Accessing GUI using internal and external IP

Graylog Central (peer support)
1

Hi

I run Graylog on a Debian VM within a DMZ behind a firewall.
Internally everything worked and I could access the GUI etc.

Now I would like to expose the graylog machine using a public IP.
The 1:1 NAT is setup and working, but I can’t seem to get the configuration for graylog correct.
So far I was able to find similar problems, but they were all for 2.x

Now my question is, what is the right combination to use in the config?

172.16.99.204 is the (internal) IP of the VM
xxx.yyy.237.107 would be the public IP

So far I’ve tried most (?) combinations of different IPs for http_bind_address / http_publish_uri and http_external_uri

The external url graylog.example.com is known both in and outside of my network

Depending on the config (which, unfortunately I have discarded and can’t reproduce it) I can either access the GUI internally, but not externally, or I get net::ERR_CONNECTION_REFUSED for the GUI assets (CSS, JS etc)

Any idea on how I can accomplish this? If at all?

Thanks!

2

you have two options to make this happen, the important setting is the http_external_uri as this tells the client where it can reach the Graylog API - by client I mean your browser.

  1. have a DNS entry that resolve internal to the internal IP and external to the external ip (e.g graylog.company.tld resolves different. http_external_uri set to graylog.company.tld
  2. having a proxy (like nginx) with two vhosts.
    As you can overwrite the http_external_uri on a proxy ( see docs ) have one vhost for internal and one for external access

Internal

server
{
    listen      443 ssl spdy;
    server_name graylog.intern.company.tld;
    # <- your SSL Settings here!

    location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/;
      proxy_pass       http://127.0.0.1:9000;
    }
}

external

server
{
    listen      443 ssl spdy;
    server_name graylog.company.tld;
    # <- your SSL Settings here!

    location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/;
      proxy_pass       http://127.0.0.1:9000;
    }
}

the above assume that the proxy is (nginx) is running on the same host as Graylog does. So it might need to be adjusted to your setup!

3

Hi Jan

Thank you for you answer!

This sounds a bit complicated I fear.
Would I need to install nginx on top of graylog? Or change the existing ngnix that came with the deb repository (I am afraid I don’t know what graylog uses as http server)

But can you explain to me, why my 1:1 NAT is not working? Or why I would need to be able to tell graylog the existence of both of my IPs? I thought this setup is not so uncommon?

Thanks!

4

The reason is how Graylog is working:

You have the Graylog server that is providing a REST-API and a browser based application that is communicating with that API.

So as the browser based application needs to know how to access the API you have multiple options. My first suggested would work without a problem. But you need to have control over your DNS and know how to configure that.

The second would include a Proxy (NGINX) that is available on both networks internal and external and can reach Graylog to proxy the request.

You are right the setup is very common - but not really complicated if you know the above.

5

ah sorry! I misread! I thought I needed both :wink:

Ok the DNS option is perfect!
What do I set for http_bind_address / http_publish_uri?
0.0.0.0 or the internal IP?

6

please read the docs and if unclear return - because the docs would need a rewrite if that is not clear.

7

Hi Jan

yes, it is unclear (at least to me, maybe it is not for everyone else)

These following statements are all my understanding how things work - this can be very wrong! :wink:

http_bind_address:

  • Using 127.0.0.1:9000 would lead to only localhost mapping (= running graylog on the same machine as you access it with)
  • must be accessible by all Graylog nodes: but these will be two different IPs (external & internal)?

http_publish_uri:

  • not really needed for solving my problem? So I can leave it uncommented and use the default http://$http_bind_address/

or am I again misunderstanding? :frowning:

8

http_bind_interface can be wildcard (read 0.0.0.0) that Graylog is listening on all devices that are available on the server Graylog is running on

http_publish_uri needs to be a specific adress where Graylog can reach itself - in multi Graylog hosts environments that publish uri of each host needs to be reachable by all other Graylog server that the Graylog nodes can communicate over that.

http_external_uri is where the application in your browser can reach Graylog (API) to get the data.

Is that more clear now?

9

Thank you!
Sorry to be so complicated, but it does not seem to be working :confused:

server.log

(...)
2019-07-26T13:13:57.209+02:00 INFO  [connection] Opened connection [connectionId{localValue:8, serverValue:34}] to localhost:27017
2019-07-26T13:13:58.277+02:00 INFO  [JerseyService] Enabling CORS for HTTP endpoint
2019-07-26T13:14:39.133+02:00 INFO  [NetworkListener] Started listener bound to [0.0.0.0:9000]
2019-07-26T13:14:39.135+02:00 INFO  [HttpServer] [HttpServer] Started.
2019-07-26T13:14:39.135+02:00 INFO  [JerseyService] Started REST API at <0.0.0.0:9000>
2019-07-26T13:14:39.138+02:00 INFO  [ServerBootstrap] Services started, startup times in ms: {OutputSetupService [RUNNING]=254, BufferSynchronizerService [RUNNING]=270, GracefulShutdownService [RUNNING]=299, KafkaJournal [RUNNING]=314, PeriodicalsService [RUNNING]=432, InputSetupService [RUNNING]=463, ConfigurationEtagService [RUNNING]=517, EtagService [RUNNING]=517, StreamCacheService [RUNNING]=544, LookupTableService [RUNNING]=551, JournalReader [RUNNING]=562, JerseyService [RUNNING]=42386}
2019-07-26T13:14:39.146+02:00 INFO  [ServerBootstrap] Graylog server up and running.
2019-07-26T13:14:39.147+02:00 INFO  [ServiceManagerListener] Services are healthy
2019-07-26T13:14:39.148+02:00 INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2019-07-26T13:14:39.173+02:00 INFO  [InputStateListener] Input [Syslog UDP/5d31c5cbf7f6e633974301d4] is now STARTING
2019-07-26T13:14:39.184+02:00 INFO  [InputStateListener] Input [Syslog UDP/5d31c6b8f7f6e633974302d9] is now STARTING
2019-07-26T13:14:39.307+02:00 INFO  [InputStateListener] Input [Syslog UDP/5d31c6b8f7f6e633974302d9] is now RUNNING
2019-07-26T13:14:39.321+02:00 INFO  [InputStateListener] Input [Syslog UDP/5d31c5cbf7f6e633974301d4] is now RUNNING
2019-07-26T13:14:39.355+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=elk.company.tld, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=dff27e32-9166-4e32-a425-0345cf2eef2a} (channel [id: 0xe6ac1fdb, L:/172.16.99.204:5140]) should be 262144 but is 425984.
2019-07-26T13:14:39.358+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=MacPro, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=dff27e32-9166-4e32-a425-0345cf2eef2a} (channel [id: 0x3ddceeaa, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.

server.conf (excerpt)

http_bind_address = 0.0.0.0:9000
http_publish_uri = http://graylog.company.tld:9000/
http_external_uri = http://graylog.company.tld/

everything else (exepct user / hash) is the default config

The browser (both public and private network access report, accessing http://graylog.company.tld:9000/):

Untitled%208
Untitled 8.png2370×360 109 KB

DNS is working, ports for external access are open (9000 & 80) - internally there is no blocking

10

how did you configured that port proxy from port 80 to port 9000?

cause that had happend for the http_external_uri what proxy did you use to make this happen? because Graylog is running on Port 9000 …

11

ah! figured it out!
I had to define http_external_uri = http://graylog.company.tld:9000/

omitting the port defaulted back to 80 and as you said, Graylog only listens on 9000

Thank you so much for your help!!

12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.