HTTPS stripping on a nginx proxy behind NAT

v0r0n · 2017-05-08 13:23:12 UTC

Hi, i have a proxy with https that should strip the ssl and redirect http->https and than go to http to the graylog inside LAN, i’ve tryed a lot of different configurations, none of them worked so far, the web interface and api used in different ports, i can access the web interface but it has issues with using the api
Error message
Bad request
Original Request
GET http://graylog.example.com:12900/system/cluster/node
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

this is the error i’m getting. and if i go for the link it works fine from any point (internal and external)
did anyone tryed something like this before?

jan · 2017-05-08 14:07:29 UTC

Hej Sergey,

what is your configuration are looking like? Every component on one Server?

Did you look into http://docs.graylog.org/en/2.2/pages/configuration/web_interface.html ?

I had personal running my environment on HTTPS and only my NGINX Proxy terminates SSL - the environment is a multi node one and you can see the configuration here: Load balancing nginx with ip private in LAN

Maybe this will help you

v0r0n · 2017-05-08 14:50:48 UTC

Hi, Thank you for the answer, yes i saw and tried this way, my difference is that i have one node and i have api and web on a different ports and web works correctly, the problem is api, i have tried to just forward 12900 http and it looks like it starts for a few seconds and then i have the error i described tried the config from the docs (replaced the ip’s) tryed to make a 301 redirect on http and than https strip (took the https part from your config) all still the same

v0r0n · 2017-05-08 15:25:04 UTC

config
https://pastebin.com/my39bL2R

jan · 2017-05-09 06:43:54 UTC

Hej Sergey

you took a bit from every documentation and mixed something together that can’t work.

Please re-read the web interface documentation and clean your configuration.

Are you bound to use two different ports? If no consider that you move everything to one port. Using the configuration I had referred already.

If you are bound to two ports, look at the older Version of the Documentation ( http://docs.graylog.org/en/2.0/pages/configuration/web_interface.html#nginx ) that holds some snippets for that.

v0r0n · 2017-05-09 12:40:23 UTC

this is not a first try(i’ve tried a lot of different configs), yes i’m bound to use different ports, that is why all of the issue, if now i would just copy the documentation example, i’m interested if someone did configurations common to what i need. About the older configuration i’ve tried to copy it and make 301 redirect on http ports and then this configuration only with ssl, that didn’t work for the api part as well

jan · 2017-05-11 06:17:30 UTC

You should really read the Documentation - from what I had taken from your posting my configuration would look like the following

Set in your server.conf:

rest_listen_uri = http://192.168.x.x:12900
web_listen_uri = http://192.168.x.x:9000

Remove:

web_endpoint_uri = graylog.example.com:12900
rest_transport_uri = http://192.168.x.x:12900

server
{
        listen 80;
        server_name graylog.cominform.com;
        return 301 https://$server_name$request_uri;
}

server
{
    listen      443 spdy;
    server_name graylog.cominform.com;
    include /etc/nginx/conf.d/ssl-com.template;

location /
    {
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Graylog-Server-URL https://graylog.cominform.com:12900;
        proxy_set_header    Host $http_host;
        proxy_pass          http://192.168.x.x:9000;
    }
}

server
{
    listen      12900 spdy;
    server_name graylog.cominform.com;
    include /etc/nginx/conf.d/ssl-com.template;

location /
    {
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        proxy_pass          http://192.168.x.x:12900;
    }
}

v0r0n · 2017-05-10 16:55:29 UTC

tried, issue remains the same, only now it prompts for login for about 5 seconds, it was less than a second in my previous attempts, and if i try to login in 5 sec after i type Enter error occurs again

v0r0n · 2017-05-10 16:58:04 UTC

sorry, my bad, i’ve missed another configuration that was there before, now it work’s fine, thank you very much!!