独安装php，首先编译安装nginx

编译参数和步骤如下，来自我的github

#!/bin/bash
#定义版本
VERSION=1.16.0
#安装依赖包
yum install gcc gcc-c++ glibc pcre-devel zlib-devel openssl-devel -y
#用户创建
/usr/sbin/useradd -M -s /sbin/nologin www
#编译安装
cd ~
wget http://nginx.org/download/nginx-${VERSION}.tar.gz
tar xf nginx-${VERSION}.tar.gz
cd nginx-${VERSION}
./configure --prefix=/usr/local/nginx --pid-path=/usr/local/nginx/run/nginx.pid --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module
make && make install
cd /usr/local/nginx/conf/
grep -Ev '^$|#' nginx.conf.default > nginx.conf
#清除包
cd ~
rm -rf nginx-${VERSION} nginx-${VERSION}.tar.gz

2.2、修改配置文件并配置https

/usr/local/nginx/confnginx.conf

[root@zabbix ~]# cat /usr/local/nginx/conf/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server_tokens   off;
    include /usr/local/nginx/conf/Include/*.conf;
}

cat /usr/local/nginx/conf/Include/zabbix.conf

[root@zabbix ~]# cat /usr/local/nginx/conf/Include/zabbix.conf
server {
    listen       80;
    server_name  www.zabbix.cn;
    return 301   https://www.zabbix.cn$request_uri;
}
server {
    listen       443 ssl;
    server_name  www.zabbix.cn
    if ($host != 'www.zabbix.cn') {
        return 403;
    }
    root /usr/share/zabbix;
    index index.php index.html index.htm;
    ssl_certificate     /usr/local/nginx/ssl-certs/2505454_www.zabbix.cn.pem;
    ssl_certificate_key /usr/local/nginx/ssl-certs/2505454_www.zabbix.cn.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log      /var/log/nginx/ngnix_access.log;
    error_log       /var/log/nginx/ngnix_error.log;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ^~ /app {
        deny all;
    }
    location ^~ /conf {
        deny all;
    }
    location ^~ /local {
        deny all;
    }
    location ^~ /include {
        deny all;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

2.3、配置nginx为系统服务

vim /lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

• 加载系统服务

systemctl daemon-reload

• 设置开机启动

systemctl enable nginx

• 启动 nginx

systemctl start nginx

• 停止

systemctl stop nginx

• 加载配置文件

systemctl reload nginx

3、安装php

3.1、编译安装

3.1.1、编译参数

php的编译安装稍微复杂，复杂点就在于它的编译参数，php的编译参数很多，这里尽量最小化安装，如何选择参数，可通过在第一次安装zabbix的时候环境检测查看到，参数不满足是无法正常安装使用的，我通过本地虚拟机重新安装了一遍zabbix，得到具体环境参数如下，每列可依次理解为：名称、检测结果、需满足的结果、检测是否通过。

PHP version		5.6.40					5.4.0		OK
PHP option 		"memory_limit"			128M	128M	OK
PHP option 		"post_max_size"			8M	16M	Fail
PHP option 		"upload_max_filesize"	2M	2M	OK
PHP option 		"max_execution_time"	30	300	Fail
PHP option 		"max_input_time"	    -1	300	OK
PHP option 		"date.timezone"			unknown		Fail
PHP databases support					MySQL 			OK
PHP bcmath		on						OK
PHP mbstring	on						OK
PHP option 		"mbstring.func_overload"	off	off	OK
PHP option 		"always_populate_raw_post_data"	on	off	Fail
PHP sockets		on				OK
PHP gd			2.1.0	2.0		OK
PHP gd PNG 		support	on		OK
PHP gd JPEG 	support	on		OK
PHP gd FreeType support	on		OK
PHP libxml		2.9.1			2.6.15	OK
PHP xmlwriter	on				OK
PHP xmlreader	on				OK
PHP LDAP		off				Warning
PHP ctype		on				OK
PHP session		on				OK
PHP option 		"session.auto_start"	off	off	OK
PHP gettext		off		Warning
PHP option 		"arg_separator.output"	&	&	OK

