Configure Zabbix proxy servers to distribute monitoring loads across multiple network segments with encrypted communication, automated discovery, and centralized management for enterprise-scale infrastructure monitoring.
Prerequisites
- Existing Zabbix 7 server installation
- Network connectivity between proxy and server
- Administrative access to proxy servers
- Basic understanding of network monitoring concepts
What this solves
Zabbix proxy servers distribute monitoring loads across network segments, reducing bandwidth usage and enabling monitoring of isolated networks. This setup scales monitoring beyond single-server limitations while maintaining centralized control and reporting through encrypted PSK communication.
Step-by-step installation
Update system packages
Start by updating your package manager to ensure you get the latest versions of all components.
sudo apt update && sudo apt upgrade -yInstall Zabbix repository
Add the official Zabbix 7 repository to access the latest stable packages.
wget https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest+ubuntu24.04_all.deb
sudo dpkg -i zabbix-release_latest+ubuntu24.04_all.deb
sudo apt updateInstall Zabbix proxy server
Install the Zabbix proxy package with SQLite3 support for local data storage and caching.
sudo apt install -y zabbix-proxy-sqlite3 zabbix-sql-scriptsCreate proxy database directory
Set up the directory structure for the SQLite database with proper permissions for the Zabbix user.
sudo mkdir -p /var/lib/zabbix
sudo chown zabbix:zabbix /var/lib/zabbix
sudo chmod 755 /var/lib/zabbixGenerate PSK encryption key
Create a pre-shared key for encrypted communication between proxy and server. Store this securely as you'll need it on the Zabbix server.
sudo mkdir -p /etc/zabbix/keys
sudo openssl rand -hex 32 | sudo tee /etc/zabbix/keys/proxy.psk
sudo chown zabbix:zabbix /etc/zabbix/keys/proxy.psk
sudo chmod 400 /etc/zabbix/keys/proxy.pskConfigure Zabbix proxy
Configure the proxy with server connection details, encryption settings, and local cache parameters.
Server=203.0.113.10
Hostname=proxy-site1
ListenPort=10051
SourceIP=203.0.113.20
DBName=/var/lib/zabbix/zabbix_proxy.db
ProxyOfflineBuffer=24
ConfigFrequency=300
DataSenderFrequency=1
PSK Encryption
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=proxy-site1
TLSPSKFile=/etc/zabbix/keys/proxy.psk
Cache settings
CacheSize=32M
HistoryCacheSize=64M
HistoryIndexCacheSize=16M
TrendCacheSize=16M
Process settings
StartPollers=10
StartPollersUnreachable=5
StartTrappers=10
StartPingers=5
StartDiscoverers=3Set configuration file permissions
Secure the configuration file to prevent unauthorized access to sensitive connection details.
sudo chown root:zabbix /etc/zabbix/zabbix_proxy.conf
sudo chmod 640 /etc/zabbix/zabbix_proxy.confConfigure firewall rules
Open the necessary ports for proxy communication with the Zabbix server and monitored devices.
sudo ufw allow 10051/tcp comment "Zabbix Proxy"
sudo ufw allow 162/udp comment "SNMP Traps"
sudo ufw reloadEnable and start Zabbix proxy
Start the proxy service and enable it to automatically start on system boot.
sudo systemctl enable --now zabbix-proxy
sudo systemctl status zabbix-proxyConfigure Zabbix server for proxy
Add proxy to Zabbix server
Configure the proxy on your main Zabbix server through the web interface or database. Access Administration > Proxies in the Zabbix web interface.
| Setting | Value | Description |
|---|---|---|
| Proxy name | proxy-site1 | Must match Hostname in proxy config |
| Proxy mode | Active | Proxy initiates connection to server |
| Proxy address | 203.0.113.20 | IP address of proxy server |
| Encryption | PSK | Enable PSK encryption |
| PSK identity | proxy-site1 | Must match proxy configuration |
| PSK | [key from file] | Copy content from proxy.psk file |
Configure network discovery
Set up network discovery rules to automatically find and monitor devices through the proxy. Go to Configuration > Discovery in the Zabbix interface.
Name: Site1-Network-Discovery
IP ranges: 192.168.1.1-254
Proxy: proxy-site1
Checks:
- SNMP v2 community: public
- ICMP ping
- HTTP/HTTPS
- SSH
Update interval: 1h
Device uniqueness criteria: IP addressConfigure proxy monitoring and templates
Apply host templates through proxy
Assign monitoring templates to hosts that will be monitored through the proxy. This enables distributed monitoring while maintaining centralized template management.
