So I'm trying to set up HTTPS for my Graylog server. I have followed the guide for [Setting up the proxy](http://docs.graylog.org/en/3.0/pages/configuration/web_interface.html#configuring-webif) and read through Using HTTPS.
I've edited /etc/apache2/sites-available/default-ssl.conf and put in:
```apache
<VirtualHost *:443>
    ServerName host.domain.co.uk
    ProxyRequests Off
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildtnewc.cer
    SSLCertificateKeyFile /etc/apache2/ssl/wildnew.key
    SSLCertificateChainFile /etc/apache2/ssl/wildtnewc.cer
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        RequestHeader set X-Graylog-Server-URL "host.domain.co.uk:9000/"
        ProxyPass https://host.domain.co.uk:9000/
        ProxyPassReverse https://host.domain.co.uk:9000/
    </Location>
</VirtualHost>
```
Restarted Apache, but when I go to my host.domain.co.uk I get an error page stating:

> This site can't be reached. host.domain.co.uk refused to connect.

I have made those changes, but it's still not working. I have disabled the firewall for the moment.
I can get to hostname.com:9000
I can get to http://hostname.com (this takes me to the apache2 default splash screen). I can not get to https://hostname.com (I get "This site can't be reached").
I don't know whether it's the best practice, but I do know it's a very common practice. Personally I believe in keeping things as simple as possible, and thought putting a proxy in-between would only muddy the waters. But that's my personal choice.
Can you connect to port 443 on your proxy? This won’t get you actual HTTPS, but it tests for the port.
What does `openssl s_client -connect target:443` show you? Is the connection valid?
In the server logs for your proxy server, what does it tell you there? You should have both access and error logs for the proxy/vhost that you defined.
Thanks Tess. I went with the proxy because I’ve used apache2 in the past for Nextcloud, mediawiki and set up the SSL with no problems.
I have never set up a proxy before, but from the Graylog instructions it seemed quite straightforward. Would it be better to do this through the Graylog server?
No, can't connect to 443. Used `nc -v IP 443` and get back: `nc: connect to IP port 443 (tcp) failed: Connection refused`
Port 80 is good: `Connection to IP 80 port [tcp/http] succeeded!`
Firewall is turned off
Running `openssl s_client -connect target:443` I get back:

```
140625505100224:error:20087002:BIO routines:BIO_lookup:system lib:../crypto/bio/b_addr.c:693:Temporary failure in name resolution
connect:errno=1
```

`tail /var/log/apache2/error.log` is only showing notices:

```
[Mon Feb 25 09:30:46.116949 2019] [mpm_event:notice] [pid 14383:tid 139816477367232] AH00491: caught SIGTERM, shutting down
[Mon Feb 25 09:30:46.238871 2019] [mpm_event:notice] [pid 14522:tid 140027025042368] AH00489: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
[Mon Feb 25 09:30:46.239091 2019] [core:notice] [pid 14522:tid 140027025042368] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 25 09:33:53.789749 2019] [mpm_event:notice] [pid 14522:tid 140027025042368] AH00491: caught SIGTERM, shutting down
[Mon Feb 25 09:41:13.835725 2019] [mpm_event:notice] [pid 14714:tid 139636331256768] AH00489: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
[Mon Feb 25 09:41:13.836025 2019] [core:notice] [pid 14714:tid 139636331256768] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 25 09:49:07.029017 2019] [mpm_event:notice] [pid 14714:tid 139636331256768] AH00491: caught SIGTERM, shutting down
[Mon Feb 25 10:28:43.012275 2019] [mpm_event:notice] [pid 15046:tid 140315883342784] AH00489: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
[Mon Feb 25 10:28:43.031091 2019] [core:notice] [pid 15046:tid 140315883342784] AH00094: Command line: '/usr/sbin/apache2'
```
That means the most basic of basics isn’t working: your Apache isn’t listening on port 443, meaning the configuration hasn’t activated correctly. I say that, assuming that you still have the firewall disabled, because you wrote:
> I have disabled the firewall for the moment.
Now… on the box itself, do you see 443 waiting for connections?
Yeah, that means your Apache isn't listening on port 443. So the configuration you've made is not loading correctly. If it was working, you should have seen an entry for `172.24.228.161:443 LISTEN`.
Thanks Tess. I've gone back and put the default configs back and still get an error on `openssl s_client -connect target:443`; it doesn't return anything. Checked both log files and again no info in either.
Possible bad install of apache2?
I’m going to go back to the back up and have a look at the graylog server dealing with HTTPS.
One important question would of course be: have you prepared Apache so that it can actually serve HTTPS? Apache requires a bunch of additional configuration steps before you can enable HTTPS with TLS/SSL. Not in the least, it’ll require a keypair and a certificate.
No, not done any prep to Apache, just installed it. I didn't know that there were other steps required to config SSL. I have the cert and key that we use for sites. Do you have a link to any resources for further config to Apache?
Well, there you go then! That's why it's not working.
Unfortunately, unless your certificate setup involves wildcard certs or a rather crappy CA setup, you cannot simply copy keys and certs between hosts. Certificates are made for specific hosts (unless wildcarded), so you'll have to make sure that the keypair and cert match the host you're setting up.
There’s plenty of documentation out there on setting up Apache with TLS. The most basic would be the Apache docs themselves (adjust the version number to your current ver):
`sudo a2enmod proxy_http`, but it was already enabled.
Then restart Apache.
My SSL certs were wildcard certs (which means it covers anything within my domain. I'm running this internally, but I still need a cert due to compliance).
I put the certs in a folder called 'ssl' in /etc/apache.
My 000-default.conf looks like this:
```apache
<VirtualHost *:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Redirects all traffic from port 80 to port 443
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/?(.*) https://hostname.domain.com/$1 [L,R]
</VirtualHost>
```

This will redirect all traffic on port 80 to 443.
My default-ssl.conf looks like this:
```apache
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName hostname.domain.com
        ProxyRequests Off
        ProxyPreserveHost On
        SSLEngine on
        # Point to ssl certs
        SSLCertificateFile /etc/apache2/ssl/wildtnewc.cer
        SSLCertificateKeyFile /etc/apache2/ssl/wildnew.key
        SSLCertificateChainFile /etc/apache2/ssl/wildtnewc.cer
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Location />
            RequestHeader set X-Graylog-Server-URL "https://hostname.domain.com"
            ProxyPass http://HOSTIP:9000/
            ProxyPassReverse http://HOSTIP:9000/
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
```
Having ProxyPass and ProxyPassReverse set to 127.0.0.1 did not work for me, and I was getting the following error in the logs:

```
AH01114: HTTP: failed to make connection to backend: 127.0.0.1
```

So I changed it to my Graylog server's IP.
Make sure you restart Apache after any changes are made. Hope this helps!
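As an added example that is not from this thread, the small Python lint below checks a vhost excerpt for the pitfalls the thread worked through: an X-Graylog-Server-URL without a scheme that points at the :9000 backend rather than the proxy, a ProxyPass using https:// towards Graylog, a loopback backend (the AH01114 error above), and a missing ProxyPreserveHost or certificate directive. The two excerpts are constructed from the configs posted here; `directive` and `lint_graylog_vhost` are names of my own.

```python
import re

# Constructed excerpts of the two vhosts posted in this thread (first attempt, then the
# working one); only the directives the checks look at are reproduced.
BROKEN = '''<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/wildtnewc.cer
  SSLCertificateKeyFile /etc/apache2/ssl/wildnew.key
  RequestHeader set X-Graylog-Server-URL "host.domain.co.uk:9000/"
  ProxyPass https://host.domain.co.uk:9000/
</VirtualHost>'''
WORKING = '''<VirtualHost *:443>
  ProxyPreserveHost On
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/wildtnewc.cer
  SSLCertificateKeyFile /etc/apache2/ssl/wildnew.key
  RequestHeader set X-Graylog-Server-URL "https://hostname.domain.com"
  ProxyPass http://HOSTIP:9000/
</VirtualHost>'''

def directive(text, name):
    """Argument of the first matching directive (name may be a regex), or None."""
    m = re.search(r'^\s*' + name + r'\s+(.+?)\s*$', text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def lint_graylog_vhost(text):
    """Return findings for the pitfalls this thread ran into; an empty list means clean."""
    findings = []
    url = (directive(text, r'RequestHeader\s+set\s+X-Graylog-Server-URL') or '').strip('"')
    if not url:
        findings.append('X-Graylog-Server-URL is not set')
    elif not re.match(r'https?://', url):            # first attempt had no scheme at all
        findings.append('X-Graylog-Server-URL lacks a scheme: ' + url)
    if re.search(r':9000(/|$)', url):                 # must be the proxy URL, not the backend
        findings.append('X-Graylog-Server-URL points at the :9000 backend instead of the proxy')
    backend = directive(text, 'ProxyPass') or ''
    if not backend:
        findings.append('no ProxyPass directive')
    if backend.lower().startswith('https://'):        # Graylog on :9000 spoke plain HTTP here
        findings.append('ProxyPass uses https:// towards Graylog; the working config uses http://')
    if re.search(r'://(127\.0\.0\.1|localhost)[:/]', backend):
        findings.append('ProxyPass targets loopback; Graylog may be bound elsewhere (cf. AH01114)')
    if (directive(text, 'ProxyPreserveHost') or '').lower() != 'on':
        findings.append('ProxyPreserveHost On is missing')
    if (directive(text, 'SSLEngine') or '').lower() == 'on':
        findings += [d + ' missing although SSLEngine is on'
                     for d in ('SSLCertificateFile', 'SSLCertificateKeyFile') if directive(text, d) is None]
    return findings
```

Running `lint_graylog_vhost` over the first excerpt yields four findings; the working excerpt yields none.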