Nginx Config Examples

For those of you who use Nginx as a reverse proxy or load balancer, you may find these configuration files useful:

Here’s the example main nginx config I use for load balancing tcp/udp connections:

nginx.conf

user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# In order to load balance TCP connections, we need to ensure that we use the "stream"
# module that's in Nginx's open source offering.
stream {

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a Syslog input.

  upstream graylog_syslog {
    server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs01.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs02.example.com:1514 max_fails=3 fail_timeout=30s;
  }

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a GELF input.

  upstream graylog_gelf {
    server logs00.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs01.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs02.example.com:12201 max_fails=3 fail_timeout=30s;
  }

# This stanza defines an upstream where we're load balancing between 3 Graylog nodes running a Beats input.

  upstream graylog_beats {
    server logs00.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs01.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs02.example.com:5044 max_fails=3 fail_timeout=30s;
  }
  
# This is where the load balancing takes place and we tell Nginx to listen on 1514/UDP for UDP syslog

  server {
    listen 1514 udp;
    proxy_pass graylog_syslog;
    proxy_timeout 1s;
    error_log /var/log/nginx/graylog_syslog_udp.log;
  }

# This is where we tell Nginx to listen on 1514/TCP for TCP syslog

  server {
    listen 1514;
    proxy_pass graylog_syslog;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_syslog_tcp.log;
  }

# This is where we tell Nginx to listen on 12201/TCP for TCP GELF

  server {
    listen 12201;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

# This is where we tell Nginx to listen on 12201/UDP for UDP GELF

  server {
    listen 12201 udp;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

# This is where we tell Nginx to listen on 5044/TCP for TCP Beats

  server {
    listen 5044;
    proxy_pass graylog_beats;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_beats.log;
  }

}

Here’s a more specific config that I use for load balancing connections to the UI/API:

logs.example.conf

# Here we define our upstream Graylog nodes (UI/API on port 9000)
upstream graylog {
  server logs00.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs01.example.com:9000 max_fails=3 fail_timeout=30s;
  server logs02.example.com:9000 max_fails=3 fail_timeout=30s;
}

server {
  listen *:80;
  server_name           logs.example.com;

  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/logs.example.com.access.log combined;
  error_log             /var/log/nginx/logs.example.com.error.log;
}

server {
  listen       *:443 ssl;
  server_name  logs.example.com;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1.2;
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ssl-logs.example.com.access.log combined;
  error_log  /var/log/nginx/ssl-logs.example.com.error.log;

  location / {
    # Simple requests
    if ($request_method ~* "(GET|POST)") {
      add_header "Access-Control-Allow-Origin"  *;
    }

    # Preflighted requests
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;
    }
 
    proxy_pass https://graylog;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
  }
}

Cheers!

6 Likes

Also, to get the original source IP address of the log source in Graylog, you can use proxy_bind $remote_addr transparent; in a server {} block.
Otherwise, in some cases Graylog shows the nginx load balancer IP as the source instead of the original source address.

2 Likes

In some network devices you can't define another source port than 514, but you can map it to another port to use separate inputs.
E.g. if you want to listen to port 514 and redirect messages from Host A to port 12212 and messages from Host B to port 12213 you can use the map directive:

map $remote_addr $port {
    # Redirect messages from 192.168.30.10 from port 514 to port 12212
    192.168.30.10 12212;

    # Redirect messages from 192.168.30.55 from port 514 to port 12213
    192.168.30.55 12213;

    # Any other source keeps the original port 514
    default 514;
}

2 Likes
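The two replies above (keeping the sender's address with proxy_bind ... transparent, and routing by source address with map) only show fragments. Here is an added, complete stream block that puts both together; it is not from the thread, and the upstream hostnames (logs00/logs01.example.com), the target ports 12212/12213 and the two sender addresses are taken from the posts above as placeholders, not from any real deployment. Instead of mapping to a bare port number, the map selects an upstream group by name, because a stream proxy_pass with a variable looks the value up among the defined upstream groups before trying a resolver.

```nginx
stream {
    # Pick an upstream group by the sender's address. map matches exact
    # strings only; anything not listed falls through to the default group.
    map $remote_addr $syslog_upstream {
        192.168.30.10  graylog_syslog_hosta;
        192.168.30.55  graylog_syslog_hostb;
        default        graylog_syslog_default;
    }

    # One Graylog syslog input per device class (placeholder hosts/ports).
    upstream graylog_syslog_hosta {
        server logs00.example.com:12212 max_fails=3 fail_timeout=30s;
        server logs01.example.com:12212 max_fails=3 fail_timeout=30s;
    }

    upstream graylog_syslog_hostb {
        server logs00.example.com:12213 max_fails=3 fail_timeout=30s;
        server logs01.example.com:12213 max_fails=3 fail_timeout=30s;
    }

    upstream graylog_syslog_default {
        server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
        server logs01.example.com:1514 max_fails=3 fail_timeout=30s;
    }

    server {
        # Devices that can only send to 514/UDP land here.
        listen 514 udp;

        # Forward the datagram with the device's own address as source, so
        # Graylog records the real sender rather than the load balancer.
        proxy_bind $remote_addr transparent;

        # Variable value is resolved against the upstream groups above.
        proxy_pass $syslog_upstream;
        proxy_timeout 1s;
        error_log /var/log/nginx/graylog_syslog_514_udp.log;
    }
}
```

Check the result with `nginx -t` before reloading. Two caveats for the transparent part: the worker processes need the privilege to bind a foreign source address (root, or on Linux the CAP_NET_RAW capability that nginx 1.13.8+ passes to workers when `transparent` is set), and the kernel routing on the Graylog hosts must send traffic for those device addresses back through the nginx host, otherwise any reply goes straight to the device and bypasses the proxy. If you need to match whole subnets rather than single addresses, use the stream `geo` module instead of `map`.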

Can you please advise me which Nginx content pack to use for Graylog 4.0? I am not using Docker for Nginx.

The "Updated for Graylog 3.0+ NGINX JSON Content Pack" link on the Graylog Marketplace seems to be broken.

Thanks

Hi there, this thread is for Nginx examples. If you need assistance, please start a new post.