1. Go to Configuration > Hosts
- Create new host or edit existing
- Set 'Monitored by proxy' to 'proxy-site1'
- Assign appropriate templates:
- Template OS Linux by SNMP
- Template Net Network Devices
- Template App HTTP Service
- Configure host interface with proxy settings
Configure proxy health monitoring
Set up monitoring for the proxy itself to ensure it remains healthy and connected to the main server.
zabbix[proxy,proxy-site1,lastaccess]
zabbix[proxy,proxy-site1,delay]
zabbix[proxy,proxy-site1,items]
zabbix[proxy,proxy-site1,hosts]
zabbix[proxy,proxy-site1,triggers]Set up multiple proxy deployment
Deploy additional proxies
For large environments, deploy multiple proxies to distribute load across network segments. Each proxy needs unique configuration.
# Proxy 2 configuration differences
Hostname=proxy-site2
SourceIP=203.0.113.30
TLSPSKIdentity=proxy-site2
TLSPSKFile=/etc/zabbix/keys/proxy2.psk
Proxy 3 configuration differences
Hostname=proxy-datacenter1
SourceIP=10.0.1.50
TLSPSKIdentity=proxy-datacenter1
TLSPSKFile=/etc/zabbix/keys/proxy3.pskConfigure proxy load balancing
Distribute monitoring loads across multiple proxies by assigning different network segments or device types to each proxy.
| Proxy | Network Segment | Device Types | Max Hosts |
|---|---|---|---|
| proxy-site1 | 192.168.1.0/24 | Network devices, servers | 100 |
| proxy-site2 | 192.168.2.0/24 | Workstations, printers | 200 |
| proxy-datacenter1 | 10.0.1.0/24 | Critical servers, storage | 50 |
Advanced proxy configuration
Configure passive proxy mode
For environments where proxies cannot initiate outbound connections, configure passive mode where the server connects to proxies.
# On proxy server - disable active mode
Server=203.0.113.10
ListenIP=0.0.0.0
ListenPort=10051
Server must be configured to connect to proxy
In Zabbix interface:
Proxy mode: Passive
Interface IP: 203.0.113.20
Interface Port: 10051
Configure proxy data retention
Set appropriate data retention policies to manage local storage and prevent disk space issues during network outages.
ProxyLocalBuffer=168
ProxyOfflineBuffer=720
HeartbeatFrequency=60
ConfigFrequency=300
DataSenderFrequency=1
Local database maintenance
HousekeepingFrequency=1
MaxHousekeeperDelete=5000Monitor proxy performance
Set up proxy performance monitoring
Monitor key proxy metrics to ensure optimal performance and identify potential bottlenecks.
# Queue sizes
zabbix[queue,10m]
zabbix[queue,overview]
Process utilization
zabbix[process,poller,avg,busy]
zabbix[process,trapper,avg,busy]
zabbix[process,discoverer,avg,busy]
Cache utilization
zabbix[rcache,buffer,pused]
zabbix[wcache,values]
zabbix[dcache,buffer,pused]Verify your setup
# Check proxy status
sudo systemctl status zabbix-proxy
Verify proxy log for successful connection
sudo tail -f /var/log/zabbix/zabbix_proxy.log
Check database creation
sudo ls -la /var/lib/zabbix/
Verify PSK file exists and has correct permissions
sudo ls -la /etc/zabbix/keys/proxy.psk
Test proxy connectivity
sudo netstat -tlnp | grep 10051
Check proxy registration on server
zabbix_get -s 203.0.113.10 -k zabbix[proxy,proxy-site1,lastaccess]Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Proxy won't start | Database path not writable | sudo chown zabbix:zabbix /var/lib/zabbix |
| PSK connection fails | Key mismatch or permissions | Verify PSK content matches on server, check file permissions 400 |
| Discovery not working | Firewall blocking SNMP | Open port 161/udp: sudo ufw allow 161/udp |
| High proxy queue | Insufficient pollers | Increase StartPollers in configuration |
| Database lock errors | Multiple proxy instances | sudo pkill zabbix_proxy && sudo systemctl start zabbix-proxy |
| Proxy shows offline | Network connectivity issues | Check firewall rules and network routing |
Next steps
- Configure Zabbix 7 API automation with Python scripts for monitoring and alerting
- Configure Zabbix SNMP monitoring for network devices with automated discovery and templates
- Set up Zabbix 7 high availability cluster with PostgreSQL replication and automated failover
- Integrate Zabbix with Grafana dashboards for enhanced visualization and reporting
Running this in production?
