Graylog sidecar Error 401 behind Nginx Reverse Proxy with SSL Enabled

Hi all,
My scenario is simple

I have an nginx reverse proxy running on the same server with the Graylog instance.
curl works

I am trying to connect a sidecar, which is on another server for test purposes, but I keep getting the error below no matter what I try.

Note: One critical part may be that I am using a wildcard SSL certificate for the domain for the Nginx SSL keys.

  • HTTPS from browser works
  • But authentication doesn't work

Error messages are:
level=error msg="[UpdateRegistration] Bad response from Graylog server: 401 Unauthorized"

My configs are

Graylog server config- critical part:

http_bind_address = 127.0.0.1:9000
http_external_uri = https://subdomain.domain/
http_publish_uri = https://subdomain.domain/

first:

  • http_publish_uri should be http://127.0.0.1:9000 in your case. Because that is how Graylog is communicating with itself (in a single server setup)

second:

Hi Jan, thanks for the answer.
1- I changed http_publish_uri as you suggested -
a- Still getting Error 401
b- I cannot browse the “API-BROWSER” page with this change from my personal computer since it changed the HTTP URI to internal (is this normal?)

Yes, I have an API token configured in Graylog and pasted that API token into sidecar.yml in Graylog sidecar.

I suspect the NGINX conf for the /api/ directory, as below:

**Nginx config for API location**

location /api/ {

proxy_ssl_server_name on;
proxy_no_cache $cookie_nocache;
proxy_cache_bypass $cookie_nocache;

#proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$server_name/;
#proxy_set_header X-Forwarded-Prefix /api/;

proxy_pass http://127.0.0.1:9000/api/;

proxy_pass http://127.0.0.1:9000/api/$request_uri;

}

Hey,

  1. was not to clear your problem but general advice. You can still reach the API browser - just the button sends you wrong (add the /api/api-browser to your Graylog URI).

  2. not sure where you have taken the NGINX config from because the working example from our docs is different: http://docs.graylog.org/en/3.1/pages/configuration/web_interface.html#nginx

Hi Jan, thanks for your perspective and prompt response.
1- One thing: I was thinking that if the API page is accessible from the external world then the sidecar can access it, since the sidecar config, which resides in /etc/graylog/sidecar/sidecar.yml, is like below:

# The URL to the Graylog server API.
server_url: "https://subdomain.domain/api/"

where I concluded that the API shall be accessible from outside - am I wrong?
Because this URL utilizes the API to authenticate to the Graylog server.

2- The working config doesn’t expose the API somehow to outside if you don’t have the “/api/” location enabled separately, which I did because of my point in the 1st answer.

The other directives are for cookie caching and resolving problems related to SSL sessions together with DNS issues of Nginx.

For the URL you sent: it is mostly the same, maybe a very small variation, but I will try again with the standard guidance and let you know about it too.

I believe the problem is exposing the API through SSL but not being able to authenticate because somehow the authentication token is not passed properly with the NGINX config.

But I still cannot figure out what's the solution.

You missed something entirely and screwed the configuration for some reason. With the scattered information so far it is nearly impossible to find the gap.

The server_url in your sidecar configuration looks ok - that you get the 401 error indicates that you do not have a token configured (or have that commented … )

Having a proxy serving Graylog is not unlikely and you do not need any special tricks to make that run.

Thanks a lot- I am testing it and will give a feedback soon.

Hi,
I found it finally. The solution was the basic config.
The problem was the disabled token authentication in the authentication menu - I disabled it several weeks ago and then needed to re-enable it.
It would be good to have a warning while configuring tokens to show that token authentication is disabled, since now it seems totally independent.

Thanks for all the help and responses - appreciated!
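
An added example, not part of the original thread or of Graylog's code: a small check that sends the same API token to Graylog directly and through the Nginx proxy, then uses the two status codes to tell a proxy fault from a server-side one such as the disabled token authentication found above. The function names, the `system` resource used as the authenticated endpoint, and the placeholder token are assumptions; the URLs are the ones quoted in the thread.

```python
import base64
import urllib.error
import urllib.request


def token_auth_header(api_token: str) -> str:
    """Graylog API tokens use HTTP Basic auth: token as user, literal 'token' as password."""
    raw = f"{api_token}:token".encode()
    return "Basic " + base64.b64encode(raw).decode()


def probe(base_url: str, api_token: str, path: str = "system", timeout: float = 5.0) -> int:
    """Return the HTTP status of an authenticated GET, or 0 if the URL is unreachable."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/" + path,  # 'system' is an assumed authenticated resource
        headers={"Authorization": token_auth_header(api_token),
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status code
        return err.code
    except OSError:  # DNS failure, refused connection, TLS error, timeout
        return 0


def diagnose(direct_status: int, proxied_status: int) -> str:
    """Localise the fault from the direct and proxied status codes."""
    if direct_status == 0:
        return "backend unreachable: check http_bind_address"
    if direct_status == 401:
        return "Graylog rejects the token: check the token and that token authentication is enabled"
    if proxied_status == 0:
        return "proxy unreachable: check DNS, TLS and the nginx listener"
    if proxied_status == 401:
        return "credentials lost on the proxy path: check the nginx location block"
    if direct_status == proxied_status == 200:
        return "token accepted on both paths"
    return f"unexpected statuses: direct={direct_status} proxied={proxied_status}"


if __name__ == "__main__":
    token = "REPLACE_WITH_API_TOKEN"  # placeholder, not a real token
    # Run on the Graylog host, because the API is bound to 127.0.0.1.
    direct = probe("http://127.0.0.1:9000/api/", token)
    proxied = probe("https://subdomain.domain/api/", token)  # server_url from sidecar.yml
    print(diagnose(direct, proxied))
```

A 401 on the direct probe rules out the proxy configuration, which is the situation this thread ended in.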