Hi all, I hope someone can help as I am a bit of a noob on docker and containers and this is my first attempt at using docker and containers! At a high level, my Graylog environment is currently set up like the following configuration:
- Ubuntu 18.04 VM
- Docker and docker compose installed on the Ubuntu VM
- Graylog, Elasticsearch and MongoDB, Nginx and Certbot running as docker containers
- Nginx is set up as a reverse proxy for port 80 to port 9000 on the Graylog container
What I really want to do is configure Nginx to secure connections to the VM using port 443/HTTPS which then forwards on port 9000 to the Graylog container. I have read the documentation with regards to using Nginx as a reverse proxy: https://docs.graylog.org/en/3.1/pages/configuration/web_interface.html#configuring-webif-nginx which all makes sense. What I can’t seem to get working is the Certbot which looks for a .well-known folder within Nginx I believe:
```
certbot | Domain: my.domain.net
certbot | Type: unauthorized
certbot | Detail: Invalid response from
certbot | http://my.domain.net/.well-known/acme-challenge/uWWZoAes9tJDopP9oNJ3PQBIEt8P-Cek0FMdh3u9HvQ
certbot | [51.143.152.188]: "<html>\r\n<head><title>502 Bad
certbot | Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad
```
However, once that is working I am not sure what I should be changing in my nginx.conf file and what exactly needs to be changed in the docker-compose file.
Any help is greatly appreciated!
Below is my docker-compose file:
```yaml
version: '2'
services:
  mongodb:
    image: mongo:3
    container_name: mongodb
    volumes:
      - mongo_data:/data/db
      - mongo_config:/data/configdb
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.2
    container_name: elasticsearch
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # NGINX Configuration
  nginx:
    image: nginx
    container_name: nginx
    volumes:
      - ./nginx-conf:/etc/nginx/conf.d
    ports:
      - 80:80
      - 443:443
  # Certbot / Lets Encrypt Configuration
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./letsencrypt:/etc/letsencrypt
    command: certonly --standalone -d my.domain.net --staple-ocsp -m email@my.domain.net --agree-tos
  # Graylog:
  graylog:
    image: graylog/graylog:3.1
    container_name: graylog
    volumes:
      - graylog_data:/usr/share/graylog/data
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=removedforprivacy
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=removedforprivacy
      - GRAYLOG_HTTP_EXTERNAL_URI=http://my.domain.net:9000/
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
    links:
      - mongodb:mongo
      - elasticsearch
      - nginx
      - certbot
    depends_on:
      - mongodb
      - elasticsearch
      - nginx
      - certbot
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
# Volumes for persisting data
volumes:
  mongo_data:
    driver: local
  mongo_config:
    driver: local
  es_data:
    driver: local
  graylog_data:
    driver: local
  nginx_conf:
    driver: local
```
Below is my current nginx.conf:
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name my.domain.net;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass http://my.domain.net:9000;
    }
}
```
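The nginx configuration below is an added example of the HTTPS setup the question asks for; it is not the original poster's config and not taken from the Graylog documentation. It assumes the layout of the compose file above: nginx and graylog are services in the same compose project, so the upstream is reachable as `graylog:9000` on the compose network rather than through the public hostname; certbot's `./letsencrypt` directory is additionally mounted read-only into the nginx container at `/etc/letsencrypt`; and one extra host directory (the name `./certbot-www` is made up here) is mounted at `/var/www/certbot` in both the nginx and certbot containers so certbot can use the webroot challenge method. Two things visible in the posted files motivate that: port 80 is published by the nginx container, so a `--standalone` certbot running in its own container never receives the challenge request, and the posted nginx.conf proxies every path, including `/.well-known/acme-challenge/...`, to Graylog; the 502 body in the certbot log is nginx's own error page, i.e. the challenge was proxied and the upstream did not answer.

```nginx
# Added example, not the poster's config. Assumed mounts (not in the posted compose file):
#   nginx:   ./letsencrypt:/etc/letsencrypt:ro   and   ./certbot-www:/var/www/certbot
#   certbot: ./letsencrypt:/etc/letsencrypt      and   ./certbot-www:/var/www/certbot

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name my.domain.net;

    # ACME HTTP-01 challenge files are served straight from the shared webroot,
    # never proxied to Graylog. certbot -w /var/www/certbot writes them under
    # /var/www/certbot/.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain.net;

    # Paths certbot creates under /etc/letsencrypt for the -d name.
    ssl_certificate     /etc/letsencrypt/live/my.domain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.domain.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling is done by nginx here; certbot's --staple-ocsp flag only
    # affects certbot's own installer plugins, not a plain certonly run.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/my.domain.net/chain.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Graylog uses this to build links; it must be the public HTTPS URL.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;

        # Resolve the compose service name at request time through Docker's
        # embedded DNS (127.0.0.11) so nginx still starts when the graylog
        # container is created after it (graylog depends_on nginx above).
        resolver 127.0.0.11 valid=30s;
        set $graylog_upstream http://graylog:9000;
        proxy_pass $graylog_upstream;
    }
}
```

To go with this, the certbot service's command changes from `--standalone` to the webroot method, e.g. `certonly --webroot -w /var/www/certbot -d my.domain.net -m email@my.domain.net --agree-tos`, with the two mounts noted in the block added to the certbot and nginx services. On the very first run the certificate files do not exist yet and nginx will refuse to start with the 443 server block present, so do the first issuance with only the port-80 block in place (or with the 443 block temporarily commented out), then add it back and reload nginx; renewals do not have this problem because the challenge location is always served. Two follow-on changes in the compose file are worth making at the same time: set `GRAYLOG_HTTP_EXTERNAL_URI` to `https://my.domain.net/` so Graylog generates links through the proxy, and stop publishing `9000:9000` on the host (or bind it as `127.0.0.1:9000:9000`), otherwise the web interface and REST API stay reachable over plain HTTP on port 9000, bypassing TLS entirely.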