Hi there,
I’m trying to set up a Graylog server behind a Traefik 2 reverse proxy but I’m struggling as hell!
I did try everything I could, but the best I could achieve is a blank page with the browser TLS handshaking and then a timeout.
Here is my docker-compose file for Graylog:
```yaml
version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:4.2
    networks:
      - proxy
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - proxy
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.0
    environment:
      - GRAYLOG_PASSWORD_SECRET=blablablablablapassword16char
      - GRAYLOG_ROOT_PASSWORD_SHA2=123456whatever
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=https://graylog.local.example.com:9000/
      - GRAYLOG_WEB_ENDPOINT_URI=https://graylog.local.example.com:9000/api
      - GRAYLOG_WEB_LISTEN_URI=https://graylog.local.example.com:9000/
      # - GRAYLOG_WEB_ENABLE_TLS=true
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    networks:
      - proxy
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.graylog.entrypoints=http"
      - "traefik.http.routers.graylog.rule=Host(`graylog.local.example.com`)"
      - "traefik.http.middlewares.graylog-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.graylog.middlewares=graylog-https-redirect"
      - "traefik.http.routers.graylog-secure.entrypoints=https"
      - "traefik.http.routers.graylog-secure.rule=Host(`graylog.local.example.com`)"
      - "traefik.http.routers.graylog-secure.tls=true"
      - "traefik.http.routers.graylog-secure.service=graylog"
      - "traefik.http.services.graylog.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.graylog.middlewares=graylog-header"
      - "traefik.http.middlewares.graylog-header.headers.customresponseheaders.X-Graylog-Server-URL=http://graylog.local.example.com/"
networks:
  proxy:
    external: true
#  graylog:
#    external: false
```
I tried to force-enable TLS, adding https, removing https, making a static entry in traefik.yml and removing labels… still the same. I also tried to force the bind address, nothing better.
I also did try, as seen in this example, to put everything on the same Docker network (called proxy) instead of having 2 separate networks (1 for mongo+elastic+Graylog and one only to expose Graylog), but it does the same.
Other apps seem to work fine using Traefik, for instance Portainer: I have a valid https certificate and can navigate the app with no issues; or with another non-dockerised app, for instance a FreePBX, a manual setup of config.yml for Traefik gets me https with a valid certificate, no issues.
By setting everything to http, I can get to Graylog on port 9000 without HTTPS; it seems to work (I did not try to set persistent storage yet), at least I can log in to the GUI with no issues.
Any help with that? Any hint on what I should check?
Thanks!
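
A check over the values in the compose file above, as an added example that is not part of the original post: it flags Traefik label keys that are set twice (a label key holds only one value, so one of the two middleware assignments is dropped) and an `https` external URI whose port Docker publishes straight to Graylog's own listener while that listener has TLS off. The function names are hypothetical, and the lists are an abridged copy of the post's values.

```python
from urllib.parse import urlsplit

# Values copied (abridged) from the compose file in the post above.
ENV = {
    "GRAYLOG_HTTP_BIND_ADDRESS": "0.0.0.0:9000",
    "GRAYLOG_HTTP_EXTERNAL_URI": "https://graylog.local.example.com:9000/",
}
PUBLISHED = ["9000:9000", "1514:1514", "1514:1514/udp", "12201:12201/udp"]
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.graylog.middlewares=graylog-https-redirect",
    "traefik.http.routers.graylog-secure.tls=true",
    "traefik.http.services.graylog.loadbalancer.server.port=9000",
    "traefik.http.routers.graylog.middlewares=graylog-header",
]


def duplicate_label_keys(labels):
    """Return label keys that are set more than once, in first-repeat order."""
    seen, dupes = set(), []
    for entry in labels:
        key = entry.split("=", 1)[0]
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def https_uri_on_plain_port(env, published):
    """True if the external URI is https on a host port that Docker maps
    directly to Graylog's HTTP listener while that listener has TLS off."""
    uri = urlsplit(env["GRAYLOG_HTTP_EXTERNAL_URI"])
    bind_port = int(env["GRAYLOG_HTTP_BIND_ADDRESS"].rsplit(":", 1)[1])
    # GRAYLOG_HTTP_ENABLE_TLS is the env form of http_enable_tls (default off).
    tls_on = env.get("GRAYLOG_HTTP_ENABLE_TLS", "false").lower() == "true"
    host_ports = set()
    for mapping in published:
        spec, _, proto = mapping.partition("/")
        host, container = spec.split(":")
        if proto in ("", "tcp") and int(container) == bind_port:
            host_ports.add(int(host))
    port = uri.port or (443 if uri.scheme == "https" else 80)
    return uri.scheme == "https" and port in host_ports and not tls_on


if __name__ == "__main__":
    print("duplicate label keys:", duplicate_label_keys(LABELS))
    print("https URI on plain port:", https_uri_on_plain_port(ENV, PUBLISHED))
```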