Configuring nginx reverse proxy via certbot results in 'Service Temporarily Unavailable' when accessing home page over https, normal functionality over http

I recently set up a new dedicated Graylog 3 server running on Debian Stretch, using nginx as a reverse proxy frontend for the local graylog-server. After using certbot to configure encryption for nginx, I ran into the title issue. The site works normally over http, but attempting to access it via https results in this page:

I inspected the web request/response exchange to gain additional information that might be of help debugging the issue. The exchange (not including favicon.ico, omitted headers, but I can provide these if they may be of use) which occurs is as follows:
```
GET / HTTP/1.1

HTTP/1.1 200 OK

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="robots" content="noindex, nofollow">
    <meta charset="UTF-8">
    <title>Graylog Web Interface</title>
    <link rel="shortcut icon" href="http://ourdomain.tld/assets/favicon.png">

  </head>
  <body>
    <script src="http://ourdomain.tld/config.js"></script>

    <script src="http://ourdomain.tld/assets/vendor.4024e2a8db732781a971.js"></script>

    <script src="http://ourdomain.tld/assets/polyfill.a5e2fb591e8fd54ee4ef.js"></script>

    <script src="http://ourdomain.tld/assets/builtins.a5e2fb591e8fd54ee4ef.js"></script>

    <script src="http://ourdomain.tld/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.b864ba54b438ac0bdc48.js"></script>

    <script src="http://ourdomain.tld/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.bcc87290018e859a8a9e.js"></script>

    <script src="http://ourdomain.tld/assets/plugin/org.graylog.aws.AWSPlugin/plugin.org.graylog.aws.AWSPlugin.8ae7cb13983ce33eeb5b.js"></script>

    <script src="ourdomain.tld/assets/app.a5e2fb591e8fd54ee4ef.js"></script>

  </body>
</html>

GET /config.js HTTP/1.1

HTTP/1.1 200 OK
window.appConfig = {
  gl2ServerUrl: 'http://ourdomain.tld/api/',
  gl2AppPathPrefix: '/',
  rootTimeZone: 'UTC',
};
```

It jumps out at me that only 2 req/res exchanges occur, even though the initial response contains 8 `<script>` tags, so I imagine the page fails after the first javascript file is fetched. However, the URL specified in config.js (which is the same URL that the landing page is complaining about) seems to work perfectly fine. Operating the site over HTTP, requests to /api/ and its assets have no problems that I can see and behavior is normal.

Additional info:
Firefox throws a mixed content warning when attempting to access the landing page (due to the HTTP embeds)

I am currently not setting any HTTPS options in /etc/graylog/server.conf. Since nginx is acting as a reverse proxy to graylog running locally, I thought it made more sense for all encryption to be handled by nginx itself. The server.conf file is pretty large, so I haven’t uploaded it here, but I would be happy to provide any snippets which could be of use.

My nginx configuration is:

```
server {
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name ourdomain.tld;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    listen 80;
    listen [::]:80;
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/ourdomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ourdomain.tld/privkey.pem;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass       http://127.0.0.1:9000;
    }

}
```

If you want to use HTTPS, make your proxy_set_header for `X-Graylog-Server-URL` make use of that.

```
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
```
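A way to check whether the header change in the reply above has taken effect, as an added example that is not part of the original thread: this Python code lists every subresource an HTTPS page would load over plain HTTP, which is what Firefox's mixed content warning in the question refers to. The function name `mixed_content` and the sample inputs are hypothetical; the samples are constructed from the responses quoted in the question, including the `gl2ServerUrl` key shown in its `config.js`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
URL_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def mixed_content(page_url, html, config_js=""):
    """Return (kind, url) pairs an HTTPS page would fetch over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    collector = _RefCollector()
    collector.feed(html)
    refs = list(collector.refs)
    # Assumption: config.js carries the API base URL as gl2ServerUrl,
    # as in the response quoted in the question.
    m = re.search(r"gl2ServerUrl:\s*['\"]([^'\"]+)['\"]", config_js)
    if m:
        refs.append(("gl2ServerUrl", m.group(1)))
    findings = []
    for kind, ref in refs:
        absolute = urljoin(page_url, ref)  # resolve relative references
        if urlsplit(absolute).scheme == "http":
            findings.append((kind, absolute))
    return findings

# Constructed sample modelled on the responses quoted in the question.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="http://ourdomain.tld/assets/favicon.png">
</head><body>
<script src="http://ourdomain.tld/config.js"></script>
<script src="/assets/app.js"></script>
</body></html>"""
SAMPLE_CONFIG = "window.appConfig = { gl2ServerUrl: 'http://ourdomain.tld/api/' };"
if __name__ == "__main__":
    for kind, url in mixed_content("https://ourdomain.tld/", SAMPLE_HTML, SAMPLE_CONFIG):
        print(f"insecure {kind}: {url}")
```

An empty result for the HTML and `config.js` fetched over HTTPS means no `http://` references remain in what the proxy serves.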
