Graylog docker container behind an Nginx reverse proxy in a sub-directory


#1

I want to run Graylog as a Docker instance. I am also running Nginx as a Docker instance.

The server’s hostname is homeserver so the web-services hosted on it are setup as http://homeserver/nextcloud or http://homeserver/guacamole courtesy of reverse proxying via Nginx.

I also want Graylog to be accessed via Nginx as a reverse proxy via http://homeserver/graylog (i.e. as a sub-directory)

My Docker instance looks like this:

docker run --name mongo \
 -v mongo_data:/data/db \
 -d mongo:3

docker run --name elasticsearch \
 -e "http.host=0.0.0.0" -e "xpack.security.enabled=false" \
 -v es_data:/usr/share/elasticsearch/data \
 -d docker.elastic.co/elasticsearch/elasticsearch:5.6.2

docker run -d --name graylog \
 --link mongo --link elasticsearch \
 -p 9000:9000 -p 12201:12201 -p 514:514 -p 514:514/udp \
 -e GRAYLOG_REST_LISTEN_URI="http://127.0.0.1:9000/graylog/api/" \
 -e GRAYLOG_WEB_LISTEN_URI="http://127.0.0.1:9000/graylog" \
 -e GRAYLOG_WEB_ENDPOINT_URI="http://graylog:9000/graylog/api" \
 -v /srv/graylog/config:/usr/share/graylog/data/config \
 -v graylog_journal:/usr/share/graylog/data/journal \
 -d graylog/graylog:2.4.0-1

And my Nginx conf file looks like this:

server {

    listen       80;
    server_name  homeserver;

    location /guacamole/ {  
        #snip 
    }

    location /graylog/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/api;
        proxy_pass       http://graylog:9000/;
    }
   
    location /portainer/ {  
        #snip        
    }

       
}
 

Unfortunately, this doesn’t work at all.

When I try to access the graylog instance directly (non-proxied) via http://homeserver:9000/ it simply doesn’t load at all. Unreachable.

And when I try to access the graylog instance via Nginx (http://homeserver/graylog), Nginx simply return a 502 - presumably because Graylog is inaccessible so Nginx can’t proxy_pass to an unreachable destination.

Any ideas on what I need to change?


(Jan Doberstein) #2

I personal use docker-compose for a similar setup. This can be found over here https://github.com/jalogisch/d-gray-lab

Maybe this will help you with the configuration.


#3

That’s perfect, thank you ever so much!

I looked at your docker-compose file and had a look at your nginx.conf file and was able to get my reverse proxied URL http://homeserver/graylog working.

My Docker command looks like this:

docker run --name mongo \
 -v mongo_data:/data/db \
 -d mongo:3

docker run --name elasticsearch \
 -e "http.host=0.0.0.0" -e "xpack.security.enabled=false" \
 -v es_data:/usr/share/elasticsearch/data \
 -d docker.elastic.co/elasticsearch/elasticsearch:5.6.2

docker run -d --name graylog \
 --link mongo --link elasticsearch \
 -p 9000:9000 -p 12201:12201 -p 514:514 -p 514:514/udp \
 -e GRAYLOG_REST_LISTEN_URI="http://0.0.0.0:9000/graylog/api" \
 -e GRAYLOG_WEB_LISTEN_URI="http://0.0.0.0:9000/graylog" \
 -e GRAYLOG_WEB_ENDPOINT_URI="http://homeserver:9000/graylog/api" \
 -v graylog_journal:/usr/share/graylog/data/journal \
 -d graylog/graylog:2.4.0-1

My Nginx config looks like this:

server {

    listen       80;
    server_name  homeserver;

    location /guacamole/ {  
        #snip 
    }

    location /graylog/ {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Remote-User admin;
        proxy_set_header    X-Forwarded-User admin;
        proxy_set_header    X-Graylog-Server-URL http://$http_host/graylog/api;
        proxy_pass          http://graylog:9000/graylog/;    
    }
   
    location /portainer/ {  
        #snip        
    }

       
}

In short, I had to make a few tweaks from the configs on Github. For anyone who comes here from Google, I suggest looking on Github and using that as your base to achieve a similar desired result.

One question though…right now, my GRAYLOG_WEB_ENDPOINT_URI is set to http://homeserver:9000/graylog/api because Graylog Web is accessible via http://homeserver

Let’s say a few weeks later, I publish this web application online through some domain (e.g. http://foobar-public.ddns.me/graylog/) so that it’s not just an internal application, will I need to change the GRAYLOG_WEB_ENDPOINT_URI to something else or can it remain pointing to the internal server hostname?


(Jan Doberstein) #4

Let’s say a few weeks later, I publish this web application online through some domain (e.g. http://foobar-public.ddns.me/graylog/) so that it’s not just an internal application, will I need to change the GRAYLOG_WEB_ENDPOINT_URI to something else or can it remain pointing to the internal server hostname?

My Setup is similar and I have one Server configuration for the internal hostname and one for the external. First to be able to seperate what is available to the outsite world and second to be able to use the following Graylog configuration:

   location /graylog/ {
	   # Graylog reverse proxy
          proxy_set_header    Host $http_host;
          proxy_set_header    X-Forwarded-Host $host;
          proxy_set_header    X-Forwarded-Server $host;
          proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header    X-Graylog-Server-URL https://$server_name/graylog/api;
          proxy_pass          http://graylog_web_interface/graylog/;
   }

where graylog_web_interface is a defined upstream group.


#5

I see - thanks for that. So from an Nginx point of view, it’s possible to access the same service both internally from within the LAN and externally from the WAN.

However, my issue is the docker run command I use to instantiate the Graylog container includes this flag:
-e GRAYLOG_WEB_ENDPOINT_URI="http://homeserver:9000/graylog/api" \

Note that this flag has the internal/local hostname hardcoded in as the web endpoint URI. If I set up Nginx to work for access via the WAN, won’t Graylog break because the web endpoint URI hostname and FQDN for WAN access won’t match and trigger a CORS Violation error?

For example, I’ll load http://foobar-public.ddns.me/graylog/ in my browser. But under the hood, Graylog will be trying to load resources from http://homeserver:9000/api/ and I’m worried this would stop my Graylog working when trying to access from the WAN?


(Jochen) #6

That’s why you can override this setting with an HTTP request header which you could inject in your load-balancer/proxy server:
http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#how-does-the-web-interface-connect-to-the-graylog-server


(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.