Graylog 4 + Docker + Traefik 2 + HTTPS (wildcard / cloudflare) = KO

Hi there,

i’m trying to setup a graylog server behind a Traefik 2 reverse proxy but i’m stuggeling as hell!
I did try everything i could, but best i could achieve it a blanks page with browser TLS handshaking and then a timeout.

Here is my docker-compose file for graylog :

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:4.2
    networks:
      - proxy
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - proxy
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.0
    environment:
      - GRAYLOG_PASSWORD_SECRET=blablablablablapassword16char
      - GRAYLOG_ROOT_PASSWORD_SHA2=123456whatever
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=https://graylog.local.example.com:9000/
      - GRAYLOG_WEB_ENDPOINT_URI=https://graylog.local.example.com:9000/api
      - GRAYLOG_WEB_LISTEN_URI=https://graylog.local.example.com:9000/
#      - GRAYLOG_WEB_ENABLE_TLS=true
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    networks:
      - proxy
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.graylog.entrypoints=http"
      - "traefik.http.routers.graylog.rule=Host(`graylog.local.example.com`)"
      - "traefik.http.middlewares.graylog-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.graylog.middlewares=graylog-https-redirect"
      - "traefik.http.routers.graylog-secure.entrypoints=https"
      - "traefik.http.routers.graylog-secure.rule=Host(`graylog.local.example.com`)"
      - "traefik.http.routers.graylog-secure.tls=true"
      - "traefik.http.routers.graylog-secure.service=graylog"
      - "traefik.http.services.graylog.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.graylog.middlewares=graylog-header"
      - "traefik.http.middlewares.graylog-header.headers.customresponseheaders.X-Graylog-Server-URL=http://graylog.local.example.com/"

networks:
  proxy:
    external: true
#  graylog:
#    external: false

I tried to force enable TLS, adding https, removing https, making a static entry in traefik.yml and removing labels… still the same. I also tried for force the bind adress, nothing better.
I also did try as seen in this example to put everything on the same docker network (called proxy) instead of having 2 separate networks (1 for mongo+elastic+Graylog and one only to expose graylog) but it does the same.

Other apps seems to work fine using Traefik, for instance portainer, i have valid https certificate, can navigate the app no issues, or with other non dockerised app, for instance a freepbx, with a manual setup of config.yml for traefik gets me https with valid certificate, no issues.

By setting everything to http, i can get to graylog on port 9000 without HTTPS, seems to work (did no try to set persistant storage yet) at least i can login to the GUI with no issues.

Any help with that? Any hint on what should i check?

Thanks!

So 2 things:

  • Did you enable CORS (it’s disabled by default)
  • Did you check your browser console to see if there were any errors showing up there?

Hi,

thanks for helping!

I didn’t know what CORS was, but i enabled it in docker compose via

  • GRAYLOG_http_enable_cors=true

But it does not seem to change anything, i still got a 504 gateway timeout.

Nothing helpful in browser inspector, only a 504.

Hmmm…the value should be:

GRAYLOG_HTTP_ENABLE_CORS=true

Did you put it in all caps?