Problem with use of TLS and Haproxy

(Pirona) #1

Hello (again - posting a lot these days),

I’m not sure about the 3.0 docs regarding haproxy.
What I’m trying to do:
1/ set up a first configuration to use graylog in http through haproxy and test it
2/ use my cert and key generated by my own CA in haproxy

In the docs I can read:

frontend http
    bind 0.0.0.0:80

    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str graylog.example.org
    use_backend graylog if is_graylog

backend graylog
    description The Graylog Web backend.
    http-request set-header X-Graylog-Server-URL http://graylog.example.org/
    use-server graylog_1
    server graylog_1 127.0.0.1:9000 maxconn 20 check

I can’t get it to work: apparently, you cannot use use-server without any condition. It’s mentioned in the haproxy docs, and that is what syslog says to me.

https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-use-server

It’s a bit tricky to use graylog as its own CA, so I’d like to use haproxy. And also, I have my own certification authority and therefore would like to use it.

Am I doing this right?


(Pirona) #2

Ok, answer to myself: I managed to make it work but I’m stuck with the error in haproxy: I had to comment out the use-server line.

Making https work … another story


(Pirona) #3

I got the following error:
[image: error screenshot]

with the following configurations:

haproxy:

frontend http
    bind :80

    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str DNS_RECORD
    use_backend graylog if is_graylog

frontend https
    #bind :443 ssl crt /usr/share/ca-certificates/extra/ucs-root-ca.crt
    bind :443 ssl crt /etc/graylog/server/cert.pem

    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str DNS_RECORD
    use_backend graylog if is_graylog

backend graylog
    description graylog web backend.
    http-request set-header X-Graylog-Server-URL http://DNS_RECORD/
    server graylog_1 172.17.0.2:9000 maxconn 20 check

server.conf:

http_bind_address = 172.17.0.2:9000


(Pirona) #4

Got it to work with: http-request set-header X-Graylog-Server-URL https://DNS_RECORD/
(added an s…) (shame)

Still, I have no idea how I’m going to cipher the traffic between sources and graylog.
As soon as I use http_publish_uri = https://mydomain.fr/, everything’s broken, inputs not working, etc.

2019-04-10T15:26:18.129+02:00 WARN [ProxiedResource] Unable to call https://mydomain.fr/api/system/inputstates on node
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


(Pirona) #5

I’ll keep writing in this diary until the end (:slight_smile:).
I did read the docs but I don’t catch everything (who said anything)

Here is where I am:
I have a working connection in https from client browser to interface with: https://graylog.mydnsrecord.tld
As soon as I add /api/, I fall back to http.

I also have a working https connection between the sidecar and https://graylog.mydnsrecord.tld
But all my inputs are unciphered for now.

What I know I have to do:

get my source server to recognize my root CA (which I forgot to do), then I’ll be able to set the skip_tls variable to false
EDIT: even by making my server acknowledge my root CA, I get

time=“2019-04-11T15:14:45+02:00” level=error msg="[UpdateRegistration] Failed to report collector status to server: Put https://graylog.srv.int.artis.fr/sidecars/1d35c448-0a26-4ae1-beb6-00e36469c237: x509: certificate signed by unknown authority"

What I don’t get: why the fall back to http with the /api/ and if it is bad.
What I don’t know, or how it even works: get the input to use TLS.
What I want: security at all stages.

Seeking enlightenment,
Regards :slight_smile:


(Pirona) #6

Hello again,

I managed to keep the https even with the api extension. In a browser I keep falling back to http, but in the sidecar configuration, I can use https://graylogdnsrecord.tld/api/ and I’m sure (by monitoring haproxy logs) that no http is used but https.
That is, among others, because I finally got how to use the following:
http_bind_address : 0.0.0.0:9000
http_external_uri : https://graylogdnsrecord.tld/api/
http_publish_uri : https://graylogdnsrecord.tld/

Here is btw my haproxy conf file:

frontend http
    bind :80

    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str graylogdnsrecord.tld
    use_backend graylog if is_graylog

frontend https
    bind :443 ssl crt /etc/graylog/server/cert.crt

    option forwardfor
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    acl is_graylog hdr_dom(host) -i -m str graylogdnsrecord.tld
    use_backend graylog if is_graylog

backend graylog
    description graylog web backend.
    http-request set-header X-Graylog-Server-URL https://graylogdnsrecord.tld/
    server graylog_1 0.0.0.0:9000 maxconn 20 check

So this is good news!

Still, I don’t understand how to use tls with my inputs. I have 6 of them, each on a specific port and I use nxlog to send logs. I know I have to use TLS in nxlog configuration, but I don’t know what cert file I should use.

Also, do I have to use the security settings in server.conf?
Can I use my root CA in that case?
Can I use only haproxy and map my inputs directly in its configuration?
What cert file should I enter in the inputs configuration?

Is it a problem to use my root CA for the interface and the API and to use self-signed (following your process in the docs) for the inputs?


(Jan Doberstein) #7

I just want to add:

http_external_uri : https://graylogdnsrecord.tld/api/

(from the docs)
The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.

http_publish_uri : https://graylogdnsrecord.tld/

(from the docs)
The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all clients using the Graylog web interface.

No need to add API here at any point.


For the Inputs - it is up to you. If you want to have a single cert for all of them - or if you want to use the same cert as you have for web. So I can’t answer all your questions at once.


(Pirona) #8

Thanks for sharing. Nonetheless, I got a 503 if I don’t add api/ at the end of http_external_uri.
I’m not an expert so something is probably wrong. :smiley:

I did read the docs, but, not being an expert, I did not get everything in one reading :smiley:

Regarding the inputs, can I use the same pair I’m using with my haproxy if I’m able to convert them to the right format? I’m sorry, that part is not clear to me.

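The chain check behind the "PKIX path building failed" and "certificate signed by unknown authority" errors in posts #4 and #5, the single PEM that haproxy's "bind ... ssl crt" expects, and the key conversion asked about for the inputs in post #8, as an added shell example that is not from this thread. It assumes only openssl is installed; the hostname, paths and lifetimes are constructed for the demo, and the PKCS#8 requirement for input keys is taken from the Graylog docs as an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA and a server cert with openssl,
# assemble the single PEM that haproxy's "bind ... ssl crt FILE" expects, verify the chain
# (the check the sidecar and the Graylog JVM fail above when the CA is unknown to them),
# and convert the key to unencrypted PKCS#8 for Graylog input TLS settings (assumed).
# Assumes only openssl. Hostname, paths and lifetimes are constructed for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
HOST=graylog.example.org   # constructed; stands in for the poster's DNS_RECORD

# Private CA plus a server certificate issued by it, with a matching SAN.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -days 30 -sha256 -in "$WORK/server.csr" -extfile "$WORK/san.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  # haproxy wants leaf cert, private key and chain in one PEM file, in that order.
  cat "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt" > "$WORK/haproxy.pem"
}

# Exit 0 when the server cert chains to the CA file given as $1. This is what the
# sidecar and the JVM do against their own trust store, so a foreign CA must fail.
chain_ok() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Number of PEM blocks in the bundle; 3 means cert + key + CA are all present.
bundle_blocks() {
  grep -c -- '-----BEGIN' "$WORK/haproxy.pem"
}

# Graylog input TLS settings take an unencrypted PKCS#8 key (assumed from the docs);
# prints the first line of the converted file so the format can be checked.
pkcs8_key_header() {
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/server.key" -out "$WORK/server.pk8"
  head -n 1 "$WORK/server.pk8"
}
```

Point the sidecar and the Graylog JVM at the same ca.crt that makes chain_ok succeed; a trust store without it reproduces the two errors quoted above.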