Rest listen uri and web listen uri

Graylog Central (peer support)
1

hi, we have different ports in this two parameters ( rest_listen_uri = http://172.16.20.58:9000/api/ , web_listen_uri = http://172.16.20.58:9200/ ) .
so there are two questions:

  1. is it safe for cluster to change on the fly web listen uri to http://172.16.20.58:9000 ? Can there be problems with the cluster?

  2. We have tried to setup SSL connection trough nginx. so on version 2.0.1 this config works

server {
    listen   80;
    listen   443 ssl http2;
    server_name log-sys.example.ru;

    ssl_certificate         /etc/ssl/certs/star_example_ru.chained2.crt;
    ssl_certificate_key     /etc/ssl/private/star_example.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;

    location /api/ {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass  http://172.16.20.41:12900/;
    }

    location / {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Graylog-Server-URL https://log-sys.example.ru/api;
        proxy_pass  http://172.16.20.41:9000;
        if ($ssl_protocol = "") { rewrite ^/(.*) https://$host/$1 permanent;}
    }
}

but on newer version (2.2.3) same config doesn`t work .

server {
    listen   80;
    listen   443 ssl http2;
    server_name log.example.ru;

    ssl_certificate         /etc/ssl/certs/star_example_ru.chained2.crt;
    ssl_certificate_key     /etc/ssl/private/star_example.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;

    location /api/ {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_pass http://172.16.20.58:9000/api;
   }

    location / {
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Graylog-Server-URL https://log.example.ru/api;
         proxy_pass http://172.16.20.58:9200;
        if ($ssl_protocol = "") { rewrite ^/(.*) https://$host/$1 permanent;}
    }
}

Where we have a mistake ? or what we do wrong? thx

2

Yes, that should be safe.

Please refer to http://docs.graylog.org/en/2.2/pages/configuration/web_interface.html#nginx for a working nginx example configuration.

1 Like
3

thx @jochen , i`ve seen this before . Does this mean that we should use a single port in version 2.2.3 instead different ports ?

4

That’s completely up to you, although I’d argue that there is no reason to use multiple ports for the Graylog REST API and the web interface.