Graylog Nginx SSL configuration issue

Hello!

I’ve been grinding away at trying to get the Graylog Web Interface secured behind Nginx. I can still connect to the webui on port 9000, and Nginx seems to connect securely as my browser says “Graylog Web Interface” in the masthead, but the Graylog interface never comes up on the secure port. Nginx is running on the same server as Graylog.

Here is my Nginx config file:

server
{
 listen 443 ssl;
 server_name glog.cad-server.com;
 location /
 {
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Graylog-Server-URL https://glog.cad-server.com/api;
 proxy_pass http://127.0.0.1:9000;
 # proxy_pass http://ip-address:9000;
 }
 ssl on;
 ssl_certificate /etc/letsencrypt/live/glog.cad-server.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/glog.cad-server.com/privkey.pem;
 ssl_session_timeout 5m;
 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
 ssl_protocols TLSv1.2;
 ssl_prefer_server_ciphers on;
 access_log /var/log/nginx/graylog.access.log;
 error_log /var/log/nginx/graylog.error.log;
}

# http to https redirection
server {
    listen 80;
    server_name glog.cad-server.com;
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^ https://$server_name$request_uri? permanent;
}


The http_bind_address is 0.0.0.0:9000

and the web_publish_uri is http://glog.cad-server.com:9000

I did try to config the httpd_external_uri to be the same as web_publish_uri, but that didn’t work either.

If you get a terminal on your GrayLog server, can you telnet to 127.0.0.1 port 9000? If the port is open to localhost, you should see

$ telnet localhost 9000
Trying ::1...
Connected to localhost.
Escape character is '^]'.

If this doesn’t work, make sure that you’ve restarted your GrayLog service after modifying your GrayLog config, and check for any firewall rules that may be interfering.

One difference that I noticed between our nginx configs is that my server section is under an http section like so:

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        ...
    }
}

Thanks for the reply! I can telnet on localhost to port 9000, so I’m good there.

Sorry, but I’m not entirely clear on your Nginx example. Any chance you could post your Nginx Graylog config? Is it possible this is why I’m getting a blank page?

I added your config snippet to the top of my config but got an error when running the config checker.

sudo nginx -t

nginx: [emerg] invalid number of arguments in "server" directive in /etc/nginx/conf.d/graylog.conf:3

nginx: configuration file /etc/nginx/nginx.conf test failed
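
A layout for /etc/nginx/conf.d/graylog.conf that relates the two configs discussed in this thread, as an added example that is not from any poster or from the Graylog project. It assumes the packaged nginx.conf already has an http block that includes conf.d/*.conf, and Graylog 3.x or later; the trimmed cipher list and the HSTS placement are hardening choices made here.

```nginx
# /etc/nginx/nginx.conf (packaged default, abridged; assumed layout):
# http {
#     include /etc/nginx/conf.d/*.conf;   # graylog.conf is pulled in here
# }

# /etc/nginx/conf.d/graylog.conf: server blocks only, no http { } wrapper,
# because the file is already read inside the http context shown above.
server {
    listen 443 ssl;                       # "ssl" here replaces the deprecated "ssl on;"
    server_name glog.cad-server.com;

    ssl_certificate     /etc/letsencrypt/live/glog.cad-server.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/glog.cad-server.com/privkey.pem;
    ssl_protocols TLSv1.2;
    # The posted list without its 3DES and RSA key exchange entries.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # Browsers honor HSTS only when it arrives over HTTPS, so it is set here
    # rather than on the port 80 server.
    add_header Strict-Transport-Security "max-age=2592000" always;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Assumption: Graylog 3.x+, which takes the external root URL here;
        # Graylog 2.x took the URL ending in /api.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_pass http://127.0.0.1:9000;
    }

    access_log /var/log/nginx/graylog.access.log;
    error_log  /var/log/nginx/graylog.error.log;
}

# Plain HTTP does nothing except redirect to HTTPS.
server {
    listen 80;
    server_name glog.cad-server.com;
    return 301 https://$server_name$request_uri;
}
```

With Nginx on the same host, setting http_bind_address to 127.0.0.1:9000 instead of the 0.0.0.0:9000 quoted in the thread keeps the plaintext listener from being reachable around the proxy.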
