REST API browser (graylog 3.1) not accessible behind nginx reverse proxy

Hello! I’m running graylog with docker and have the following setup in docker-compose.yml:

graylog:
    image: graylog/graylog:3.1
    environment:
      GRAYLOG_HTTP_EXTERNAL_URI: https://localhost/graylog/
      GRAYLOG_ELASTICSEARCH_HOSTS: http://elasticsearch:9200/
      GRAYLOG_MONGODB_URI: mongodb://mongo_graylog/graylog

In nginx I have use the following:

    location /graylog/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_set_header X-Graylog-Server-URL https://localhost/graylog/;
            rewrite          ^/graylog/(.*)$  /$1  break;
            proxy_pass       http://$host_graylog;
    }

I have commented out the X-Graylog-Server-URL because it is not required with GRAYLOG_HTTP_EXTERNAL_URI.

The result is that /graylog itself is accessible and works as expected.

However, the api browser at /graylog/api/api-browser is not working properly.

I get a html login screen but all other assets and REST calls are being routed to the wrong destination it seems:

[chrome browser error] Mixed Content: The page at ‘https://localhost/graylog/api/api-browser’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://172.22.0.8:9000/api/api-browser/css/fonts.css’. This request has been blocked; the content must be served over HTTPS.

How can I access the API browser? Thanks!

he @Wilco

what are your http_* settings over all? If you read the configuration/documentation on the http_* settings carefully you will notice that just using http_external_uri is not enough …

I’ve looked at the documentation and have now set:

graylog:
  image: graylog/graylog:3.1
  environment:
    GRAYLOG_HTTP_BIND_ADRESS: graylog:9000
    GRAYLOG_HTTP_PUBLISH_URI: http://graylog:9000/
    GRAYLOG_HTTP_EXTERNAL_URI: https://localhost/graylog/
    GRAYLOG_ELASTICSEARCH_HOSTS: http://elasticsearch:9200/
    GRAYLOG_MONGODB_URI: mongodb://mongo_graylog/graylog

still the REST API browser is not accessible:

[chrome console log] Mixed Content: The page at ‘https://localhost/graylog/api/api-browser’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://graylog:9000/api/api-browser/css/fonts.css’. This request has been blocked; the content must be served over HTTPS.

GRAYLOG_HTTP_BIND_ADRESS is set to graylog:9000 since this is the service name in docker-compose.yml. This would not work from outside docker though but that is what GRAYLOG_HTTP_EXTERNAL_URI is for right?

I have the feeling that GRAYLOG_HTTP_EXTERNAL_URI is not used in constructing the assets for the REST api browser. I cannot set GRAYLOG_HTTP_PUBLISH_URI to https://localhost/graylog because this is not accessible from within the docker container.

Thanks!

HTTP_EXTERNAL

should be the URL where your BROWSER can reach the Graylog server API - so localhost will only work for a container that is running on your local machine and only for your browser.

If you want to have that reachable for any person outside your local computer that should be the nginx that you use in front of Graylog.

Thanks Jan for your reply.

  • Yes indeed localhost would only work for my local machine, but we have a separate docker-compose.yml file for production environment with a different HTTP_EXTERNAL_URI.
  • Even with setting an externally reachable HTTP_EXTERNAL_URI in production the browser error still is the same, it tries to resolve the api-browser assets with an internal uri (I think HTTP_PUBLISH_URI).

Can you try to reproduce this locally with running graylog in a docker container?

Thanks a lot!

which button did you pressed? the global api browser or the node api browser?

The first use the http_external_uri the second one the per node http_publish_uri

I was visiting /api/api-browser but that is not the correct url it seems.

I clicked the global api browser in system/nodes and it redirects me to:
https://localhost/graylog/api/graylog/api-browser/global/index.html which gives me a 404 not found

I then manually edit the url to https://localhost/graylog/api/api-browser/global/index.html which does load the api browser visually but it does not function.

Closer inspection shows that the console has ~69 errors all like this:

shred.bundle.js:2608 GET https://localhost/graylog/api/api-docs/global/streams/{streamid}/alerts/{alertId}/history 500 (Internal Server Error)

The HTTP response is:

java.net.URISyntaxException: Illegal character in path at index 48: http://localhost:80/api/api-docs/global/streams/{streamid}/alerts/{alertId}/history

thanks!

he @Wilco

you should reach the api-browser via /graylog/api/api-browser as you placed Graylog in a sub directory.

But currently this is known to be a little buggy and it will (hopefully) improved in the next versions.

That is what I did as mentioned in the initial post

he @Wilco

sorry - I learned yesterday something new. Behind a proxy you should use (since 3.1.3)

/api/api-browser/global/index.html

attached to your URL to access the API Browser. Can you check if that is working for you?

Are you reading my posts? that’s what I did here

sorry @Wilco

not every time the complete thread … I have currently no idea what is wrong in your setup.

BUT I can confirm that this setup is (normally) working as I have NGINX as reverse proxy myself …

Do you have it working on a subdirectory e.g. http://<host>/graylog? or are you on the root?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.