HAProxy configurtion with HTTPS

Graylog Tech Challenges
1

Hi ,
I a have setup a Graylog cluster with two nodes and configured ssl certificates; all are working fine.
The next step is to configure a load balancing for the cluster; I passed thorough all the documentation related to the topic but still don’t find the right way to do it.
Lately I installed nginx on both nodes and also configured https on each
The example I try to follow is the one on
https://docs.graylog.org/en/4.0/pages/configuration/web_interface.html
Multiple Backends (roundrobin) with Health-Check (using HTTP) :
Following are my questions:

  1. This listing is for backend with HTTP, as in my setup I use HTTPS , should I just change the top part and adapt to https ?
  2. Should this listing (modified according to my setup) be copied on virtual host of the nginx web server on each node ? or somewhere else ?
    frontend graylog_http
    bind *:80
    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str graylog.example.org
    use_backend graylog

backend graylog
description The Graylog Web backend.
balance roundrobin
option httpchk HEAD /api/system/lbstatus
http-request set-header X-Graylog-Server-URL http://graylog.example.org/
server graylog1 192.168.0.10:9000 maxconn 20 check
server graylog2 192.168.0.11:9000 maxconn 20 check
server graylog3 192.168.0.12:9000 maxconn 20 check

  1. In the Graylog configuration file /etc/graylog/server/server.conf I already setup HTTPS, should I keep or remove it because ssl certificate has been installed in the nginx ?
  2. Or may I get a sample configuration for HA Proxy in order to lad balance between the nodes with a health check with HTTPS ?
    Thanks,

Aboubacar

2

Hello, Aboubacar,

Welcome to the Graylog community. Glad you’re here. I’ve moved your post to the challenges where it’ll get more attention.

Are you getting any errors? If so, please let us know.
Also, from our documentation, please be sure you’ve read this note:

The HTTP address must be accessible by everyone using the web interface. This means that Graylog must listen on a public network interface or be exposed to one using a proxy, NAT or a load balancer!

3

Hi David,
Thank you for the follow up,
I am still confused to where install the HAProxy software

  1. Should I install it on each Graylog server or to a separate machine dedicated to load balancing ?
  2. May a get a sample working configuration /etc/haproxy/haproxy.cfg with Graylog ?

Thanks

4

Hey, aboubacar.

Check out our 4.0 documentation (we just released 4.1 yesterday). The information on HAProxy on this page shows a configuration file. Let us know if this helps.

Making the web interface work with load balancers/proxies

If you want to run a load balancer/reverse proxy in front of Graylog, you need to make sure that:

  • The HTTP port of the load balancer/reverse proxy is accessible for clients
  • The HTTP address for the Graylog server is properly set (as explained in How does the web interface connect to the Graylog server?), so it is resolvable and accessible for the load balancer/reverse proxy.
  • If you use SSL, your certificates must be valid and trusted by your clients.

Note

To help you with your specific environment, we show some example configuration use cases.

https://docs.graylog.org/en/4.0/pages/configuration/web_interface.html?highlight=haproxy

Regarding installing the HAproxy on Graylog, these links may help you to answer that question:

5

Hi
Thank you for the quick, response
To resume what I understand,
On both of my (2) Graylog servers I install and configure HAProxy according to the documentation on links your you referred ?
Aboubacar

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.