Nginx Reverse Proxy +HTTPS with Graylog 3.0 on subdirectory (e.g., server.com/graylog)

(Logan M) #1

I have Graylog setup and running and can access it on the server’s IP (e.g., 10.10.2.29:9000).

I’d rather not install Nginx on the Graylog server, since I have a separate server that is running Nginx with Let’s Encrypt and a reverse proxy. I can successfully access other services with this reverse proxy.

I would like to setup Graylog to run on a subdirectory (e.g., https://nginx02.internal.server.com/graylog). I’ve seen these examples, but I don’t know what to set in the Graylog server.conf file to make this work.

My applicable server.conf settings (I can post the entire config if needed).
http_bind_address = 10.10.2.29:9000

My Nginx config. Do I have the correct settings here?

server {
  listen 443 ssl http2;
  server_name internal.server.com;

  #SSL/TLS settings
  include /etc/nginx/sites-available/_ssl.conf;
  ssl_certificate /etc/letsencrypt/live/internal.server.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/internal.server.com/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/nginx02/dhparam4096.pem;

  root /var/www/dashboard;
  autoindex off;
  index index.php index.html;

  location /graylog/ {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/;
      rewrite          ^/graylog/(.*)$  /$1  break;
      proxy_pass       http://10.10.2.29:9000;
  }

}
1 Like

#3

I’m having exactly the same problem.

0 Likes

#4

Same issue here. Does anyone know how to solve this?

0 Likes

(Jan Doberstein) #5

this is a documentation issue - what will be hopefully fixed in the next week.

0 Likes

(Logan M) #6

@jan, was this updated yet?

I have the reverse proxy working, to a small degree. This Nginx config will load Graylog, and I can login via https://log.internal.mydomain.com.

server {
  listen 443 ssl http2;
  server_name log.internal.mydomain.com;

  #SSL/TLS settings
  ssl_certificate /etc/letsencrypt/live/internal.mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/internal.mydomain.com/privkey.pem;

  location / {
    proxy_pass         http://10.10.2.29:9000/;
    proxy_set_header   Host                  $host;
    proxy_set_header   X-Real-IP             $remote_addr;
    proxy_set_header   X-Forwarded-For       $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host      $host;
    proxy_set_header   X-Forwarded-Server    $host;
    proxy_set_header   X-Graylog-Server-URL  https://$server_name/;
  }
}

However, I cannot change anything, like re-arrange dashboards. This is the error I receive.
error

I can still login to Graylog without HTTPS (on http://10.10.2.29:9000) and make edits as needed.

The applicable settings from my server.conf file are as follows:

http_bind_address = 0.0.0.0:9000
trusted_proxies = 10.10.2.1/32
0 Likes

(Jan Doberstein) #7

nope - not yet updated.

0 Likes

#8

FWIW, I have some issues proxying this way with apache as well. Everything works fine except for everything under the ‘‘System’’ menu. Everything there adds an extra ‘’/graylog/’’ to the path in the returned html. See https://github.com/Graylog2/graylog2-server/issues/5610#issue-403893017

Here is the relevant part of my apache config:

<Location /graylog>
    RequestHeader set X-Graylog-Server-URL "https://$public/graylog/"
    ProxyPass http://$private:9000
    ProxyPassReverse http://$private:9000
</Location>

I could possibly address this with a rewrite, but I’d rather not if there is something going on with the code that generates the system menu.

0 Likes

(Jan Doberstein) #9

I have created an issue for that:

0 Likes

(system) closed #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

0 Likes