Graylog behind nginx

I have installed graylog behind nginx and currently it works on http.
But when accessing the https address, graylog fails as it tries to download content from http.

How should nginx or graylog be configured to work correctly also on the https address?

Case is similar as this: Graylog with nginx-ingress-controller

@tatuh
Hello,
Have you seen or tried these?

NGINX

Using HTTPS

Nginx already is configured to serve https.
But when loading the page over https on chrome I get:
“Mixed Content: The page at ‘’ was loaded over HTTPS, but requested an insecure script ‘’. This request has been blocked; the content must be served over HTTPS”

and the developer tools network tab shows:

We are running services on kubernetes and using a helm chart to deploy graylog. I think I should enable tls for graylog, and link the cert and key from nginx (stored in secrets)?

…not totally sure how to give the key and cert with helm chart. Trying to set it up following this: graylog 1.7.9 · KongZ/kong-z
(in this example cert and key are stored as strings, but how to do this on helm chart?)

edit:
On helm chart I’m able to get key and cert as string from the nginx secrets.
Like: “-----BEGIN CERTIFICATE----- …” and " -----BEGIN EC PRIVATE KEY----- …"

As I try to set them for graylog on helm:

  • --set graylog.tls.certFile: $CERT_as_string_variable `
  • --set graylog.tls.keyFile: $KEY_as_string_variable `

I end up with error (as the cert is the first):
bad flag syntax: -----BEGIN CERTIFICATE-----

How should I use the cert to enable https?
I guess the correct way to set up https is to enable tls?
If I enable tls, how should the key and cert be given to graylog?
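The "bad flag syntax: -----BEGIN CERTIFICATE-----" error above comes from the shell splitting an unquoted multi-line PEM value into separate arguments, so helm sees "-----BEGIN" as a flag. The example below is added here and is not code from the thread or from the KongZ graylog chart; it reproduces that argv split, validates the PEM blocks, and writes them into a values file as YAML literal block scalars instead. It assumes the chart keys graylog.tls.certFile / graylog.tls.keyFile take PEM content (as the thread describes) and that a graylog.tls.enabled key exists; the PEM blocks are constructed placeholders, not real key material.

```python
"""Carry a PEM certificate and key into a helm values file safely.

Added example (not from the thread or the chart). Assumptions: chart keys
graylog.tls.certFile / graylog.tls.keyFile take PEM *content*, and a
graylog.tls.enabled key exists. The PEM blocks below are constructed
placeholders, not real keys."""
import re
import shlex
from pathlib import Path

# Constructed placeholder PEM blocks (not real key material).
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             "MIIBszCCAVmgAwIBAgIUplaceholderplaceholderplaceholder\n"
             "-----END CERTIFICATE-----\n")
FAKE_KEY = ("-----BEGIN EC PRIVATE KEY-----\n"
            "MHcCAQEEIplaceholderplaceholderplaceholder\n"
            "-----END EC PRIVATE KEY-----\n")

# One complete PEM block: BEGIN line, at least one body line, matching END line.
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(?:.+\n)+-----END \1-----\n?$")


def argv_with_unquoted_variable(cert_pem):
    """Show what the shell hands to helm for `--set graylog.tls.certFile: $CERT`
    when $CERT is unquoted: the PEM text is word-split into separate arguments,
    and the third one ("-----BEGIN") is what helm rejects as a bad flag."""
    return shlex.split("--set graylog.tls.certFile: " + cert_pem)


def check_pem(text, expected_labels):
    """Return the PEM label if `text` is a single well-formed block whose label
    is one of `expected_labels`; raise ValueError otherwise (e.g. cert/key swapped)."""
    m = PEM_RE.match(text)
    if not m:
        raise ValueError("not a single well-formed PEM block")
    label = m.group(1)
    if label not in expected_labels:
        raise ValueError(f"unexpected PEM label {label!r}, expected one of {sorted(expected_labels)}")
    return label


def yaml_block_scalar(text, indent):
    """Render multi-line text as a YAML literal block scalar ('|') indented by `indent` spaces,
    so newlines survive and no shell or YAML quoting is involved."""
    pad = " " * indent
    body = "\n".join(pad + line for line in text.rstrip("\n").split("\n"))
    return "|\n" + body + "\n"


def build_values(cert_pem, key_pem):
    """Return the values.yaml text for the (assumed) chart keys, after validating both PEMs."""
    check_pem(cert_pem, {"CERTIFICATE"})
    check_pem(key_pem, {"PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"})
    return ("graylog:\n"
            "  tls:\n"
            "    enabled: true\n"        # assumed chart key
            "    certFile: " + yaml_block_scalar(cert_pem, 6) +
            "    keyFile: " + yaml_block_scalar(key_pem, 6))


def write_values(path, cert_pem, key_pem):
    """Write the values file with owner-only permissions (it contains the private key)."""
    p = Path(path)
    p.write_text(build_values(cert_pem, key_pem))
    p.chmod(0o600)
    return p


if __name__ == "__main__":
    print("argv helm would receive:", argv_with_unquoted_variable(FAKE_CERT)[:4], "...")
    out = write_values("graylog-tls-values.yaml", FAKE_CERT, FAKE_KEY)
    print(f"wrote {out}; deploy with: helm upgrade --install graylog <chart> -f {out}")
```

With the file written, the chart is installed with `-f graylog-tls-values.yaml` rather than `--set`. Helm 3 also accepts `--set-file graylog.tls.certFile=cert.pem` to read a value from a file directly, which sidesteps the word-splitting problem without an intermediate values file; in both cases the private key ends up in a file on the machine running helm, so keep it owner-only and remove it after the deploy.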

@tatuh
Hello,

I think it might be your certificates, but I’m unsure.
Chrome can be a little weird at times, have you tried other browsers?

It would be greatly appreciated to have more information about your Graylog environment like your graylog configuration file, and how you configured nginx. Please take a look at the link below.

Details you should always include

Did you see any of these posts here that might resemble your issue?

Have you looked here? Maybe something was overlooked when creating certificates for HTTPS.

If this doesn’t help, at this point I’m not sure. If I had this issue with a Graylog installation, I would remove nginx from the equation to see if everything functions as expected (i.e., https), then roll into securing it. That way if something weird pops up I know for sure where the issue is from.
All I can do is offer suggestions and speculate, sorry I can’t be more help.

I had a similar issue. I’m not running multinode, though, so your difficulties may be more complicated. In my case, I think it was related to the trusted_proxies parameter in /etc/graylog/server/server.conf and the X-Graylog-Server-URL header.


in server.conf
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128


And then in the nginx server, this config block. One of the things this block does is set the X-Graylog-Server-URL header, which tells Graylog to properly write links to its resources.

In nginx configuration, within the relevant server{} block:

listen 443 ssl;
location / {
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # Public URL the web interface should use for its API and asset links
  proxy_set_header X-Graylog-Server-URL https://$server_name/;
  # Graylog itself listens on plain HTTP on localhost; TLS ends at nginx
  proxy_pass       http://127.0.0.1:9000;
}
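To see why the header matters, the following added example (not code from the thread or from Graylog) models the choice the web interface makes for its server URL and then checks a served page for the insecure subresources a browser would block. The precedence modelled (X-Graylog-Server-URL request header, then http_external_uri, then http_publish_uri) follows the Graylog 3.x/4.x documentation as read by the author of this example; the request headers, server.conf values and HTML are constructed samples.

```python
"""Predict the Graylog web interface's server URL from proxy headers and
server.conf, and detect mixed content in a served page.

Added example, not from the thread or from Graylog. Precedence modelled:
X-Graylog-Server-URL header > http_external_uri > http_publish_uri (as the
author reads the Graylog docs). All inputs below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: what Graylog sees with and without the nginx header from the post above.
HEADERS_WITH_URL = {"Host": "graylog.example.com",
                    "X-Graylog-Server-URL": "https://graylog.example.com/"}
HEADERS_WITHOUT_URL = {"Host": "graylog.example.com"}
SERVER_CONF = {"http_publish_uri": "http://127.0.0.1:9000/"}

# Constructed page fragment: one script still referenced over plain http.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://graylog.example.com/assets/app.css">
<script src="http://graylog.example.com/assets/vendor.js"></script>
<script src="//graylog.example.com/assets/app.js"></script>
</head><body></body></html>"""


def resolve_server_url(request_headers, server_conf):
    """Return (url, source): the URL the web interface will build links from and where it came from."""
    hdr = {k.lower(): v for k, v in request_headers.items()}
    if hdr.get("x-graylog-server-url"):
        return hdr["x-graylog-server-url"], "X-Graylog-Server-URL header"
    for key in ("http_external_uri", "http_publish_uri"):
        if server_conf.get(key):
            return server_conf[key], key
    raise ValueError("no http_external_uri or http_publish_uri configured")


def mixed_content_risk(page_url, server_url):
    """True when an https page would load its API/assets from an http server URL."""
    return urlsplit(page_url).scheme == "https" and urlsplit(server_url).scheme == "http"


class SubresourceCollector(HTMLParser):
    """Collect script/link/img/iframe URLs from an HTML document."""
    ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        if want:
            for name, value in attrs:
                if name == want and value:
                    self.urls.append(value)


def insecure_subresources(page_url, html):
    """Subresource URLs a browser would block as mixed content on an https page.
    Protocol-relative (//host/...) and https URLs are fine; only explicit http:// is flagged."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = SubresourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    page = "https://graylog.example.com/"
    for headers in (HEADERS_WITHOUT_URL, HEADERS_WITH_URL):
        url, source = resolve_server_url(headers, SERVER_CONF)
        print(f"server URL {url} (from {source}); mixed content: {mixed_content_risk(page, url)}")
    print("blocked subresources:", insecure_subresources(page, SAMPLE_HTML))
```

Run against a real deployment, replace SAMPLE_HTML with the body of a GET to the https front end: any URL the second function reports is exactly what Chrome lists as "(blocked:mixed-content)" in the network tab, and the fix is to make the resolved server URL https, either via the header at the proxy or via http_external_uri in server.conf.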

Ok. Enabling tls did not solve the issue :frowning: I managed to enable tls, and deployed graylog with the cert and key.
Still getting these “(blocked:mixed-content)” on the browser, when trying to load the UI.

I probably need to configure the https to the nginx, something like Sean is pointing above.

On this post Web interface not working behind Nginx - #4 by jan
there is:
"when you have https you need to adjust that in the nginx configuration:
proxy_set_header X-Graylog-Server-URL https://$server_name/;"
I have tried to set it up on helm, like:
--set graylog.ingress.annotations.nginx.ingress.kubernetes.io/proxy_set_header='X-Graylog-Server-URL https://$server_name' `

Deployment does not fail, but https is still not working.
Kind of lost here, I guess enabling tls is not working because of nginx, but not totally sure what is needed for nginx :frowning:

FWIW, I’m running Graylog in 3 VMs (not k8s) and have TLS working. Here are my redacted configs:

Nginx LB Config

upstream graylog {
  server graylog00.example.com:9000 max_fails=3 fail_timeout=30s;
  server graylog01.example.com:9000 max_fails=3 fail_timeout=30s;
  server graylog02.example.com:9000 max_fails=3 fail_timeout=30s;
}

server {
  listen *:80;
  server_name           graylog.example.com;

  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/graylog.example.com.access.log combined;
  error_log             /var/log/nginx/graylog.example.com.error.log;
}

server {
  listen       *:443 ssl;
  server_name  graylog.example.com;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1.2;
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ssl-graylog.example.com.access.log combined;
  error_log  /var/log/nginx/ssl-graylog.example.com.error.log;

  location / {
    # Simple requests
    if ($request_method ~* "(GET|POST)") {
      add_header "Access-Control-Allow-Origin"  *;
    }

    # Preflighted requests
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;
    }

    proxy_pass https://graylog;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
  }
}

Graylog HTTP Configuration Attributes

http_bind_address = 192.168.1.2:9000
http_enable_cors = true
http_enable_tls=true
http_tls_cert_file=/etc/graylog/ssl/fullchain.pem
http_tls_key_file=/etc/graylog/ssl/privkey.pem
http_publish_uri=https://graylog00.example.com:9000/

I can’t really provide an expert take on K8s/Helm since I don’t actively work with it every day, but hopefully this helps.

In my example, I do not have TLS enabled on the Graylog server. Behind the proxy, it’s unencrypted.

Are you required to have HTTPS enabled behind the proxy?

While troubleshooting, are you able to get it working through the proxy with ONLY HTTP (no TLS)?

While troubleshooting, are you able to get it working through the proxy with HTTPS on the front of the proxy and HTTP on the back?

Actually there is no need to have https behind the proxy, so redirecting to http would be fine.

So at this point I’m not enabling tls, and trying to set the configuration for http redirecting on “graylog.nginx.ingress” like:

        --set graylog.ingress.annotations.nginx.ingress.kubernetes.io/server-snippet: |
        location / {
            internal;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_buffering off;

            proxy_pass http://localhost:30022/site/;
            proxy_redirect default;
            proxy_cookie_path /site/ /;
        } ` 

I can set one individual header like:
--set graylog.ingress.annotations.nginx.ingress.kubernetes.io/proxy_set_header='Host $http_host' `
But adding multiple fails…

As when trying to set it like this:

and
https://docs.graylog.org/en/4.0/pages/configuration/web_interface.html

I have a similar issue, and graylog is deployed in kubernetes, the webui is behind a server loadbalancer.

And the configuration below is working fine:

env for graylog pod:

GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
GRAYLOG_HTTP_EXTERNAL_URI: https://domain.name/graylog/

add below in the docker-entrypoint.sh:

 export GRAYLOG_HTTP_PUBLISH_URI="http://$(hostname -f):9000/graylog"

What sort of trouble are you having?
Web interface on https loads content as http, like mine?

Currently, I’m trying to set tls enabled on graylog, but I’m missing how to add custom server files to the container with helm. I started a new topic about it: Graylog tls, how to add cert and key as serverFiles (Kubernetes Helm Chart)

I did a few tries to set up nginx. And was able to set the configuration as an nginx annotation server snippet. But adding the configuration pointed out over here: Web interface — Graylog 3.0.2 documentation
did not solve the issue with the webinterface not working. But it might be about how nginx is running on kubernetes. Not totally familiar with kubernetes and nginx, so there might also be some mistake. But at least the configuration is visible when looking at the ingress of graylog:
kubectl describe ing graylog -n graylog

The trouble is setting up the graylog domain on a subpath, https://domain.com/graylog.
I didn’t enable tls for gelf input, only for webui, so I attached the ssl certificate at loadbalancer.
browser —(https)—> loadbalancer --(http)—> ingress -----> graylog webui service

It would be nice to see working nginx annotation config on Kubernetes.

Mine currently looks like this (it is the default from the documentation), and it seems to have no effect on the traffic: