Nginx as a load balancer for graylog UI


(Akhil Bhardwaj) #1

We have a 3-node Graylog cluster running in containers.
Each container contains Graylog + nginx, and I want to use nginx as a load balancer on top of all containers for the Graylog UI.
That means there will be two layers of nginx: one acts as the main load balancer, distributing all Graylog UI requests to the Graylog containers; each request is then handled by the nginx inside the container and finally by Graylog.

My concern is whether we are doing this the correct way, because the nginx that is acting as the load balancer often gets stuck, and then the Graylog UI does not work; only a grey screen is shown.

Should I use only a single nginx that acts as the load balancer and also as the proxy for Graylog?


(Jan Doberstein) #2

whatever works in your environment.

I have up to 3 nginx proxies in my lab before the request reaches Graylog …


(Akhil Bhardwaj) #3

Hi Jan,

Thanks for your input. Can you please share an example of your nginx config file?
Which parameters are you using to pass requests from one proxy to another?


(Jan Doberstein) #4

Nothing fancy or special.

The nginx configuration used for the first proxy in front of Graylog can be found in my Docker lab setup:

Then the second chain uses this configuration:

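# Outer reverse proxy (the "second chain" described in the post): terminates TLS
# on 192.168.1.10:443 and forwards /portainer/, /graylog/, /cerebro and
# /nosqlclient to their backends.
server {

  listen 192.168.1.10:443 ssl http2;
  server_name nuci3 nuci3.lan nuci3.local.lan;

  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
  # TLSv1.3 can be appended on nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  resolver 192.168.1.4 192.168.1.1 valid=300s;
  resolver_timeout 5s;
  # Security response headers. Without the "always" parameter nginx adds these
  # only to successful and redirect responses, not to error pages.
  # NOTE(review): "includeSubdomains; preload" pins HTTPS for every subdomain of
  # the names served here - confirm that is intended before reusing this line.
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  root /home/srv/nuci3.local.lan/root;

  # Certificate and key issued by the lab's own CA (paths under /etc/myCA).
  ssl_certificate_key /etc/myCA/nuci3.lan/nuci3.lan.key;
  ssl_certificate /etc/myCA/nuci3.lan/nuci3.lan.pem;


  # DH parameters used by the EDH cipher suites listed in ssl_ciphers.
  ssl_dhparam /etc/myCA/dhparams.pem;

  # https://github.com/portainer/portainer-docs/blob/master/docs/source/faq.rst

  # Portainer UI.
  # NOTE(review): this hop to 192.168.1.4:9000 is plain HTTP; that is only
  # acceptable if the network between proxy and backend is trusted.
  location /portainer/ {

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://192.168.1.4:9000/;
  }
  # Portainer websocket endpoint: passes the Upgrade handshake to the backend.
  location /portainer/api/websocket/ {

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_pass http://192.168.1.4:9000/api/websocket/;
  }

  # Graylog reverse proxy
  location /graylog/ {

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    # $proxy_add_x_forwarded_for appends the client address to whatever
    # X-Forwarded-For value the client sent, so the first entries are
    # client-controlled. The backend should honour this header only from known
    # proxy addresses (in Graylog: the trusted_proxies setting).
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): this advertises an http:// URL although the vhost listens
    # with TLS only; the commented-out https variant below looks like the
    # intended form. Confirm against the URL the browser actually requests, and
    # check whether the next proxy in the chain overwrites this header anyway.
    proxy_set_header X-Graylog-Server-URL http://$server_name/graylog/api;
    #proxy_set_header    X-Graylog-Server-URL https://$http_host/graylog/api;
    # nginx does not verify the upstream certificate by default; enabling
    # proxy_ssl_verify together with proxy_ssl_trusted_certificate (the lab CA)
    # would authenticate the next hop. The same applies to the other https
    # proxy_pass targets in this server block.
    proxy_pass https://192.168.1.50/graylog/;

  }

  # cerebro reverse proxy
  # NOTE(review): no access control is visible in this block; whoever can reach
  # this vhost can reach the cluster admin tool unless the backend enforces auth.
  location /cerebro {

    proxy_pass https://192.168.1.50/cerebro;
  }

  # nosqlclient reverse proxy
  # NOTE(review): as with /cerebro, authentication has to come from the backend
  # or be added here; nothing in this block restricts access.
  location /nosqlclient {

    proxy_pass https://192.168.1.50/nosqlclient;
  }


}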
