Changing http_external_uri makes Graylog inaccessible inside

This is on a pretty fresh install of the Graylog 3.1.3 OVA appliance install, which means it runs nginx (most of the Google results for this issue apply to Apache on Docker).

Everything works great internally, but not externally. It’s exposed to the internet via the fantastic Nginx Proxy Manager by jc21 ( https://github.com/jc21/nginx-proxy-manager )

I have a proxy host set up so Graylog at http://10.0.0.208:9000 is proxied to graylog.mywebsite.com with an SSL cert from Let's Encrypt. When I try to view graylog.mywebsite.com I get a blank page titled “Graylog Web Interface” from Graylog, well, an unrendered blank page. Graylog is trying to send something because the source HTML of the blank page contains some JavaScript source links it couldn’t retrieve because they were sent as internal IPs. You can see the whole “blank” page here: https://pastebin.com/xLv0ynuj

Researching it, it seemed like I need to change http_external_uri to whatever address it would be using externally in /etc/graylog/server/server.conf, and when that is done, Graylog does become accessible externally, but I lose all access to the web GUI internally, even via direct IP address. The same way it failed to render now happens in reverse. I get a blank page titled “Graylog Web Interface” again and when I view the HTML source it has all the same links as above in pastebin but the internal 10.0.0.208 IP address is replaced with hxxps://graylog.mywebsite.com. Every link to the JavaScript in the HTML is displayed as that external address, whether I use graylog.internal or hxxp://10.0.0.208:9000.

I also tried adding the IP of the Nginx Proxy Manager to the trusted_proxies line in the server.conf to no avail. Then I took a stab at messing around with nginx config files by changing some headers, but the same type of issues persisted: once it became accessible externally it stopped being accessible internally, and vice versa. It might not even be the Nginx Proxy though. I port forwarded the Graylog server directly out to the internet, and the same issue happens: the “blank” index page had resources linked with absolute paths to the internal IP and not relative paths.

So what is going on here? Why is it changing bind address internally when the setting I changed was http_EXTERNAL_uri? Why is it sending the internal bind address when being accessed outside? Or I guess, why is it generating absolute paths? I will admit web servers are not a strong suit of mine, but I’m not having this issue with 10+ other apps being proxied through Nginx Proxy Manager.

  1. OVA not for production use
  2. If you have nginx, you have to change the Graylog URL in the proxy. The web UI uses a header field to connect to the GL server. Check the documentation.
    https://docs.graylog.org/en/3.1/pages/configuration/web_interface.html

The key to your success @GentlemanCriminal would be to have your external proxy set X-Graylog-Server-URL to its own.

You can see in the docs: https://docs.graylog.org/en/3.1/pages/configuration/server.conf.html#web-rest-api that the http_external_uri is where your browser can reach the Graylog API to communicate with the backend. This is unique for internal and external and you need to have the right setting in your server.conf or overwrite the header.
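The header override described in the reply above, written out as an edge nginx configuration. This is an added example, not configuration posted in the thread or taken from the Graylog project; the host name and backend address are the ones from the question, and the certificate paths and the server.conf value in the comments are assumed placeholders.

```nginx
# Internet-facing reverse proxy (constructed example).
#
# Assumption: /etc/graylog/server/server.conf on the Graylog node keeps an
# internal value, e.g.  http_external_uri = http://10.0.0.208:9000/
# so LAN clients that browse straight to the node still get URLs they can
# reach. Only requests that pass through this proxy see the external URL.

server {
    listen 80;
    server_name graylog.mywebsite.com;
    # Send plain-HTTP visitors to the TLS listener.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name graylog.mywebsite.com;

    # Placeholder paths: point these at the certificate issued for this host.
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    location / {
        proxy_set_header Host               $http_host;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;

        # Per-request override of http_external_uri: tells the web interface
        # which base URL the browser should use to reach the Graylog API.
        # Scheme and host must match what the external browser actually uses.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;

        # Internal leg to the Graylog node from the question.
        proxy_pass http://10.0.0.208:9000;
    }
}
```

With this in place, the page source fetched through the proxy should reference the external host name in its script links, while the same page fetched directly from the node keeps the internal address.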

Thanks, got it working by adding the network rules to the edge reverse proxy. It was just confusing because when I saw external_uri in the GL config, my brain automatically thought it only applied to truly external connections from the internet, but it was for any web client access.