Need this managed? Setting this up once is straightforward. Keeping it patched, monitored, backed up and performant across environments is the harder part. See how we run infrastructure like this for European teams who need reliable monitoring at scale.
Automated install script
Run this to automate the entire setup
install.sh
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Default values
ZABBIX_SERVER_IP=""
PROXY_HOSTNAME=""
PROXY_SOURCE_IP=""
# Usage function
usage() {
echo "Usage: $0 --server <zabbix_server_ip> --hostname <proxy_hostname> [--source-ip <proxy_source_ip>]"
echo " --server IP address of the Zabbix server"
echo " --hostname Hostname for this proxy (must be unique)"
echo " --source-ip Source IP for proxy connections (optional)"
exit 1
}
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--server)
ZABBIX_SERVER_IP="$2"
shift 2
;;
--hostname)
PROXY_HOSTNAME="$2"
shift 2
;;
--source-ip)
PROXY_SOURCE_IP="$2"
shift 2
;;
-h|--help)
usage
;;
*)
echo -e "${RED}Unknown option: $1${NC}"
usage
;;
esac
done
# Validate required arguments
if [[ -z "$ZABBIX_SERVER_IP" || -z "$PROXY_HOSTNAME" ]]; then
echo -e "${RED}Error: Missing required arguments${NC}"
usage
fi
# Cleanup function for rollback
cleanup() {
echo -e "${YELLOW}Installation failed. Cleaning up...${NC}"
systemctl stop zabbix-proxy 2>/dev/null || true
systemctl disable zabbix-proxy 2>/dev/null || true
rm -f /etc/zabbix/zabbix_proxy.conf.bak 2>/dev/null || true
}
# Set trap for cleanup on error
trap cleanup ERR
# Check if running as root or with sudo
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}This script must be run as root or with sudo${NC}"
exit 1
fi
echo -e "${GREEN}Installing Zabbix 7 Proxy Server${NC}"
# Detect distribution
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_INSTALL="apt install -y"
PKG_UPDATE="apt update && apt upgrade -y"
FIREWALL_CMD="ufw"
;;
almalinux|rocky|centos|rhel|ol)
PKG_MGR="dnf"
PKG_INSTALL="dnf install -y"
PKG_UPDATE="dnf update -y"
FIREWALL_CMD="firewall-cmd"
;;
fedora)
PKG_MGR="dnf"
PKG_INSTALL="dnf install -y"
PKG_UPDATE="dnf update -y"
FIREWALL_CMD="firewall-cmd"
;;
amzn)
PKG_MGR="yum"
PKG_INSTALL="yum install -y"
PKG_UPDATE="yum update -y"
FIREWALL_CMD="firewall-cmd"
;;
*)
echo -e "${RED}Unsupported distribution: $ID${NC}"
exit 1
;;
esac
else
echo -e "${RED}Cannot detect distribution${NC}"
exit 1
fi
# Step 1: Update system packages
echo -e "${GREEN}[1/9] Updating system packages...${NC}"
$PKG_UPDATE
# Step 2: Install required tools
echo -e "${GREEN}[2/9] Installing required tools...${NC}"
if [[ "$PKG_MGR" == "apt" ]]; then
$PKG_INSTALL wget curl openssl
else
$PKG_INSTALL wget curl openssl
fi
# Step 3: Install Zabbix repository
echo -e "${GREEN}[3/9] Installing Zabbix repository...${NC}"
if [[ "$PKG_MGR" == "apt" ]]; then
wget -q https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest+ubuntu24.04_all.deb
dpkg -i zabbix-release_latest+ubuntu24.04_all.deb
apt update
rm -f zabbix-release_latest+ubuntu24.04_all.deb
else
case "$ID" in
almalinux|rocky)
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rocky/9/x86_64/zabbix-release-latest.el9.noarch.rpm
;;
centos|rhel|ol)
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-latest.el9.noarch.rpm
;;
fedora)
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/fedora/39/x86_64/zabbix-release-latest.fc39.noarch.rpm
;;
amzn)
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-latest.el9.noarch.rpm
;;
esac
$PKG_MGR clean all
