That is easy:
Settings for Graylog (should be always modified for each host)
rest_listen_uri = http://192.168.10.5:9000/api/
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 192.168.10.0/24
web_listen_uri = http://192.168.10.5:9000/
NGINX configuration
upstream graylog_master_interface {
server 192.168.10.5:9000;
}
upstream graylog_web_interface {
server 192.168.10.5:9000;
server 192.168.10.6:9000;
}
# Graylog via https
server
{
listen 443 ssl http2;
server_name graylog.example.org;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 208.67.222.222 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_certificate /etc/nginx/ssl/graylog.example.org.fullchain;
ssl_certificate_key /etc/nginx/ssl/graylog.example.org.key;
ssl_trusted_certificate /etc/nginx/ssl/graylog.example.org.ca;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Plugins only from the master (current fix for some)
location /api/plugins/
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://graylog.example.org/api;
proxy_pass http://graylog_master_interface;
}
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://graylog.example.org/api;
proxy_pass http://graylog_web_interface;
}
}