查看上述参数，最后确认一个合适的编译参数，如果第一次编译少了某些参数，也可通过不重新编译添加模块的方法，最终编译参数如下：

./configure --prefix=/usr/local/php-5.6.40 \
--enable-opcache \
--with-config-file-path=/usr/local/php-5.6.40/etc \
--with-mysql=mysqlnd \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--enable-fpm \
--enable-static \
--enable-inline-optimization \
--enable-sockets \
--enable-wddx \
--enable-zip \
--enable-calendar \
--enable-bcmath \
--enable-soap \
--with-zlib \
--with-iconv \
--with-gd \
--with-xmlrpc \
--enable-mbstring \
--with-curl \
--with-gettext \
--with-ldap \
--enable-ftp \
--with-mcrypt  \
--with-freetype-dir=/usr/local/freetype.2.1.10 \
--with-jpeg-dir=/usr/local/jpeg.6 \
--with-png-dir=/usr/local/libpng.1.2.50 \
--disable-ipv6 \
--disable-debug \
--with-openssl \
--disable-maintainer-zts \
--disable-fileinfo

3.1.2、排错

编译安装时可能出现的报错和解决办法如下，具体不做分析

报错一：

configure: error: Cannot find ldap.h

解决办法：

yum install -y openldap openldap-devel

报错二：

configure: error: Cannot find ldap libraries in /usr/lib.

解决办法：

cp -frp /usr/lib64/libldap* /usr/lib/

报错三：

//.usrlibs//lib64ldap.o/:liblber -undefined2.4.so.2 :reference  errorto  addingsymbol  symbols':ber_scanf 'DSO
 /missingusr /fromlib64 /commandliblber -line2.4.so.2
: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
collect2: error: ld returned 1 exit status
make: *** [sapi/cli/php] Error 1
make: *** Waiting for unfinished jobs....
make: *** [sapi/cgi/php-cgi] Error 1
/usr/bin/ld: ext/ldap/.libs/ldap.o: undefined reference to symbol 'ber_scanf'
/usr/lib64/liblber-2.4.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status

解决办法：

vim Makefile 在这行最后添加-llber
EXTRA_LIBS = -lcrypt -lz -lresolv -lcrypt -lrt -lmcrypt -lldap -lpng -lz -ljpeg -lcurl -lz -lrt -lm -ldl -lnsl -lxml2 -lz -lm -ldl -lssl -lcrypto -lcurl -lxml2 -lz -lm -ldl -lssl -lcrypto -lfreetype -lxml2 -lz -lm -ldl -lxml2 -lz -lm -ldl -lcrypt -lxml2 -lz -lm -ldl -lxml2 -lz -lm -ldl -lxml2 -lz -lm -ldl -lxml2 -lz -lm -ldl -lxml2 -lz -lm -ldl -lssl -lcrypto -lcrypt -llber

3.2、配置

编译安装完php后，需要修改配置文件php.ini中的内容以满足上述检测：

post_max_size = 16M
max_input_time = 300
max_execution_time = 300
date.timezone = Asia/Shanghai
always_populate_raw_post_data = -1

3.3、配置php为系统服务

编译安装php的，会在php目录生成很多二进制文件，找到init.d.php-fpm，拷贝到init.d下。

cp /usr/local/src/php-5.6.33/sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm

设置权限

chmod 755 /etc/init.d/php-fpm

配置php-fpm.conf

vim /usr/local/etc/php-fpm.conf

如果打开了pid配置，需要将pid（;pid = run/php-fpm.pid）前的;去掉。

启动

/etc/init.d/php-fpm start

3.4、启动

编译配置没有问题，可正常启动

4、访问及排错

访问时出现的报错及解决办法如下

报错一：

FastCGI sent in stderr: "PHP message: PHP Warning:  require_once(/etc/zabbix/web/maintenance.inc.php):   failed to open stream: Permission denied in /app/nginx/html/zabbix/include/classes/core/ZBase.php on line 292
PHP message: PHP Fatal error:  require_once(): Failed opening required '/etc/zabbix/web/mainte‘

解决办法：

chmod -R 755 /etc/zabbix/web

报错二：

Database error
Error connecting to database: No such file or directory

解决办法：修改php.ini

mysqli.default_socket = /var/lib/mysql/mysql.sock

最终，切换nginx及配置https成功：