Nginx Config Examples

aaronsachs · August 2, 2021, 3:19pm

For those of you who use Nginx as a reverse proxy or load balancer, you may find these configuration files useful:

Here’s the example main nginx config I use for load balancing tcp/udp connections:

nginx.conf


user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# In order to load balance TCP connections, we need to ensure that we use the "stream"
# module that's in Nginx's open source offering.
stream {

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a  Syslog input. 

  upstream graylog_syslog {
    server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs01.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs02.example.com:1514 max_fails=3 fail_timeout=30s;
  }

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a  GELF input. 

  upstream graylog_gelf {
    server logs00.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs01.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs02.example.com:12201 max_fails=3 fail_timeout=30s;
  }

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a  beats input. 

  upstream graylog_beats {
    server logs00.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs01.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs02.example.com:5044 max_fails=3 fail_timeout=30s;
  }
  
# This is where the load balancing takes place and we tell Nginx to listen on 1514 UDP for UDP sysloog

  server {
    listen 1514 udp;
    proxy_pass graylog_syslog;
    proxy_timeout 1s;
    error_log /var/log/nginx/graylog_syslog_udp.log;
  }

# This is where we tell Nginx to listen on 1514 UDP for TCP sysloog  

  server {	
    listen 1514;
    proxy_pass graylog_syslog;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_syslog_tcp.log;
  }

# This is where we tell Nginx to listen on 1514 UDP for TCP GELF  

  server {
    listen 12201;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

# This is where we tell Nginx to listen on 1514 UDP for UDP Gelf  

  server {
    listen 12201 udp;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

# This is where we tell Nginx to listen on 1514 UDP for TCP Beats  

  server {
    listen 5044;
    proxy_pass graylog_beats;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_beats.log;
  }

}

Here’s a more specific config that I use for load balancing connections to the UI/API:

logs.example.conf

# Here we define our upstream software
upstream graylog {
  server logs00.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs01.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs02.example.com:9000 max_fails=3 fail_timeout=30s;
}

server {
  listen *:80;
  server_name           logs.example.com;

  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/logs.example.com.access.log combined;
  error_log             /var/log/nginx/logs.example.com.error.log;
}

server {
  listen       *:443 ssl;
  server_name  logs.example.com;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1.2;
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ssl-logs.example.com.access.log combined;
  error_log  /var/log/nginx/ssl-logs.example.com.error.log;

  location / {
    # Simple requests
    if ($request_method ~* "(GET|POST)") {
      add_header "Access-Control-Allow-Origin"  *;
    }

    # Preflighted requests
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;
    }
 
    proxy_pass https://graylog;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
  }
}

Cheers!

dscryber · January 15, 2022, 1:26am

A post was split to a new topic: Moving to Xfer and Xfer

gsmith · January 22, 2022, 12:49am

@hollowdew

Hey this is some awesome stuff and it works great. I tried it a couple times what you posted, but I was wondering if you could start your own post/s. under
Nginx Config Examples. For example call one redirect specific source ip’s.

This would help others and make it easier for future searching. Thanks

hollowdew · January 24, 2022, 8:21am

Hello @gsmith ,
thank you
I created a new topic for this: Redirect specific source ip’s
Should I delete my messages in this thread here?

gsmith · January 24, 2022, 10:11pm

You can since you made a new post of the same thing.

ashu99099 · July 26, 2022, 7:19am

Hi @aaronsachs,
In below example, what if we have to a lot of ports. what is the best way to add them in config? I want to avoid adding each port individually.

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a  Syslog input. 
  upstream graylog_syslog {
    server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs01.example.com:1514  max_fails=3 fail_timeout=30s;
    server logs02.example.com:1514 max_fails=3 fail_timeout=30s;
  }

# This is where the load balancing takes place and we tell Nginx to listen on 1514 TCP sysloog
 server {	
    listen 1514 ;
    proxy_pass graylog_syslog;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_syslog_tcp.log;
  }

aaronsachs · July 29, 2022, 5:18pm

So that sort of falls outside out the intent of this example–have you looked at the Nginx docs to see if they have any recommendations? The only other thing I could think of would be to do something like an ansible playbook to generate your config.

Topic		Replies	Views
Best practice - Loadbalancer Graylog Central (peer support)	5	2310	January 21, 2022
NginX load balancer Graylog Central (peer support)	4	2720	April 27, 2017
Using Nginx as reverse proxy and loadbalancer for Graylog Graylog Central (peer support)	11	6212	March 12, 2018
Load balancing nginx with ip private in LAN Graylog Central (peer support)	2	2434	April 3, 2017
Nginx as a load balancer for graylog UI Graylog Central (peer support)	4	1551	September 20, 2018

Nginx Config Examples

Related topics