if [[ "$PKG_MGR" == "dnf" ]]; then
dnf update -y
fi
fi
# Step 4: Install Zabbix proxy
echo -e "${GREEN}[4/9] Installing Zabbix proxy server...${NC}"
$PKG_INSTALL zabbix-proxy-sqlite3 zabbix-sql-scripts
# Step 5: Create proxy database directory
echo -e "${GREEN}[5/9] Creating proxy database directory...${NC}"
mkdir -p /var/lib/zabbix
chown zabbix:zabbix /var/lib/zabbix
chmod 755 /var/lib/zabbix
# Step 6: Generate PSK encryption key
echo -e "${GREEN}[6/9] Generating PSK encryption key...${NC}"
mkdir -p /etc/zabbix/keys
openssl rand -hex 32 > /etc/zabbix/keys/proxy.psk
chown zabbix:zabbix /etc/zabbix/keys/proxy.psk
chmod 400 /etc/zabbix/keys/proxy.psk
PSK_KEY=$(cat /etc/zabbix/keys/proxy.psk)
echo -e "${YELLOW}PSK Key generated: ${PSK_KEY}${NC}"
echo -e "${YELLOW}Save this key - you'll need it on the Zabbix server!${NC}"
# Step 7: Configure Zabbix proxy
echo -e "${GREEN}[7/9] Configuring Zabbix proxy...${NC}"
cp /etc/zabbix/zabbix_proxy.conf /etc/zabbix/zabbix_proxy.conf.bak
cat > /etc/zabbix/zabbix_proxy.conf << EOF
Server=${ZABBIX_SERVER_IP}
Hostname=${PROXY_HOSTNAME}
ListenPort=10051
$([ -n "$PROXY_SOURCE_IP" ] && echo "SourceIP=${PROXY_SOURCE_IP}")
DBName=/var/lib/zabbix/zabbix_proxy.db
ProxyOfflineBuffer=24
ConfigFrequency=300
DataSenderFrequency=1
# PSK Encryption
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=${PROXY_HOSTNAME}
TLSPSKFile=/etc/zabbix/keys/proxy.psk
# Cache settings
CacheSize=32M
HistoryCacheSize=64M
HistoryIndexCacheSize=16M
TrendCacheSize=16M
# Process settings
StartPollers=10
StartPollersUnreachable=5
StartTrappers=10
StartPingers=5
StartDiscoverers=3
LogFile=/var/log/zabbix/zabbix_proxy.log
LogFileSize=10
EOF
chown root:zabbix /etc/zabbix/zabbix_proxy.conf
chmod 640 /etc/zabbix/zabbix_proxy.conf
# Step 8: Configure firewall
echo -e "${GREEN}[8/9] Configuring firewall...${NC}"
if [[ "$FIREWALL_CMD" == "ufw" ]]; then
if command -v ufw >/dev/null 2>&1; then
ufw allow 10051/tcp comment "Zabbix Proxy"
ufw allow 162/udp comment "SNMP Traps"
ufw --force reload
fi
else
if command -v firewall-cmd >/dev/null 2>&1; then
firewall-cmd --permanent --add-port=10051/tcp
firewall-cmd --permanent --add-port=162/udp
firewall-cmd --reload
fi
fi
# Step 9: Enable and start Zabbix proxy
echo -e "${GREEN}[9/9] Starting Zabbix proxy service...${NC}"
systemctl enable zabbix-proxy
systemctl start zabbix-proxy
# Verification
echo -e "${GREEN}Verifying installation...${NC}"
sleep 5
if systemctl is-active --quiet zabbix-proxy; then
echo -e "${GREEN}✓ Zabbix proxy service is running${NC}"
else
echo -e "${RED}✗ Zabbix proxy service is not running${NC}"
systemctl status zabbix-proxy
exit 1
fi
if [[ -f /var/lib/zabbix/zabbix_proxy.db ]]; then
echo -e "${GREEN}✓ Proxy database created${NC}"
else
echo -e "${YELLOW}⚠ Proxy database not yet created (will be created on first connection)${NC}"
fi
echo -e "${GREEN}Installation completed successfully!${NC}"
echo -e "${YELLOW}Next steps:${NC}"
echo "1. Add this proxy to your Zabbix server web interface:"
echo " - Proxy name: ${PROXY_HOSTNAME}"
echo " - Proxy mode: Active"
echo " - Proxy address: $(hostname -I | awk '{print $1}')${PROXY_SOURCE_IP:+ or $PROXY_SOURCE_IP}"
echo " - Encryption: PSK"
echo " - PSK identity: ${PROXY_HOSTNAME}"
echo " - PSK: ${PSK_KEY}"
echo ""
echo "2. Configure hosts to use this proxy in Zabbix server"
echo "3. Check proxy logs: tail -f /var/log/zabbix/zabbix_proxy.log"Review the script before running. Execute with: bash install.sh