myaspm
(Mustafa)
June 1, 2018, 8:17am
1
Hi, I’m using Traefik as a load balancer/reverse proxy and I’m trying to terminate SSL for Graylog on Traefik but couldn’t get it done. Graylog gives a “Server currently unavailable” error. It works well without HTTPS.
My server config:
rest_listen_uri = http://X.X.X.X9000/api/
web_listen_uri = http://X.X.X.X:9000/
web_endpoint_uri = http://graylog.example.net:9000/api/
Traefik Servers Config:
[frontends.graylog]
backend = "graylog"
entrypoints = ["https"]
[frontends.graylog.routes.hosts]
rule = "Host:graylog.example.net"
[frontends.graylog.customrequestheaders]
X-Graylog-Server-URL = "https://graylog.example.net/api;"
[backends.graylog]
[backends.graylog.servers.server1]
url = "http://X.X.X.X:9000"
Thanks in advance
jochen
(Jochen)
June 1, 2018, 8:40am
2
What’s the exact and complete error message?
What URI do you try to open and which URI does Graylog try to access?
The trailing semicolon looks wrong.
myaspm
(Mustafa)
June 1, 2018, 8:50am
3
Semicolon didn’t change anything.
Here is the full error on the web interface:
We are experiencing problems connecting to the Graylog server running on
http://graylog.example.net:9000/api/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
Do you need a hand? We can help you.
More details
jochen
(Jochen)
June 1, 2018, 9:02am
4
If you’re accessing the Graylog web interface via HTTPS, you also have to access the Graylog REST API via HTTPS due to the mixed content policy of modern browsers.
Make sure to read the documentation:
myaspm
(Mustafa)
June 4, 2018, 6:41am
5
Still the same error:
Error - the server returned: 404 - cannot POST https://graylog.test.net/api/system/sessions (404)
So here is what I’ve tried so far:
Split the API and web interface to two different ports 8000/9000 and gave URIs as IPs:
rest_listen_uri = http://server_ip:8000/api
web_listen_uri = http://server_ip:9000/
web_endpoint_uri = http://server_ip:8000/api
rest_transport_uri = https://server_ip:8000/api/
Gave URIs as domains:
rest_listen_uri = http://X.X.X.X:8000/api
rest_transport_uri = https://graylog.test.net/api/
web_listen_uri = http://X.X.X.X:9000
web_endpoint_uri = https://graylog.test.net/api
If I give everything as a domain, the server crashes at startup, so that’s definitely wrong.
2 server configurations for both API and web interface on Traefik that I’m extremely sure are correct.
I can access the API from both public/private networks on web browsers.
I’m using the private IP in the configs and Traefik is routing traffic to them, and I’m accessing both the API and the interface through HTTPS.
Thanks in advance
jochen
(Jochen)
June 4, 2018, 6:47am
6
If you only provide configuration snippets, we cannot help you.
Please provide the complete configuration of Graylog and Træfik, the URL you’re trying to access in your browser, and the complete error message for each combination you’ve tried.
myaspm
(Mustafa)
June 4, 2018, 6:57am
7
Okay, I thought only those would be relevant. Full configs:
Traefik server conf:
[frontends]
[frontends.graylog]
backend = "graylog"
entrypoints = ["https"]
[frontends.graylog.routes.hosts]
rule = "Host:graylog.test.net"
#[frontends.graylog.headers.customrequestheaders]
#X-Graylog-Server-URL = "https://graylog.test.net/api"
[frontends.graylogapi]
backend = "graylogapi"
entrypoints = ["https"]
[frontends.graylogapi.routes.hosts]
rule = "Host:graylog.test.net;Path:/api"
[backends]
[backends.graylog]
[backends.graylog.servers.server1]
url = "http://10.6.42.15:9000"
[backends.graylogapi]
[backends.graylogapi.servers.server1]
url = "http://10.6.42.15:8000"
And here is full graylog-server conf:
https://paste.ubuntu.com/p/8zSvtww2YS/
sebpon
June 5, 2018, 11:02am
8
Hello, I just achieved what you want to do on my own test setup and here is what I did.
Graylog configuration
I only defined the following parameters in server.conf:
rest_listen_uri = http://<localipaddress>:<graylog port>/api
web_listen_uri = http://<localipaddress>:<graylog port>
I left the API on the same port, as you can notice.
Traefik configuration
I defined a redirect of all HTTP traffic to HTTPS:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
Then in the frontends I defined my Graylog rule
[frontends]
[frontends.graylog]
backend = "graylog"
passHostHeader = true
[frontends.graylog.headers.customrequestheaders]
X-Graylog-Server-URL = "https://<your public hostname>/api/"
[frontends.graylog.routes.route_1]
rule = "Host: <your public hostname>"
I use a rule based on the requested hostname
Then in backend configuration
[backends]
[backends.graylog]
[backends.graylog.servers.server_1]
url = "http://<localipaddress>:<graylog port>"
It looks like it is working correctly (just configured it a few minutes ago) and I can access all menus / functions of my Graylog setup.
Hope it helps …
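An added example (not code from the thread or from Graylog) that applies the mixed-content point from post 4 to the settings in posts 1 and 8: it works out which API URI the browser ends up with and checks it against the page URL. The fallback order (X-Graylog-Server-URL header, then web_endpoint_uri, rest_transport_uri, rest_listen_uri), the function names and the 10.0.0.5 address are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: post 1's settings, with 10.0.0.5 standing in for X.X.X.X.
POST1_CONF = """
rest_listen_uri = http://10.0.0.5:9000/api/
web_listen_uri = http://10.0.0.5:9000/
web_endpoint_uri = http://graylog.example.net:9000/api/
"""

def parse_conf(text):
    """Parse server.conf style 'key = value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def effective_api_uri(conf, server_url_header=None):
    """API URI handed to the browser (assumed order: header, then config)."""
    candidates = (server_url_header, conf.get("web_endpoint_uri"),
                  conf.get("rest_transport_uri"), conf.get("rest_listen_uri"))
    return next((c for c in candidates if c), None)

def _origin(url):
    """(host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def check_api_uri(page_url, api_uri):
    """Return the reasons the browser's API calls would fail, if any."""
    problems = []
    if urlsplit(page_url).scheme == "https" and urlsplit(api_uri).scheme != "https":
        problems.append("mixed-content")      # HTTPS page, plain-HTTP API
    if _origin(api_uri) != _origin(page_url):
        problems.append("different-origin")   # host:port the proxy must also expose
    if ";" in urlsplit(api_uri).path:
        problems.append("stray-semicolon")    # e.g. ".../api;" in the header value
    return problems

if __name__ == "__main__":
    conf = parse_conf(POST1_CONF)
    page = "https://graylog.example.net/"
    for header in (None, "https://graylog.example.net/api;",
                   "https://graylog.example.net/api/"):
        api = effective_api_uri(conf, header)
        print(header, "->", api, check_api_uri(page, api))
```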
myaspm
(Mustafa)
June 5, 2018, 11:21am
9
I’ll try this and get back ASAP, thanks a lot!
Edit: It’s working now, I’m very grateful, thank you so much!
jochen
(Jochen)
June 5, 2018, 12:07pm
10
@sebpon It would be great if you could contribute the configuration to the Graylog documentation:
.. _configuring_webif:
*************
Web interface
*************
When your Graylog instance/cluster is up and running, the next thing you usually want to do is check out our web interface, which offers you great capabilities for searching and analyzing your indexed data and configuring your Graylog environment. Per default you can access it using your browser on ``http://<graylog-server>:9000/api/``.
Overview
========
The Graylog web interface was rewritten in JavaScript for 2.0 to be a client-side single-page browser application. This means its code is running solely in your browser, fetching all data via HTTP(S) from the REST API of your Graylog server.
.. note:: Both the web interface URI (see ``web_listen_uri``) and the REST API (see ``rest_listen_uri`` and ``rest_transport_uri``) must be accessible by everyone using the web interface. This means that Graylog *must* listen on a public network interface *or* be exposed to one using a proxy or NAT!
Single or separate listeners for web interface and REST API?
============================================================
Since Graylog 2.1 you have two options when it comes to exposing its web interface:
sebpon
June 6, 2018, 6:21am
11
Hello @jochen,
No problem, I’ll have a look at how I can contribute and will do it when I get some spare time.
Happy I could help.
system
(system)
Closed
June 20, 2018, 6:21am
12
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.