Multi Node Setup + SSO

Dear Community,

I’m trying to set up a three node Graylog-Server Cluster with a 7 node Elasticsearch Cluster. My Setup has 3 Nodes MongoDB + Graylog-Server and 7 Nodes with Elasticsearch. Every Graylog node is behind an Apache proxy (in the future there will be an F5 load balancer at the front).

At the moment, Graylog is reachable over our first graylog node.

What are the steps to set up a multi node?
I tried the following

With this configuration, my first node works with local accounts, but not with SSO. But the headers are sent, as I checked via tcpdump.

The second node is unreachable in this setup.

Any ideas what I did wrong and how to fix it?

Hey @SKrinetzki

On all Graylog servers you would have to set your rest_listen_uri to 0.0.0.0:9000/api and your web_listen_uri to 0.0.0.0:9000.

See http://docs.graylog.org/en/2.4/pages/configuration/server.conf.html#general

To be safe, the rest_transport_uri on each node should be set to one IP where the node is reachable for others, because this is used by other nodes to communicate with each other. If the communication should be done via HTTPS, include the keys and certs for rest and web listen at the same time.

Then you would have one proxy that is the frontend for all nodes with a configuration like you can see in the docs ( http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#apache-httpd-2-x ). The important part is to set the X-Graylog-Server-URL "https://graylog.example.org/api/" setting to your load balancer's URL.

When the SSO Plugin comes into play, this Plugin needs to be present on all Graylog Nodes. The Proxy (your Apache) then needs to ensure some kind of authentication and send the header to Graylog with each request ( http://docs.graylog.org/en/2.4/pages/users_and_roles/external_auth.html#single-sign-on ).

Does this make it more clear?

Jan

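Added example (not part of the original thread and not Graylog's own code): a small checker for the server.conf settings described in the reply above, run over constructed excerpts for three nodes. The node names, addresses, the full http:// URI form of the values and the duplicate-address check are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed server.conf excerpts; node names and addresses are made up.
SAMPLE = {
    "graylog1": "rest_listen_uri = http://0.0.0.0:9000/api/\n"
                "web_listen_uri = http://0.0.0.0:9000/\n"
                "rest_transport_uri = http://10.0.0.11:9000/api/\n",
    "graylog2": "rest_listen_uri = http://127.0.0.1:9000/api/\n"
                "web_listen_uri = http://0.0.0.0:9000/\n"
                "rest_transport_uri = http://10.0.0.11:9000/api/\n",
    "graylog3": "# rest_transport_uri left unset\n"
                "rest_listen_uri = http://0.0.0.0:9000/api/\n"
                "web_listen_uri = http://0.0.0.0:9000/\n",
}
# Hosts that other cluster members cannot use to reach this node.
UNREACHABLE = {"0.0.0.0", "127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_cluster(confs):
    """Return sorted (node, problem) pairs for the settings named in the reply."""
    problems, seen = [], {}
    for node, text in confs.items():
        conf = parse_conf(text)
        for key in ("rest_listen_uri", "web_listen_uri"):
            if urlsplit(conf.get(key, "")).hostname != "0.0.0.0":
                problems.append((node, f"{key} is not bound to 0.0.0.0"))
        host = urlsplit(conf.get("rest_transport_uri", "")).hostname
        if host is None:
            problems.append((node, "rest_transport_uri is not set"))
            continue
        if host in UNREACHABLE:
            problems.append((node, "rest_transport_uri is not reachable by other nodes"))
        if host in seen:  # assumption: each node advertises its own address
            problems.append((node, f"rest_transport_uri duplicates {seen[host]}"))
        seen.setdefault(host, node)
    return sorted(problems)

if __name__ == "__main__":
    for node, problem in check_cluster(SAMPLE):
        print(f"{node}: {problem}")
```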

Hello @jan

Thanks for the clarification. I was on the right track, but not at the goal. It makes sense now. Thank you so far.

Stephan
