Configuring HTTPS with a docker container


(Pierre-Yves Taczynski) #1

I spent hours reading the documentation and the forum and so far no success.

Importing the certificate into the Java keystore: OK.

I was able to get the login page but after the credential input I have a 404 error:
Error - the server returned: 404 - cannot POST http://IP:9000/system/sessions (404)

This setting works (no TLS):
GRAYLOG_REST_TRANSPORT_URI: http://IP:9000/api
GRAYLOG_WEB_ENDPOINT_URI: http://IP:80/api

Changing the web endpoint to https://IP/api does not work.

Any advice welcome :slight_smile:


(Jochen) #2

Please post your complete configuration.


(Pierre-Yves Taczynski) #3

Here is my docker-compose file:

  graylog:
   image: graylog2/server:latest
   container_name: graylog
   hostname: graylog
   environment:
        GRAYLOG_IS_MASTER: "true"
        GRAYLOG_PASSWORD_SECRET: somepasswordpepper:)
        GRAYLOG_ROOT_PASSWORD_SHA2: whocares?
        GRAYLOG_SERVER_JAVA_OPTS: -Xms2g -Xmx4g -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow
        GRAYLOG_REST_TRANSPORT_URI: http://IP:9000/api
        GRAYLOG_WEB_ENDPOINT_URI: http://IP:80/api
        GRAYLOG_ELASTICSEARCH_HOSTS: http://elasticsearch:9200,http://elasticsearch2:9200
        GRAYLOG_MONGODB_URI:  mongodb://mongo:27017,mongo2:27017/graylog?replicaSet=graylog
        GRAYLOG_TRANSPORT_EMAIL_ENABLED: "true"
   depends_on:
      - mongo
      - elasticsearch
   ports:
      - "80:9000"
      - "514:514/tcp"
      - "514:514/udp"
      - "1514/udp:1514/udp"
      - "5044:5044/tcp"
      - "9000:9000"
      - "9350:9350"
      - "12200-12300:12200-12300/tcp"
      - "12200-12300:12200-12300/udp"
      - "12900:12900"
   networks:
     graylog:
       aliases:
       - graylog

For HTTPS I add/edit:

GRAYLOG_REST_ENABLE_TLS: "true"
GRAYLOG_WEB_ENABLE_TLS: "true"
GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
GRAYLOG_REST_TRANSPORT_URI: https://10.99.107.152:9000/api
GRAYLOG_WEB_ENDPOINT_URI: https://10.99.107.152/
  - "443:443"

I spent so much time tweaking and changing… I’m sure it will be obvious to a fresh eye.


(Jochen) #4

Please post your complete configuration of the Graylog Docker container (or the complete docker-compose.yml) as it is right now.

BTW, IP addresses from the 10.0.0.0/8 range are private IP addresses which aren’t routed on the Internet, so you can simply post the configuration as it is without having to redact anything (except for the password secret and root password SHA-256).


(Pierre-Yves Taczynski) #5

Hi,

I know about the 10. range, but I’m a contractor and sometimes this kind of detail is not understood by a manager :sunglasses:

  graylog:
   image: graylog2/server:latest
   container_name: graylog
   hostname: graylog
   environment:
        GRAYLOG_IS_MASTER: "true"
        GRAYLOG_PASSWORD_SECRET: somepasswordpepper:)
        GRAYLOG_ROOT_PASSWORD_SHA2: whocares?
        GRAYLOG_SERVER_JAVA_OPTS: -Xms2g -Xmx4g -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow
        GRAYLOG_REST_ENABLE_TLS: "true"
        GRAYLOG_WEB_ENABLE_TLS: "true"
        GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
        GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
        GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
        GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
        GRAYLOG_REST_TRANSPORT_URI: https://10.99.107.152:9000/api
        GRAYLOG_WEB_ENDPOINT_URI: https://10.99.107.152/
        GRAYLOG_ELASTICSEARCH_HOSTS: http://elasticsearch:9200,http://elasticsearch2:9200
        GRAYLOG_MONGODB_URI:  mongodb://mongo:27017,mongo2:27017/graylog?replicaSet=graylog
   depends_on:
      - mongo
      - elasticsearch
   ports:
      - "80:9000"
      - "443:443"
      - "514:514/tcp"
      - "514:514/udp"
      - "1514/udp:1514/udp"
      - "5044:5044/tcp"
      - "9000:9000"
      - "9350:9350"
      - "12200-12300:12200-12300/tcp"
      - "12200-12300:12200-12300/udp"
      - "12900:12900"
   networks:
     graylog:
       aliases:
       - graylog

(Jochen) #6

The web_endpoint_uri setting has to point to the public URI of the Graylog REST API.

This is most likely wrong and should be:

      - "443:9000"

(Pierre-Yves Taczynski) #7

Thank you for pointing me in the right direction.

My mistake was to take for granted a working configuration made by someone else and even reading the web interface doc did not help me to understand the web_endpoint_uri problem.

Removing this variable made it work now.

Here is the final working configuration.

  graylog:
    image: graylog2/server:latest
    container_name: graylog
    hostname: graylog
    environment:
      GRAYLOG_IS_MASTER: "true"
      GRAYLOG_PASSWORD_SECRET: somepasswordpepper:)
      GRAYLOG_ROOT_PASSWORD_SHA2: whoreallycares?
      GRAYLOG_SERVER_JAVA_OPTS: -Xms2g -Xmx4g -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow
      GRAYLOG_REST_ENABLE_TLS: "true"
      GRAYLOG_WEB_ENABLE_TLS: "true"
      GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
      GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
      GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.cert.pem
      GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/ssl/graylog.prod.lan.pkcs8.key.pem
      GRAYLOG_REST_TRANSPORT_URI: https://graylog.prod.lan:9000/api
      GRAYLOG_ELASTICSEARCH_HOSTS: http://elasticsearch:9200,http://elasticsearch2:9200
      GRAYLOG_MONGODB_URI: mongodb://mongo:27017,mongo2:27017/graylog?replicaSet=graylog
    depends_on:
      - mongo
      - elasticsearch
    ports:
      - "443:9000"
      - "514:514/tcp"
      - "514:514/udp"
      - "1514/udp:1514/udp"
      - "5044:5044/tcp"
      - "9000:9000"
      - "9350:9350"
      - "12200-12300:12200-12300/tcp"
      - "12200-12300:12200-12300/udp"
      - "12900:12900"
    networks:
      graylog:
        aliases:
          - graylog
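
As an added example (not from this thread or the Graylog project), a small Python check that would have flagged the 443:443 mapping and the endpoint URI without /api before the first login attempt: it parses docker-compose short-syntax port entries and verifies that the host port named in an endpoint URI is published to the container port Graylog listens on, with a scheme matching rest_enable_tls. It assumes, as the working configurations in this thread do, that the container serves the REST API on port 9000 under /api; the port lists are constructed from the posts above.

```python
# Added example (not Graylog's own code): check that a Graylog endpoint URI is
# consistent with the compose 'ports' list and the TLS flag. Assumes, as in this
# thread, that the container serves the REST API on port 9000 under /api.
from urllib.parse import urlsplit

GRAYLOG_CONTAINER_PORT = 9000

def _port_range(spec):
    """'443' -> (443, 443); '12200-12300' -> (12200, 12300)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_mapping(entry):
    """Parse short syntax '[IP:]HOST:CONTAINER[/proto]' (ranges allowed) into
    ((host_lo, host_hi) or None, (cont_lo, cont_hi), proto)."""
    proto, parts = "tcp", []
    for part in entry.strip().strip("\"'").split(":"):
        if "/" in part:  # protocol suffix, e.g. 1514/udp
            part, proto = part.split("/", 1)
        parts.append(part)
    if len(parts) == 1:  # container port only: docker picks the host port
        return None, _port_range(parts[0]), proto
    return _port_range(parts[-2]), _port_range(parts[-1]), proto

def container_port_for(ports, host_port, proto="tcp"):
    """Container port that docker-compose publishes HOST_PORT to, or None."""
    for entry in ports:
        host, cont, p = parse_mapping(entry)
        if host and p == proto and host[0] <= host_port <= host[1]:
            return cont[0] + (host_port - host[0])  # keep offset inside a range
    return None

def check_endpoint(uri, ports, rest_tls):
    """Return a list of problems with an endpoint URI; [] when consistent."""
    u = urlsplit(uri)
    port = u.port or (443 if u.scheme == "https" else 80)
    problems = []
    if (u.scheme == "https") != rest_tls:
        problems.append(f"scheme {u.scheme} does not match rest_enable_tls={rest_tls}")
    target = container_port_for(ports, port)
    if target is None:
        problems.append(f"host port {port} is not published")
    elif target != GRAYLOG_CONTAINER_PORT:
        problems.append(f"host port {port} maps to container port {target}, not {GRAYLOG_CONTAINER_PORT}")
    if not u.path.rstrip("/").endswith("/api"):
        problems.append("path should end in /api (the REST API base)")
    return problems

# Constructed samples taken from the port lists in this thread (quoted as in YAML).
PORTS_BROKEN = ['"80:9000"', '"443:443"', '"1514/udp:1514/udp"', '"12200-12300:12200-12300/tcp"']
PORTS_FIXED = ['"443:9000"', '"9000:9000"', '"1514/udp:1514/udp"', '"12200-12300:12200-12300/tcp"']
```

Running `check_endpoint("https://10.99.107.152/", PORTS_BROKEN, True)` reports both mistakes from post #5, while the final `https://graylog.prod.lan:9000/api` against the corrected port list reports none.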


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.