Is TLS required in graylog.conf if using nginx for SSL?

I’m new to all of this and it still unclear after reading the docs what needs to be configured with respect to TLS when using a local nginx reverse proxy to terminate connections.

1. Does TLS need to be enabled in the server.conf
2. Do certs need to be added to the java keystore?

It’s up to you.
Where would you end the TLS?
Do you need TLS for the GUI (http) or for logs?

We require encrypted communication for the GUI and for beats clients sending log data to the server.

We have nginx installed locally on our single GL3 server and graylog services listen on 127.0.0.1.

Our nginx conf.

server
{
    listen      443 ssl http2;
    server_name server.example.com;
    ssl_certificate /etc/nginx/certificates/wildcard.example.com.chained.crt;
    ssl_certificate_key /etc/nginx/certificates/example.key;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


    location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/;
      proxy_pass       http://127.0.0.1:9000;
    }
}

Do you need TSL between nginx and GL for GUI (on localhost based on your config)?

Nginx can’t do your TSL on Beats, you need to do it on GL side.
For beats I suggest to do http://docs.graylog.org/en/latest/pages/configuration/https.html but only the cert formatting and java key store. After you can set the cert on GUI.

So beats cannot go through nginx meaning that the GL server has to have port 5044 listening on its external interface so beats can connect directly to it?

yes, beats can’t be done via proxy.

you might want to look into: http://docs.graylog.org/en/3.0/pages/secure/sec_graylog_beats.html

Is this a limitation with beats, nginx or GL?

the reason is the beats protocol and how the framework defines the connection.

Is there an alternative method we can use to ship logs that can go through a reverse proxy?

use another kind of collector.

Why is it a problem to speak direct from your beats to Graylog?

I’m not sure…
If you set some fix load balance method in nginx it can handle TLS logs.
I use syslog with TLS where the nginx only load balancing, and the graylog make the TLS. So I think if you configure as stream in nginx, you can do the balancing, but not more, because the traffic is encrypted.

But also as far as I know beats supports loadbalancing, so maybe you don’t need use a proxy fpr that traffic.

Uniformity. More flexible for growth. Added layer of security.

What other collector can be run through a proxy with TLS?

Think it again.
If you want the nginx open the tls you have to choose a protocoll what nginx can handle.
Try http:) or check nginx docs.
It can put ssl to stream.

// The Best firewall is the one cm air between the ethernet cable and NIC.

Thanks. I’ll look at one that supports https.

//The best protection is to disconnect and bury the computer underground. If we can’t do that then we practice defense in depth.

You can use NXLog.
NXLog sends logs to a syslog relay (rsyslog) via TLS, then this relay sends logs to Graylgo via TLS.
And NXLog is configured with Sidecar which communicatse with Graylog API via HTTPS.

We’ll look into that. Thanks Frantz.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.