External access through separate nginx proxy


(Joseph LaVigne) #1

I am running the Graylog virtual appliance (v2.3), and it works great in my local network. I also have an nginx server to manage reverse proxy of sites into my lan, and to use SSL for all of my sites.

I cannot, thus far, get the graylog server to properly proxy through the nginx proxy. I am sure it is due to my own misunderstanding of something simple, so I thought I’d drop it here and see if anyone can help.

So, here is some config info… Some info is changed to protect the innocent lan…

external address: https://graylog.mydomain.com:443
graylog server: 192.168.0.14
nginx proxy: 192.168.0.10

graylog-settings.json:

    {
      "timezone": "America/New_York",
      "smtp_server": "smtp.mail.com",
      "smtp_port": 587,
      "smtp_user": "graylog.admin@emaildomain.us",
      "smtp_password": "01Dominic",
      "smtp_from_email": "graylog.admin@emaildomain.us",
      "smtp_web_url": "https://graylog.mydomain.com",
      "smtp_no_tls": false,
      "smtp_no_ssl": true,
      "master_node": "127.0.0.1",
      "local_connect": false,
      "current_address": "192.168.0.14",
      "last_address": "192.168.0.14",
      "enforce_ssl": false,
      "journal_size": 1,
      "node_id": false,
      "internal_logging": true,
      "web_listen_uri": "http://192.168.0.14:9000",
      "web_endpoint_uri": false,
      "rest_listen_uri": "http://192.168.0.14:9000/api/",
      "rest_transport_uri": false,
      "external_rest_uri": false,
      "custom_attributes": {

      }
    }

NGINX graylog.conf:

    server {
    listen 80;
    server_name graylog.mydomain.com;
    return 301 https://$host$request_uri;
    }

    server {
    listen 443 ssl;
    server_name graylog.mydomain.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_prefer_server_ciphers  on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
    -SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-
    RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-
    SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:A
    ES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EX
    PORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    location / {
    proxy_pass http://192.168.0.14:9000;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://graylog.mydomain.com;
    proxy_pass_request_headers on;
    proxy_connect_timeout 150;
    proxy_send_timeout 100;
    proxy_read_timeout 100;
    proxy_buffers 4 32k;
    client_max_body_size 8m;
    client_body_buffer_size 128k;
    }
    }

I can still connect to the server directly, on the LAN, but when I connect through the proxy, I get the graylog page background, and I get the login window, but when I enter my credentials, the login screen stays up and I get this error:
Error - the server returned: 404 - cannot POST https://graylog.mydomain.com/system/sessions (404)

Any thoughts on where I am going wrong? Obviously, I’m close, but missing just that one last thing…

The graylog server has no direct connection to the outside world. The only open ports on my lan are 80 & 443, and I only use 80 to redirect everything to SSL on 443.


(Joseph LaVigne) #2

For the record, I have tried a number of different iterations of web_listen_uri, web_endpoint_uri, rest_listen_uri, and rest_transport_uri. I just cannot seem to get it right.


(Jochen) #3

You have to set web_endpoint_uri or the X-Graylog-Server-URL HTTP request header to the public address of the Graylog REST API. Currently it’s set to the address of the Graylog web interface.


(Joseph LaVigne) #4

Ok, tried that. Everything is now the same as listed above, but with:
web_endpoint_uri = https://graylog.mydomain.com/api/

On the NGINX server, proxy_set_header X-Graylog-Server-URL https://graylog.mydomain.com was the original setting. Finally fixed it by adding the /api/ onto there.

I knew it was something small I was missing. Thanks for the help!


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.