Load balancing nginx with ip private in LAN


(Kieulam141) #1

Hello guys,
I’m building load balacing with nginx as a proxy and 2 graylog nodes.
I built success with graylog config:

rest_listen_uri = http://IP_Public:9000/api/
web_listen_uri = http://IP_Public:9000/

and nginx config:

server {
listen 80;
server_name xxx;

    location / {
    proxy_pass  http://graylog-web-cluster;
}
}

upstream graylog-web-cluster {
server IP_Public:9000 max_fails=3 fail_timeout=30s;
server IP_Public:9000 max_fails=3 fail_timeout=30s;
}

Now, I want to build with IP_private instead IP_Public.How can I build it?


(Jan Doberstein) #2

That is easy:

Settings for Graylog (should be always modified for each host)

rest_listen_uri = http://192.168.10.5:9000/api/
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 192.168.10.0/24
web_listen_uri = http://192.168.10.5:9000/

NGINX configuration


upstream graylog_master_interface {
         server 192.168.10.5:9000;
}

upstream graylog_web_interface {
         server 192.168.10.5:9000;
         server 192.168.10.6:9000;
}

# Graylog via https
server
{
    listen      443 ssl http2;
    server_name graylog.example.org;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver 8.8.8.8 208.67.222.222 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_certificate /etc/nginx/ssl/graylog.example.org.fullchain;
    ssl_certificate_key /etc/nginx/ssl/graylog.example.org.key;
    ssl_trusted_certificate /etc/nginx/ssl/graylog.example.org.ca;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Plugins only from the master (current fix for some)
    location /api/plugins/
    {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Graylog-Server-URL https://graylog.example.org/api;
        proxy_pass          http://graylog_master_interface;
    }
    location /
    {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Graylog-Server-URL https://graylog.example.org/api;
        proxy_pass          http://graylog_web_interface;
    }
}


HTTPS stripping on a nginx proxy behind NAT
Web Server Error API
(Kieulam141) #3

Thanks Jan very much, I did it.