Plan:
host1: [zabbix-agent (active, send data) → haproxy (port 10052) ] → host2[zabbix-server (port 10051)]
Is it possible to configure tcp-check send-binary and tcp-check expect when TLS encryption is configured between zabbix agent and zabbix server? It works without encryption. But as soon as encryption by certificate is configured, the zabbix server expects that the tcp-check send-binary somedata string will be transmitted encrypted with the zabbix agent certificate. And when haproxy sends an unencrypted string, the zabbix server does not respond to the request. Is it somehow possible to encrypt the string sent by haproxy with a zabbix agent certificate - tcp-check send-binary somedata?
    frontend z-client
        bind :10061
        default_backend z-srvs

    backend z-srvs
        mode tcp
        server z-srv1 13.13.13.13:10051 check inter 9s
        option tcp-check
        # Plain-text check: connect, send the probe bytes, match the reply
        tcp-check connect
        tcp-check send-binary somebinarydata
        tcp-check expect string someresponse
I added ssl parameters to the server directive in the haproxy on the side of the zabbix agent:
    check-ssl crt /var/lib/haproxy/fullchain.pem ca-file /var/lib/haproxy/isrgrootx1.pem

But tcpdump shows that the traffic remains unencrypted.
In order to receive an encrypted response from the zabbix server, I need to send tcp-check send-binary with the encrypted certificate specified in the zabbix agent.
Result:
    frontend z-client
        bind :10061
        default_backend z-srvs

    backend z-srvs
        mode tcp
        # check-ssl with client certificate and CA added to the server line
        server z-srv1 13.13.13.13:10051 check inter 9s check-ssl crt /var/lib/haproxy/fullchain.pem ca-file /var/lib/haproxy/isrgrootx1.pem
        option tcp-check
        tcp-check connect
        tcp-check send-binary somebinarydata
        tcp-check expect string someresponse
Solved
    frontend z-client
        bind :10061
        default_backend z-srvs

    backend z-srvs
        mode tcp
        # check-ssl removed from the server line; crt and ca-file stay
        server z-srv1 13.13.13.13:10051 check inter 9s crt /var/lib/haproxy/fullchain.pem ca-file /var/lib/haproxy/isrgrootx1.pem
        option tcp-check
        # "ssl" on the connect step is the change from the previous attempt
        tcp-check connect ssl
        tcp-check send-binary somebinarydata
        tcp-check expect string someresponse
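
One way to produce the hex string that stands in for somebinarydata above, as an added example that is not part of the original post. It assumes the probe is a Zabbix "active checks" request in the ZBXD framing (magic, flags byte, 4-byte little-endian length, 4 reserved bytes, JSON body); the host name agent-host.example and the ZBXD expect string are placeholders chosen for illustration.

```python
import json
import struct

ZBX_MAGIC = b"ZBXD"
ZBX_FLAG_PROTO = 0x01  # plain, uncompressed Zabbix frame
HEADER_LEN = 13        # 4 magic + 1 flags + 4 length + 4 reserved


def zbx_frame(payload):
    """Wrap a JSON request in the Zabbix header (assumed framing, see lead-in)."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return ZBX_MAGIC + struct.pack("<BII", ZBX_FLAG_PROTO, len(body), 0) + body


def zbx_parse(frame):
    """Validate a Zabbix frame and return its decoded JSON body."""
    if len(frame) < HEADER_LEN or frame[:4] != ZBX_MAGIC:
        raise ValueError("not a Zabbix frame")
    flags, length, _reserved = struct.unpack("<BII", frame[4:HEADER_LEN])
    if flags != ZBX_FLAG_PROTO:
        raise ValueError("unsupported flags 0x%02x" % flags)
    body = frame[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body)


def haproxy_check_lines(host):
    """Return tcp-check directives for a TLS health check of a Zabbix server.

    `host` is the agent host name sent in the request (hypothetical value).
    Expecting the literal "ZBXD" only proves the server answered with a
    Zabbix frame once the TLS handshake succeeded; it is an assumption,
    not the original poster's expect string.
    """
    request = zbx_frame({"request": "active checks", "host": host})
    return [
        "tcp-check connect ssl",
        "tcp-check send-binary " + request.hex(),
        "tcp-check expect string ZBXD",
    ]


if __name__ == "__main__":
    # Constructed sample host name; replace with the agent's configured name.
    print("\n".join(haproxy_check_lines("agent-host.example")))
```
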