Graylog cluster with Nginx on each node has duplicated node-stats

It’s been a while since my last topic because Graylog was working like a charm and new features are getting better and better!

Right now I’m trying to set some security headers via Nginx. It seems almost everything is working fine except node statistics at


It seems Graylog is displaying stats of one node duplicated to all the other nodes.

Our setup is:

  • PowerDNS load-balancing from specific DNS, lets say :

into 3 machines:

graylog1 graylog2 graylog3

On each of these machines I launched an Nginx with proxy_pass to Graylog running on

About configurations:

Graylog has a http_bind_address =

Nginx (example on node graylog1) has:

server_tokens off;

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection “1; mode=block”;

add_header Strict-Transport-Security max-age=31536000;

server {
listen 443 ssl default_server;
server_name graylog1;

ssl_certificate /etc/nginx/graylog_test_cert.crt;
ssl_certificate_key /etc/nginx/graylog_test_cert.key;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;

location / {
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Graylog-Server-URL https://$server_name/;


Sadly my knowledge of running Graylog behind NGINX is very little, could some of you help? :slight_smile:

Problem solved:

http_bind_address =
http_publish_uri = https://graylog1

In publish_uri it seems it is essential to put the DNS or external-ip of Graylog Node.
Also, because I’m using proxy-pass on 443 which is default SSL, http_publish_uri does not require any port.

he @Zerobot

please check again. From:

http_bind_address =

  • The network interface used by the Graylog HTTP interface.
  • This network interface must be accessible by all Graylog nodes in the cluster and by all clients using the Graylog web interface.

http_publish_uri = http://$http_bind_address/

  • The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all clients using the Graylog web interface.
  • The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
  • This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address, for example if the machine has multiple network interfaces or is behind a NAT gateway.
  • This configuration setting must not be configured to a wildcard address!

http_external_uri = $http_publish_uri

  • The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
  • The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
  • When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
    • This setting can be overriden on a per-request basis with the “X-Graylog-Server-URL” HTTP request header.
1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.