Nginx Config Examples

For those of you who use Nginx as a reverse proxy or load balancer, you may find these configuration files useful:

Here’s the main nginx.conf I use for load balancing TCP/UDP connections (the `stream` block does the actual balancing):

nginx.conf

# Worker processes drop to the unprivileged "nginx" user; only the master keeps
# root, which it needs to bind the privileged ports used below (80, 443, 514).
user nginx;
worker_processes 4;

# "warn" keeps the main error log quiet; the stream servers write their own logs.
error_log /var/log/nginx/error.log warn;
pid       /var/run/nginx.pid;

events {
    # Max simultaneous connections per worker, including the connections nginx
    # opens to the proxied servers.
    worker_connections 1024;
}


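http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Don't advertise the exact nginx version in the Server header and on
    # nginx-generated error pages.
    server_tokens off;

    # $http_x_forwarded_for is whatever the client sent; it is logged as a hint,
    # not as a trustworthy client address.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    # gzip stays off: compressing TLS responses that contain secrets exposes them
    # to compression-ratio attacks (BREACH); enable only for static content.
    #gzip  on;

    # Per-site servers (e.g. logs.example.conf below) live in conf.d.
    include /etc/nginx/conf.d/*.conf;
}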

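# Load balancing raw TCP/UDP needs the "stream" module. It is part of open-source
# nginx, but it must be compiled in (--with-stream) or loaded with load_module;
# otherwise "nginx -t" fails with an unknown directive "stream". Nothing in this
# block terminates TLS: bytes are passed through unchanged, so any TLS between
# log shippers and the inputs is end-to-end to the Graylog nodes.
stream {

  # Three Graylog nodes each running a Syslog input on 1514. The same upstream
  # serves both the TCP and the UDP listener below. A node is skipped for 30s
  # after 3 consecutive failed attempts.
  upstream graylog_syslog {
    server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs01.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs02.example.com:1514 max_fails=3 fail_timeout=30s;
  }

  # Three Graylog nodes each running a GELF input on 12201 (TCP and UDP).
  upstream graylog_gelf {
    server logs00.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs01.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs02.example.com:12201 max_fails=3 fail_timeout=30s;
  }

  # Three Graylog nodes each running a Beats input on 5044 (TCP only).
  upstream graylog_beats {
    server logs00.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs01.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs02.example.com:5044 max_fails=3 fail_timeout=30s;
  }

  # Syslog over UDP: listen on 1514/udp and forward to the syslog upstream.
  # Syslog over UDP is one-way, so proxy_responses 0 tells nginx not to wait for
  # reply datagrams; without it every datagram keeps a session open until
  # proxy_timeout expires, which at high message rates burns worker_connections.
  # Graylog will record this balancer's address as the message source. To keep
  # the original client IP add "proxy_bind $remote_addr transparent;" — that
  # needs workers running as root or with CAP_NET_RAW and, normally, kernel
  # routing rules so the nodes' traffic back to the clients passes through here.
  server {
    listen 1514 udp;
    proxy_pass graylog_syslog;
    proxy_responses 0;
    proxy_timeout 1s;
    error_log /var/log/nginx/graylog_syslog_udp.log;
  }

  # Syslog over TCP: listen on 1514/tcp and forward to the same upstream.
  # proxy_timeout is an idle timeout between successive reads/writes: a sender
  # that stays quiet for more than 10s is disconnected and has to reconnect.
  server {
    listen 1514;
    proxy_pass graylog_syslog;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_syslog_tcp.log;
  }

  # GELF over TCP: listen on 12201/tcp.
  server {
    listen 12201;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

  # GELF over UDP: listen on 12201/udp. GELF over UDP is one-way as well, so do
  # not wait for replies (see the syslog UDP server above).
  server {
    listen 12201 udp;
    proxy_pass graylog_gelf;
    proxy_responses 0;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

  # Beats over TCP: listen on 5044/tcp.
  server {
    listen 5044;
    proxy_pass graylog_beats;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_beats.log;
  }

}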

Here’s a more specific config that I use for load balancing connections to the UI/API:

logs.example.conf
# The Graylog web/API nodes (port 9000). A node is taken out of rotation for
# 30s after 3 consecutive failed attempts.
upstream graylog {
  server logs00.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs01.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs02.example.com:9000 max_fails=3 fail_timeout=30s;
}

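# Plain HTTP: redirect everything to HTTPS. The target uses $server_name rather
# than $host: $host is taken from the request's Host header, so if this is the
# server that answers unmatched names on :80 a forged Host header would turn
# the redirect into an open redirect to an attacker-chosen site.
server {
  listen *:80;
  server_name           logs.example.com;

  access_log            /var/log/nginx/logs.example.com.access.log combined;
  error_log             /var/log/nginx/logs.example.com.error.log;

  return 301            https://$server_name$request_uri;
}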

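# HTTPS front end for the Graylog UI/API.
server {
  listen       *:443 ssl;
  server_name  logs.example.com;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  # TLS 1.2 only; add TLSv1.3 here once nginx is built against OpenSSL 1.1.1+.
  ssl_protocols             TLSv1.2;
  # Forward-secret suites only. The earlier list also offered static-RSA suites
  # (AES*-SHA*, no forward secrecy) and 3DES (DES-CBC3-SHA: 64-bit block size,
  # SWEET32). Every TLS 1.2 client supports ECDHE with AES-GCM, so dropping them
  # does not lock anyone out.
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!DSS;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ssl-logs.example.com.access.log combined;
  error_log  /var/log/nginx/ssl-logs.example.com.error.log;

  location / {
    # CORS. A wildcard origin lets any site read these responses; browsers will
    # not attach cookies to a "*" origin, but if cross-origin API access is not
    # actually needed, restrict this to the origins that need it.
    # NOTE: add_header inside "if" replaces, rather than extends, add_header
    # directives from the server level, so a server-wide header such as
    # Strict-Transport-Security would have to be repeated in these branches.
    # Simple requests — anchored so only GET and POST match, not any method
    # whose name merely contains those letters.
    if ($request_method ~* "^(GET|POST)$") {
      add_header "Access-Control-Allow-Origin"  *;
    }

    # Preflight requests are answered here and never reach Graylog.
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;
    }

    proxy_pass https://graylog;
    # nginx does not verify the upstream's certificate unless told to. If the
    # nodes present a certificate signed by a CA you control, enable:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <path to that CA bundle>;
    #   proxy_ssl_name <name on the nodes' certificate>;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Let the backend know the client connection was TLS-terminated here.
    proxy_set_header X-Forwarded-Proto $scheme;
    # The externally visible URL, consumed by Graylog when it runs behind a proxy.
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
  }
}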

Cheers!


To have Graylog record the original source IP of the log source instead of the load balancer's IP, add `proxy_bind $remote_addr transparent;` to the relevant server {} block. Note that transparent binding requires the nginx worker processes to run with superuser privileges or the CAP_NET_RAW capability, and usually needs kernel routing rules so the Graylog nodes' return traffic passes back through the nginx host.
Otherwise, in some cases Graylog shows the nginx load balancer's IP as the source instead of the original source address.


Some network devices cannot send syslog to a port other than 514, but you can still map their traffic to other ports so it lands on separate inputs.
For example, to listen on port 514 and send messages from host A to port 12212 and messages from host B to port 12213, use the map directive:

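# Map a log source's IP to the destination port its messages should go to.
# This map only defines $port; a stream server listening on 514 still has to
# use it, e.g. "proxy_pass <graylog host>:$port;" (variables in proxy_pass need
# nginx 1.11.3+). The source address of a UDP datagram is spoofable, so treat
# this as routing convenience, not as access control.
map $remote_addr $port {
    # messages from 192.168.30.10 go to the input on 12212
    192.168.30.10 12212;

    # messages from 192.168.30.55 go to the input on 12213
    192.168.30.55 12213;

    # any other source keeps the original destination port 514
    default 514;
}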


Another approach is to redirect specific source IPs arriving on a fixed port to other ports.
If the source IP is not listed in the following map, traffic is routed to the default graylog514 backend.
Example for UDP:

# Per-source routing for UDP syslog on 514: $newbackend names the upstream that
# packets from each source address are forwarded to. Two caveats:
#  - every name this map can yield must exist as an upstream {} (only graylog514
#    and graylog_port_51461 are defined below); with a variable in proxy_pass,
#    nginx resolves an unknown name via DNS at run time, so a missing upstream
#    is not caught by "nginx -t".
#  - the source address of a UDP datagram is spoofable, so this is routing
#    convenience, not access control.
map $remote_addr $newbackend {
    # packets from 192.168.17.14 arriving on 514 go to the 51461 backend
    192.168.17.14 graylog_port_51461;

    192.168.18.11 graylog_port_51462;

    192.168.3.13 graylog_port_51463;

    192.168.1.15 graylog_port_51422;

    192.168.1.140 graylog_port_51430;

    # everything else goes to the plain 514 inputs
    default graylog514;
}
# UDP listener on 514; $newbackend (from the map above) selects the upstream per
# source address. proxy_responses 0 because syslog over UDP never replies.
# "transparent" makes nginx send to the backend with the client's own source IP
# so Graylog sees the real sender; it requires workers running as root or with
# CAP_NET_RAW and, normally, kernel routing rules for the return path.
server {
    listen 514 udp;
    proxy_responses 0;
    proxy_bind $remote_addr transparent;
    proxy_pass $newbackend;
}
# Default backend: the plain 514 inputs on both nodes.
upstream graylog514 {
    server graylog1.example.com:514;
    server graylog2.example.com:514;
}

# Backend for the dedicated 51461 inputs (one of the targets named in the map).
upstream graylog_port_51461 {
    server graylog1.example.com:51461;
    server graylog2.example.com:51461;
}

# TCP listener for 51461. Replies travel back over nginx's own connection, so
# no transparent binding is used here.
server {
    listen 51461;
    proxy_pass graylog_port_51461;
}

# UDP listener for 51461: one-way traffic (no replies awaited) forwarded with
# the client's source address preserved; same privilege/routing requirements
# as the 514 listener above.
server {
    listen 51461 udp;
    proxy_responses 0;
    proxy_bind $remote_addr transparent;
    proxy_pass graylog_port_51461;
}

@hollowdew

Hey, this is some awesome stuff and it works great. I tried what you posted a couple of times, but I was wondering if you could start your own post(s) under
Nginx Config Examples — for example, one called "redirect specific source IPs".

This would help others and make it easier for future searching. Thanks :smiley: