Graylog behind nginx

I have installed graylog behind nginx and currently it works on http.
But when accessing to https address, the graylog fails as it tries to download content from http.

How should the nginx or graylog be configured to work corretly also on https address?

Case is similar as this: Graylog with nginx-ingress-controller

Have you seen or tried these?



Nginx allready is configured to serve https.
But when loading page over https on chrome I get:
“Mixed Content: The page at ‘’ was loaded over HTTPS, but requested an insecure script ‘’. This request has been blocked; the content must be served over HTTPS”

and on developer tools network tab shows:

We are running services on kubernets and using helm chart to deploy the graylog. I think I should enable the tls for the graylog, and link the cert and key from the nginx (stored in secrets) ?

…not totally sure how to give the key and cert with helm chart. Trying to set it up following this: graylog 1.7.9 · KongZ/kong-z
(in this example cert and key are stored as strings, but how to do this on helm chart?)

On helm chart I’m able to get key and cert as string from the nginx secrets.
Like: “-----BEGIN CERTIFICATE----- …” and " -----BEGIN EC PRIVATE KEY----- …"

As I try to set them to graylog on helm:

  • --set graylog.tls.certFile: $CERT_as_string_variable `
  • --set graylog.tls.keyFile: $KEY_as_string_variable `

I end up with error (as the cert is the first):
bad flag syntax: -----BEGIN CERTIFICATE-----

How should I use the cert and to enable the https?
I guess the correct way to set up https is to enable tls?
If I enable the tls, how should the key and cert be given to graylog?


I think it might be your certificates, but I’m unsure.
Chrome be a little weird at times, have you tried other browsers?

It would be greatly appreciated to have more information about your Graylog environment like your graylog configuration file, and how you configured nginx. Please take a look at the link below.

Details you should always include

Did you see any of these posts here that might resemble your issue?

Have you looked here ? Maybe something was over looked when creating certificates for HTTPS.

If this doesn’t help, at this point I’m not sure. If I had this issue with a Graylog installation, I would remove nginx from the equation to see if everything functions as expected (i.e., https) Then roll into securing it. That way if something weird pops up I know for sure where the issues is from.
All I can do is offer suggestions and speculate sorry I can’t be more help.

I had a similar issue. I’m not running multinode, though, so your difficulties may be more complicated. In my case, I think it was related to the trusted_proxies parameter in /etc/graylog/server/server.conf and the X-Graylog-Server-URL header.

in server.conf
trusted_proxies =, 0:0:0:0:0:0:0:1/128

And then in the nginx server, this config block. One of the things this block does is set the X-Graylog-Server-URL header, which tells Graylog to properly write links to its resources.

In nginx configuration, within the relevant server{} block:

listen 443 ssl; 
location / {
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Graylog-Server-URL https://$server_name/;

Ok. Enabling the tls did not solve the issue :frowning: I managed to enable the tls, and deployed the graylog with the cert and key).
Still getting these “(blocked:mixed-content)” on the browser, when trying to load the UI.

I probably need to configure the https to the nginx, something like Sean is pointing above.

On this post Web interface not working behind Nginx - #4 by jan
there is:
" when you have http s you need to adjust that in the nginx configuration:
proxy_set_header X-Graylog-Server-URL https://$server_name/;
I have tried to set it up on helm, like:
–set'X-Graylog-Server-URL https://$server_name’ `

Deployment does not fail, but also the https is not working.
Kind a lost here, I guess the enaling the tls is not working because of the nginx, but not totally sure what is needed for nginx :frowning:

FWIW, I’m running Graylog in 3 VMs (not k8s) and have TLS working. Here are my redacted configs:

Nginx LB Config

upstream graylog {
  server max_fails=3 fail_timeout=30s;
  server max_fails=3 fail_timeout=30s;
  server max_fails=3 fail_timeout=30s;

server {
  listen *:80;
  server_name ;

  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/ combined;
  error_log             /var/log/nginx/;

server {
  listen       *:443 ssl;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1.2;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ combined;
  error_log  /var/log/nginx/;

  location / {
    # Simple requests
    if ($request_method ~* "(GET|POST)") {
      add_header "Access-Control-Allow-Origin"  *;

    # Preflighted requests
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;

    proxy_pass https://graylog;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;

Graylog HTTP Configuration Attributes

http_bind_address =
http_enable_cors = true

I can’t really provide an expert take on K8s/Helm since I don’t actively work with every day, but hopefully this helps.

In my example, I do not have TLS enabled on the Graylog server. Behind the proxy, it’s unencrypted.

Are you required to have HTTPS enabled behind the proxy?

While troubleshooting, are you able to get it working through the proxy with ONLY HTTP (no TLS)?

While troubleshooting, are you able to get it working through the proxy with HTTPS on the front of the proxy and HTTP on the back?

Actually no need to have https behind the proxy so redirecting to http would be fine.

So at this point I’m not enabling the tls, and trying to set the configuration for http redicting on “graylog.nginx.ingress” like:

        --set |
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_buffering off;

            proxy_pass http://localhost:30022/site/;
            proxy_redirect default;
            proxy_cookie_path /site/ /;
        } ` 

I can set one individual header like:
–set'Host $http_host’ `
But adding multiple fails…

As trying to set the like this:


I have a similiar issue, and the graylog is deployed in kubernetes, the webui is behind a server loadbalancer.

And below configure are working fine:

env for graylog pod:


add below in the

 export GRAYLOG_HTTP_PUBLISH_URI="http://$(hostname -f):9000/graylog"

What sort of trouble are you having?
Web interface on https loads content as http, like mine?

Currently, I’m trying set tls enabled on graylog, but I’m missing how to add custom server files to the container with helm. I started new topic about it: Graylog tls, how to add cert and key ass serverFiles (Kubernetes Helm Chart)

I did few tries to set up nginx. And was able to set configuration as nginx annotation server snippet. But adding the configuration pointed out over here: Web interface — Graylog 3.0.2 documentation
did not redirect solve the issue with webinterface not working. But it might be about how the nginx is running on kubernetes. Not totally familiar with kubernetes and nginx, so that might also be some mistake. But at least the configuration is visible when looking the ingress of graylog:
kubectl describe ing graylog -n graylog

The trouble is setup graylog domain to a subpath,
I didn’t enable tls for gelf input, only for webui, so I attached the ssl certificate at loadbalancer.
browser —(https)—> loadbalancer --(http)—> ingress -----> graylog webui service

It would be nice to see working nginx annotation config on Kubernetes.

Mine currently looks like (this is default form documentation), seems that it is making no effect to the traffic