Zabbix Keeps Logging me Out
Zabbix Keeps Logging me Out
by Jeff on October 7th, 2016 No Comments »
 , , ,

I recently ran into an issue while installing a new Zabbix server running Zabbix 3.2. After the installation, Zabbix would keep logging me out. I would authenticate, click the Administration tab, then receive an access denied message saying I’m logged in as a guest user. It turns out that the reason Zabbix keeps logging me out is that I’m using HTTPS to access my Zabbix installation and Zabbix itself has a JSON call that has a hardcoded HTTP address. For security reasons, when you log in via HTTPS, the cookie has the “secure” flag set, which means that cookie cannot be read by non-SSL pages. The request to/from a non SSL page will cannot read the session cookie, therefore assumes we are not logged and shows the error, while also deleting all cookies. This is why Zabbix keeps logging me out.

I was able to test this by viewing my Apache logs after I log in. I saw the following request

"POST /jsrpc.php?output=json-rpc HTTP/1.1" 200 76 "http://zabbix.example.com/adm.gui.php?ddreset=1"

This is the point where Zabbix keeps logging me out. To avoid this, we need to use Apache’s mod rewrite to force SSL on the entire site to use HTTPS. The easiest place to create this rewrite/redirect rule is the .htaccess file in the websites root directory. Let’s say you have Zabbix installed here

/var/www/html/zabbix/

Then you’d create and/or modify the current .htaccess file with your favorite text editor (I prefer VI)

[root@server localhost]# vi /var/www/html/zabbix/.htaccess

And add the following lines

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Save the files

{esc} :wq

Now load your Zabbix website. Every page will now redirect to HTTPS. Zabbix no longer keeps logging me out.

Note: You should already have a valid SSL certificate installed and Apache configured to handle HTTPS traffic.