How to configure Nginx for sidecar port 9000/api 3 Graylog Nodes

I want to load balance the Sidecar communication to the Graylog /api on port 9000 via Nginx, but I am unsure how to write the nginx configuration for this. Sidecars that communicate directly with one Graylog node over https://ip.address:9000/api are detected.
Load balancing of logs and https access to graylog is working.

I have 3 Graylog servers (3 IPs). Graylog is running on port 9000 on all servers. https is enabled for every graylog node.

Graylog version: 5.1.2
Sidecar version: 1.4.0

The external uri of Graylog is set (e.g. with example):

http_external_uri =  https://example.com/

This is my nginx configuration for https access to the Graylog backend GUI, which is working fine (inputs (TCP/UDP) are working fine as well, so I am not posting them here).

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;

    # Define the pool of servers to load balance
    upstream webservers {
        server graylog.ip.address.1:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.2:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.3:9000 max_fails=3 fail_timeout=30s;
    }
    # Redirect traffic on port 80 to use HTTPS
    server {
        listen load.balancer.ip.address:80;
        return 301 https://$host$request_uri;
    }
    # Forward traffic on port 443 to one of the servers in the web servers group
    server {
         listen load.balancer.ip.address:443 ssl;
         server_name example.com;
         location / {
              proxy_set_header Host $http_host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Graylog-Server-URL https://$server_name/;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_pass https://webservers;
              proxy_ssl_certificate /path to cert/.pem;
              proxy_ssl_certificate_key /path to key/.key;
              proxy_ssl_trusted_certificate /path to ca/.pem;
              proxy_ssl_protocols TLSv1.2;
              proxy_ssl_ciphers HIGH:!aNULL:!MD5;
         }
         ssl_certificate /path to cert/.pem;
         ssl_certificate_key /path to key/.key;
         ssl_session_cache shared:SSL:1m;
         ssl_session_timeout 5m;
         ssl_protocols TLSv1.2;
         ssl_ciphers HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers on;
    }
}

Now I want to load balance the sidecar communication in nginx. I know the sidecar server_url for one Graylog node would be https://ip of graylog node:9000/api, and that works.

This is my configuration so far, but no new sidecar that should connect via the load balancer shows up. I tried it with ssl and all certificates; still no new sidecar appears. Best would be to just pass it through. The token is there and created.

    upstream api_servers {
        server graylog.ip.address.1:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.2:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.3:9000 max_fails=3 fail_timeout=30s;
    }

    server {
        listen load.balancer.ip.address:9000;
        location /api {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            rewrite ^/api/?(.*) /$1 break;
            proxy_pass https://api_servers;
            proxy_redirect off;
        }
    }

How can I load balance with nginx to three Graylog nodes on port 9000/api via https, with the Graylog https setting active?

Thank you for your help.

Hey @bavarian

This post might help you.

From there you modify the sidecar file

vi /etc/graylog/sidecar/sidecar.yml

Adjust the following.

server_url: "http://graylog_server:9000/api/"

and

server_api_token: " 8v89da5n7cmogkpk_i_eat_ alot_of_beef_vpb4a7muaj4clsn1g9vqr9543ik6kl0seef"

Ok, thank you for this. However, in my setup this did not work.

After long trials with my colleague we came to a solution which suits our setup. It is maybe not best practice, but it works and is kind of simple.

Setup: Graylog (3 nodes) is set up with https enabled; every Graylog node has its own certificate with subject alternative names that contain the web address and the IP address where the load balancer is reachable.

Nginx configuration: moved away from the http block into the stream (TCP) block and just using it as a bypass:

stream {
    upstream api_servers {
        server graylog.ip.address.1:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.2:9000 max_fails=3 fail_timeout=30s;
        server graylog.ip.address.3:9000 max_fails=3 fail_timeout=30s;
    }
    server {
        listen load.balancer.ip.address:9000;
        proxy_pass api_servers;
    }
}

The client with the Sidecar has the CA that signed the Graylog certificates as a trusted CA.
Just a note: the IP address of the load balancer has a DNS entry which matches the web address, so either the web address or the IP address works in the server_url.

server_url: "https://web-address/ip-address:9000/api"

With this setup and the necessary token, the client is visible in the Graylog GUI. The configuration of a beat is also pushable to the client.
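A check for the passthrough setup above, added here as an example and not part of the original post or of Graylog/Sidecar: it performs TLS handshakes through the balancer with the sidecar's CA and verifies that each node certificate it is handed carries a SAN covering the host used in server_url. LB_HOST, LB_PORT and CA_FILE are placeholders for your own values.

```python
import ipaddress
import socket
import ssl

LB_HOST = "example.com"      # placeholder: host named in the sidecar server_url
LB_PORT = 9000               # placeholder: port of the nginx stream listener
CA_FILE = "/path/to/ca.pem"  # placeholder: CA that signed the three node certs


def san_covers(cert, target):
    """True if a cert dict (as returned by ssl getpeercert()) carries a
    subjectAltName matching target, the host or IP literal from server_url.
    DNS names compare case-insensitively; IPs compare as parsed addresses."""
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == want_ip:
                    return True
            except ValueError:
                continue
        elif want_ip is None and kind == "DNS" and value.lower() == target.lower():
            return True
    return False


def probe_once(host=LB_HOST, port=LB_PORT, cafile=CA_FILE):
    """One TLS handshake through the balancer; reports which node cert answered."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verified
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"serial": cert.get("serialNumber"),
                    "covers_lb": san_covers(cert, host)}


if __name__ == "__main__":
    # Three handshakes reach up to three node certificates (distinct serials);
    # every one of them must cover the balancer name, or the sidecar will fail.
    seen = set()
    for _ in range(3):
        try:
            result = probe_once()
        except (ssl.SSLError, OSError) as exc:
            print(f"handshake failed: {exc}")  # CA not trusted or SAN mismatch
            break
        seen.add(result["serial"])
        print(result)
    print(f"distinct node certificates seen: {len(seen)}")
```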

