Using Nginx as reverse proxy and loadbalancer for Graylog


(Charles Deng) #1

I have some questions on using Nginx as a reverse proxy and load balancer:

I want to put the Graylog cluster in internal IP networks, and put Nginx instances between the external and internal networks as a reverse proxy and load balancer for log collectors and management from external networks, but I don't want the communication among the Graylog cluster nodes to go through Nginx. My questions are:

  1. With these deployment requirements, should we leave rest_transport_uri and web_endpoint_uri untouched in the configuration?

  2. If the above is true, are there any options related to this that have to be set in the configuration?

I have tried to set up a network as follows:

manager (Browser, 192.168.3.2) — external network (192.168.3.0/24) — (lbe.mylogs.com/192.168.3.3 nginx lbi.mylogs.com/10.10.10.41) — internal network (10.10.10.0/24) — (graylog cluster: gl*.mylogs.com/10.10.10.3*)

and there is no IP route available between 192.168.3.0/24 (external) and 10.10.10.0/24 (internal).

When I use the following nginx configuration for the reverse HTTP proxy:

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    upstream glc.mylogs.com {
        server gl1.mylogs.com:9000;
        server gl2.mylogs.com:9000;
        server gl3.mylogs.com:9000;
    }

    server {
        listen 80;
        server_name lbe.mylogs.com;
        return 302 https://$server_name$request_uri;
    }

    server {
        listen                          443 ssl;
        server_name                     lbe.mylogs.com;
        ssl                             on;
        ssl_protocols                   TLSv1.2;
        ssl_prefer_server_ciphers       on;
        ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve                  secp384r1;
        ssl_session_cache               shared:SSL:10m;
        ssl_session_timeout             10m;
        ssl_session_tickets             off;
#       ssl_stapling                    on;
#       ssl_stapling_verify             on;
#       resolver                        192.168.3.2 valid=300s ipv6=off;
#       resolver_timeout                5s;
        add_header                      Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header                      X-Frame-Options DENY;
        add_header                      X-Content-Type-Options nosniff;

        ssl_certificate                 /etc/nginx/certs/lbe-node-cert.pem;
        ssl_certificate_key             /etc/nginx/certs/lbe-node-key.pem;
        ssl_trusted_certificate         /etc/nginx/certs/ca-cert.pem;
        ssl_dhparam                     /etc/nginx/certs/dhparam.pem;

#       include                         /etc/nginx/default.d/*.conf;

        location / {
            proxy_bind                     10.10.10.41;
            proxy_pass                     https://glc.mylogs.com;
            proxy_ssl_certificate          /etc/nginx/certs/lbe-node-cert.pem;
            proxy_ssl_certificate_key      /etc/nginx/certs/lbe-node-key.pem;
            proxy_ssl_trusted_certificate  /etc/nginx/certs/ca-cert.pem;
            proxy_ssl_protocols            TLSv1.2;
            proxy_ssl_ciphers              "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
            proxy_ssl_verify               on;
            proxy_ssl_verify_depth         2;
            proxy_ssl_session_reuse        on;
            proxy_set_header               Host $http_host;
            proxy_set_header               X-Forwarded-Host $host;
            proxy_set_header               X-Forwarded-Server $host;
            proxy_set_header               X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header               X-Graylog-Server-URL https://$server_name/api;
        }
    }
}

When accessing the web interface from the external network via https://lbe.mylogs.com, I got the following error report in nginx's error_log:

2018/02/19 14:55:12 [debug] 1405#0: *1 http proxy header:
"GET / HTTP/1.0
Host: lbe.mylogs.com
X-Forwarded-Host: lbe.mylogs.com
X-Forwarded-Server: lbe.mylogs.com
X-Forwarded-For: 192.168.3.2
X-Graylog-Server-URL: https://lbe.mylogs.com/api
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1

"
...
2018/02/19 14:55:12 [debug] 1405#0: *1 X509_check_host(): no match
2018/02/19 14:55:12 [error] 1405#0: *1 upstream SSL certificate does not match "glc.mylogs.com" while SSL handshaking to upstream, client: 192.168.3.2, server: lbe.mylogs.com, request: "GET / HTTP/1.1", upstream: "https://10.10.10.31:9000/", host: "lbe.mylogs.com"
2018/02/19 14:55:12 [debug] 1405#0: *1 http next upstream, 2
2018/02/19 14:55:12 [debug] 1405#0: *1 free rr peer 3 4
2018/02/19 14:55:12 [warn] 1405#0: *1 upstream server temporarily disabled while SSL handshaking to upstream, client: 192.168.3.2, server: lbe.mylogs.com, request: "GET / HTTP/1.1", upstream: "https://10.10.10.31:9000/", host: "lbe.mylogs.com"
2018/02/19 14:55:12 [debug] 1405#0: *1 free rr peer failed: 000055D8D12C7C08 0
2018/02/19 14:55:12 [debug] 1405#0: *1 close http upstream connection: 13
2018/02/19 14:55:12 [debug] 1405#0: *1 SSL_shutdown: 1
...
2018/02/19 14:55:12 [debug] 1405#0: *1 HTTP/1.1 502 Bad Gateway
Server: nginx/1.12.2
Date: Mon, 19 Feb 2018 06:55:12 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive

Does this mean that I have to put the upstream server name (i.e. glc.mylogs.com) as a SAN in the cert of each Graylog server (i.e. gl1.mylogs.com, gl2.mylogs.com and gl3.mylogs.com in my trial)?

Thanks.
–charles


(Jochen) #2

Please post the complete configuration of your Graylog nodes.


(Charles Deng) #3

Indeed, after recreating the keys and certificates for the Graylog servers and adding a SAN with DNS:glc.mylogs.com to the certificates, the nginx HTTP reverse proxy works.

Anyway, my gl1's configuration is as follows (note that I have replaced sensitive passwords):

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = --somesecretcodehere--
root_username = admin
root_password_sha2 = --sha2digestforadminpasswordhere--
root_email = "cdeng@live.cn"
root_timezone = Asia/Shanghai
plugin_dir = /usr/share/graylog-server/plugin

rest_listen_uri = https://gl1.mylogs.com:9000/api/
rest_transport_uri = https://gl1.mylogs.com:9000/api/
rest_enable_cors = true
rest_enable_gzip = true
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/rest-cert.pem
rest_tls_key_file = /etc/graylog/server/rest-key.pem
#rest_tls_key_password = ********
rest_max_header_size = 8192
rest_thread_pool_size = 16
trusted_proxies = 192.168.1.0/24,10.10.10.0/24

web_enable = true
web_listen_uri = https://gl1.mylogs.com:9000/
web_endpoint_uri = https://gl1.mylogs.com:9000/api/
web_enable_cors = true
web_enable_gzip = true
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/web-cert.pem
web_tls_key_file = /etc/graylog/server/web-key.pem
#web_tls_key_password = ********
web_max_header_size = 8192
web_max_initial_line_length = 4096
web_thread_pool_size = 16

elasticsearch_hosts = https://graylog:passwordhere@es1.mylogs.com:9200,\
                      https://graylog:passwordhere@es2.mylogs.com:9200,\
                      https://graylog:passwordhere@es3.mylogs.com:9200
elasticsearch_connect_timeout = 10s
elasticsearch_socket_timeout = 60s
#elasticsearch_idle_timeout = -1s
elasticsearch_max_total_connections = 20
elasticsearch_max_total_connections_per_route = 2
elasticsearch_max_retries = 2
elasticsearch_discovery_enabled = false
#elasticsearch_discovery_filter = rack:42
elasticsearch_discovery_frequency = 30s
elasticsearch_compression_enabled = false

rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_size_per_index = 1073741824
elasticsearch_max_time_per_index = 1d
elasticsearch_disable_version_check = false
no_retention = false
elasticsearch_max_number_of_indices = 30
retention_strategy = close
elasticsearch_shards = 3
elasticsearch_replicas = 2
elasticsearch_index_prefix = graylog
elasticsearch_template_name = graylog-internal
allow_leading_wildcard_searches = false
allow_highlighting = true
elasticsearch_analyzer = standard
elasticsearch_request_timeout = 1m
disable_index_optimization = false
index_optimization_max_num_segments = 1
elasticsearch_index_optimization_timeout = 1h
elasticsearch_index_optimization_jobs = 20
index_ranges_cleanup_interval = 1h
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
outputbuffer_processor_keep_alive_time = 5000
outputbuffer_processor_threads_core_pool_size = 3
outputbuffer_processor_threads_max_pool_size = 30
udp_recvbuffer_sizes = 1048576
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 12h
message_journal_max_size = 5gb
message_journal_flush_age = 1m
message_journal_flush_interval = 1000000
message_journal_segment_age = 1h
message_journal_segment_size = 100mb
async_eventbus_processors = 2
lb_recognition_period_seconds = 3
lb_throttle_threshold_percentage = 95
stream_processing_timeout = 2000
stream_processing_max_faults = 3
alert_check_interval = 60
output_module_timeout = 10000
stale_master_timeout = 2000
shutdown_timeout = 30000

mongodb_uri = mongodb://admin:passwordhere@mg1.mylogs.com,mg2.mylogs.com,mg3.mylogs.com/graylog?replicaSet=rs01&ssl=true
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5

#rules_file = /etc/graylog/server/rules.drl

#transport_email_enabled = false
#transport_email_hostname = mail.mylogs.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_username = graylog@mylogs.com
#transport_email_auth_password = ********
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = graylog@mylogs.com
#transport_email_web_interface_url = https://gl1.mylogs.com:9000/

http_connect_timeout = 5s
http_read_timeout = 10s
http_write_timeout = 10s
#http_proxy_uri =

gc_warning_threshold = 1s
ldap_connection_timeout = 2000
disable_sigar = false
dashboard_widget_default_cache_time = 10s
content_packs_loader_enabled = true
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

gl2’s configuration:

is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = --somesecretcodehere--
root_username = admin
root_password_sha2 = --sha2digestforadminpasswordhere--
root_email = "cdeng@live.cn"
root_timezone = Asia/Shanghai
plugin_dir = /usr/share/graylog-server/plugin

rest_listen_uri = https://gl2.mylogs.com:9000/api/
rest_transport_uri = https://gl2.mylogs.com:9000/api/
rest_enable_cors = true
rest_enable_gzip = true
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/rest-cert.pem
rest_tls_key_file = /etc/graylog/server/rest-key.pem
#rest_tls_key_password = ********
rest_max_header_size = 8192
rest_thread_pool_size = 16
trusted_proxies = 192.168.1.0/24,10.10.10.0/24

web_enable = true
web_listen_uri = https://gl2.mylogs.com:9000/
web_endpoint_uri = https://gl2.mylogs.com:9000/api/
web_enable_cors = true
web_enable_gzip = true
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/web-cert.pem
web_tls_key_file = /etc/graylog/server/web-key.pem
#web_tls_key_password = ********
web_max_header_size = 8192
web_max_initial_line_length = 4096
web_thread_pool_size = 16

elasticsearch_hosts = https://graylog:passwordhere@es1.mylogs.com:9200,\
                      https://graylog:passwordhere@es2.mylogs.com:9200,\
                      https://graylog:passwordhere@es3.mylogs.com:9200
elasticsearch_connect_timeout = 10s
elasticsearch_socket_timeout = 60s
#elasticsearch_idle_timeout = -1s
elasticsearch_max_total_connections = 20
elasticsearch_max_total_connections_per_route = 2
elasticsearch_max_retries = 2
elasticsearch_discovery_enabled = false
#elasticsearch_discovery_filter = rack:42
elasticsearch_discovery_frequency = 30s
elasticsearch_compression_enabled = false

rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_size_per_index = 1073741824
elasticsearch_max_time_per_index = 1d
elasticsearch_disable_version_check = false
no_retention = false
elasticsearch_max_number_of_indices = 30
retention_strategy = close
elasticsearch_shards = 3
elasticsearch_replicas = 2
elasticsearch_index_prefix = graylog
elasticsearch_template_name = graylog-internal
allow_leading_wildcard_searches = false
allow_highlighting = true
elasticsearch_analyzer = standard
elasticsearch_request_timeout = 1m
disable_index_optimization = false
index_optimization_max_num_segments = 1
elasticsearch_index_optimization_timeout = 1h
elasticsearch_index_optimization_jobs = 20
index_ranges_cleanup_interval = 1h
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
outputbuffer_processor_keep_alive_time = 5000
outputbuffer_processor_threads_core_pool_size = 3
outputbuffer_processor_threads_max_pool_size = 30
udp_recvbuffer_sizes = 1048576
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 12h
message_journal_max_size = 5gb
message_journal_flush_age = 1m
message_journal_flush_interval = 1000000
message_journal_segment_age = 1h
message_journal_segment_size = 100mb
async_eventbus_processors = 2
lb_recognition_period_seconds = 3
lb_throttle_threshold_percentage = 95
stream_processing_timeout = 2000
stream_processing_max_faults = 3
alert_check_interval = 60
output_module_timeout = 10000
stale_master_timeout = 2000
shutdown_timeout = 30000

mongodb_uri = mongodb://admin:passwordhere@mg1.mylogs.com,mg2.mylogs.com,mg3.mylogs.com/graylog?replicaSet=rs01&ssl=true
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5

#rules_file = /etc/graylog/server/rules.drl

#transport_email_enabled = false
#transport_email_hostname = mail.mylogs.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_username = graylog@mylogs.com
#transport_email_auth_password = ********
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = graylog@mylogs.com
#transport_email_web_interface_url = https://gl2.mylogs.com:9000/

http_connect_timeout = 5s
http_read_timeout = 10s
http_write_timeout = 10s
#http_proxy_uri =

gc_warning_threshold = 1s
ldap_connection_timeout = 2000
disable_sigar = false
dashboard_widget_default_cache_time = 10s
content_packs_loader_enabled = true
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

and gl3’s configuration:

is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = --somesecretcodehere--
root_username = admin
root_password_sha2 = --sha2digestforadminpasswordhere--
root_email = "cdeng@live.cn"
root_timezone = Asia/Shanghai
plugin_dir = /usr/share/graylog-server/plugin

rest_listen_uri = https://gl3.mylogs.com:9000/api/
rest_transport_uri = https://gl3.mylogs.com:9000/api/
rest_enable_cors = true
rest_enable_gzip = true
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/rest-cert.pem
rest_tls_key_file = /etc/graylog/server/rest-key.pem
#rest_tls_key_password = ********
rest_max_header_size = 8192
rest_thread_pool_size = 16
trusted_proxies = 192.168.1.0/24,10.10.10.0/24

web_enable = true
web_listen_uri = https://gl3.mylogs.com:9000/
web_endpoint_uri = https://gl3.mylogs.com:9000/api/
web_enable_cors = true
web_enable_gzip = true
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/web-cert.pem
web_tls_key_file = /etc/graylog/server/web-key.pem
#web_tls_key_password = ********
web_max_header_size = 8192
web_max_initial_line_length = 4096
web_thread_pool_size = 16

elasticsearch_hosts = https://graylog:passwordhere@es1.mylogs.com:9200,\
                      https://graylog:passwordhere@es2.mylogs.com:9200,\
                      https://graylog:passwordhere@es3.mylogs.com:9200
elasticsearch_connect_timeout = 10s
elasticsearch_socket_timeout = 60s
#elasticsearch_idle_timeout = -1s
elasticsearch_max_total_connections = 20
elasticsearch_max_total_connections_per_route = 2
elasticsearch_max_retries = 2
elasticsearch_discovery_enabled = false
#elasticsearch_discovery_filter = rack:42
elasticsearch_discovery_frequency = 30s
elasticsearch_compression_enabled = false

rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_size_per_index = 1073741824
elasticsearch_max_time_per_index = 1d
elasticsearch_disable_version_check = false
no_retention = false
elasticsearch_max_number_of_indices = 30
retention_strategy = close
elasticsearch_shards = 3
elasticsearch_replicas = 2
elasticsearch_index_prefix = graylog
elasticsearch_template_name = graylog-internal
allow_leading_wildcard_searches = false
allow_highlighting = true
elasticsearch_analyzer = standard
elasticsearch_request_timeout = 1m
disable_index_optimization = false
index_optimization_max_num_segments = 1
elasticsearch_index_optimization_timeout = 1h
elasticsearch_index_optimization_jobs = 20
index_ranges_cleanup_interval = 1h
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
outputbuffer_processor_keep_alive_time = 5000
outputbuffer_processor_threads_core_pool_size = 3
outputbuffer_processor_threads_max_pool_size = 30
udp_recvbuffer_sizes = 1048576
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 12h
message_journal_max_size = 5gb
message_journal_flush_age = 1m
message_journal_flush_interval = 1000000
message_journal_segment_age = 1h
message_journal_segment_size = 100mb
async_eventbus_processors = 2
lb_recognition_period_seconds = 3
lb_throttle_threshold_percentage = 95
stream_processing_timeout = 2000
stream_processing_max_faults = 3
alert_check_interval = 60
output_module_timeout = 10000
stale_master_timeout = 2000
shutdown_timeout = 30000

mongodb_uri = mongodb://admin:passwordhere@mg1.mylogs.com,mg2.mylogs.com,mg3.mylogs.com/graylog?replicaSet=rs01&ssl=true
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5

#rules_file = /etc/graylog/server/rules.drl

#transport_email_enabled = false
#transport_email_hostname = mail.mylogs.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_username = graylog@mylogs.com
#transport_email_auth_password = ********
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = graylog@mylogs.com
#transport_email_web_interface_url = https://gl3.mylogs.com:9000/

http_connect_timeout = 5s
http_read_timeout = 10s
http_write_timeout = 10s
#http_proxy_uri =

gc_warning_threshold = 1s
ldap_connection_timeout = 2000
disable_sigar = false
dashboard_widget_default_cache_time = 10s
content_packs_loader_enabled = true
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
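
The certificate check behind the X509_check_host error in #1 and the SAN fix confirmed in #3, as an added example that is not from the thread: with proxy_ssl_verify on, nginx matches the upstream certificate against the host written in proxy_pass (the upstream group name glc.mylogs.com, unless proxy_ssl_name overrides it), so the script issues a throwaway CA and two node certificates with openssl and runs that same hostname check against each. The CA, key files and directory names are constructed here and are not the ones in /etc/nginx/certs.

```shell
#!/bin/sh
# Added example, not from the thread. With proxy_ssl_verify on, nginx matches the
# upstream certificate against the host written in proxy_pass (the upstream group
# name, unless proxy_ssl_name overrides it), so every node certificate must carry
# that name as a SAN. The script rebuilds that check with openssl on a throwaway CA.
set -eu

WORK=$(mktemp -d)                 # constructed test PKI lives here
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder.mylogs.com
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed CA standing in for the one behind /etc/nginx/certs/ca-cert.pem.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
  -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" \
  -subj "/CN=mylogs test CA" -days 1 >/dev/null 2>&1

# Issue a CA-signed server certificate for one Graylog node and print its path.
# $1 = node name (gl1, gl2, ...), $2 = SAN list, e.g. DNS:gl1.mylogs.com,DNS:glc.mylogs.com
make_node_cert() {
  node=$1
  san=$2
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$node-key.pem" -out "$WORK/$node.csr" \
    -subj "/CN=$node.mylogs.com" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$WORK/$node-ext.cnf"
  openssl x509 -req -in "$WORK/$node.csr" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$WORK/$node-ext.cnf" \
    -out "$WORK/$node-cert.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$node-cert.pem"
}

# Return 0 when certificate $2 chains to the CA and is valid for host name $1.
# This is the X509_check_host test nginx applies to the proxy_pass host.
check_upstream_name() {
  openssl verify -CAfile "$WORK/ca-cert.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Print the SAN line of a certificate for comparison with the proxy_pass host.
list_sans() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# gl1 as first issued in the thread (own name only); gl2 with the upstream name added.
GL1_CERT=$(make_node_cert gl1 'DNS:gl1.mylogs.com')
GL2_CERT=$(make_node_cert gl2 'DNS:gl2.mylogs.com,DNS:glc.mylogs.com')

for cert in "$GL1_CERT" "$GL2_CERT"; do
  if check_upstream_name glc.mylogs.com "$cert"; then
    echo "OK   [$(list_sans "$cert")] accepted for upstream glc.mylogs.com"
  else
    echo "FAIL [$(list_sans "$cert")] rejected for upstream glc.mylogs.com (X509_check_host: no match)"
  fi
done
```

Run against the real node certificates, the same `openssl verify -CAfile ca-cert.pem -verify_hostname <proxy_pass host> <node cert>` tells you before a reload whether nginx will log "upstream SSL certificate does not match".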

(Charles Deng) #4

Although I have fixed the above server certificate verification issue by adding the name of the upstream as a SAN to the certificates of all Graylog servers, the story comes with another problem: when I configure the SSL stream proxy for GELF over HTTPS inputs, nginx reports the following error:

2018/02/26 13:36:59 [emerg] 4526#0: the shared memory zone "glc.mylogs.com" is already declared for a different use in /etc/nginx/conf.d/stream/graylog.gelf-over-https.conf:7

For the Graylog web & REST proxy, I have defined the following upstream:

upstream glc.mylogs.com {

  zone glc.mylogs.com 64k;
  server gl1.mylogs.com:9000 weight=1 max_fails=3 fail_timeout=30s;
  server gl2.mylogs.com:9000 weight=1 max_fails=3 fail_timeout=30s;
  server gl3.mylogs.com:9000 weight=1 max_fails=3 fail_timeout=30s;

}

and I also defined an upstream for the GELF over HTTPS input as follows:

upstream glc.mylogs.com {

  zone glc.mylogs.com 64k;
  server gl1.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl2.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl3.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;

}

It seems that upstreams cannot share the same name; is there any workaround for this?


(Charles Deng) #5

Even if I change the upstream name from glc.mylogs.com to inputs.mylogs.com as follows:

upstream inputs.mylogs.com {

  zone inputs.mylogs.com 64k;
  server gl1.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl2.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl3.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;

}

the error is still reported:

2018/02/26 14:06:41 [emerg] 4589#0: the shared memory zone "SSL" is already declared for a different use in /etc/nginx/conf.d/stream/graylog.gelf-over-https.conf:43  

(Jochen) #6

Don’t reuse “names” when they should be unique.
Please refer to the nginx documentation for details: https://nginx.org/en/docs/


(Charles Deng) #7

Hi Jochen,

Which names do you mean? Indeed, I can understand that the zone names should be unique, as they will be put into shared memory and shared by workers, but I have no idea why upstream names should be unique in different contexts. I have had a quick look through nginx's documents; there is no clear text on which names in different contexts will have different namespaces, and which names will be in the same namespace even when they appear in different contexts.

Anyway, I have already tried commenting out the zone directives and using different upstream names; for example, in the http context, I have defined the following upstream:

upstream glc.mylogs.com {

  #  zone glc.mylogs.com 64k;
  server gl1.mylogs.com:9000 weight=1 max_fails=2 fail_timeout=30s;
  server gl2.mylogs.com:9000 weight=1 max_fails=2 fail_timeout=30s;
  server gl3.mylogs.com:9000 weight=1 max_fails=2 fail_timeout=30s;

}

and in the stream context, I have defined the following upstream:

upstream gls.mylogs.com {

  # zone gls.mylogs.com 64k;
  server gl1.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl2.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl3.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;

}

I still get the error as follows:

2018/02/26 20:15:15 [emerg] 5101#0: the shared memory zone "SSL" is already declared for a different use in /etc/nginx/conf.d/stream/graylog.gelf-over-https.conf:43

Another problem is that if we turn on proxy_ssl_verify in nginx, it checks against the upstream name instead of the names of the real Graylog servers, so we are forced to add one SAN per upstream name to all certificates of all Graylog servers, which is quite cumbersome to me.

By the way, I am using nginx-1.12.2-1, which comes with CentOS 7.4.


(Jochen) #8

The name “SSL”.

nginx even tells you where to start looking:


(Charles Deng) #9

Where does the name “SSL” come from? For example, the configuration for stream is:

In /etc/nginx.conf:

stream {

  include /etc/nginx/conf.d/stream/*.conf;

}

In /etc/nginx/conf.d/stream/graylog.gelf-over-https.conf:

upstream gls.mylogs.com {
  # zone gls.mylogs.com 64k;
  server gl1.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl2.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
  server gl3.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
}

server {
  listen                          12201 ssl;
  ssl_protocols                   TLSv1.2;
  ssl_prefer_server_ciphers       on;
  ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve                  secp384r1;
  ssl_session_cache               shared:SSL:10m;
  ssl_session_timeout             10m;
  ssl_handshake_timeout           10s;
  ssl_session_tickets             off;
  ssl_certificate                 /etc/nginx/certs/node-cert.pem;
  ssl_certificate_key             /etc/nginx/certs/node-key.pem;
  ssl_trusted_certificate         /etc/nginx/certs/ca-cert.pem;
  ssl_dhparam                     /etc/nginx/certs/dhparam.pem;
  proxy_bind                      10.10.10.41;
  proxy_pass                      gls.mylogs.com;
  proxy_ssl                       on;
  proxy_ssl_certificate           /etc/nginx/certs/node-cert.pem;
  proxy_ssl_certificate_key       /etc/nginx/certs/node-key.pem;
  proxy_ssl_trusted_certificate   /etc/nginx/certs/ca-cert.pem;
  proxy_ssl_protocols             TLSv1.2;
  proxy_ssl_ciphers               "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  proxy_ssl_verify                on;
  proxy_ssl_verify_depth          2;
  proxy_ssl_session_reuse         on;
  proxy_buffer_size               1024k;
  proxy_timeout                   30s;
  proxy_connect_timeout           3s;
}

(Jochen) #10

How about from /etc/nginx/conf.d/stream/graylog.gelf-over-https.conf in line 43, just as the nginx error message mentioned?

See https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache for details.


(Charles Deng) #11

Jochen, thank you very much.

It works now. Maybe this will benefit others; as a summary, we should make sure the following two names are unique:

1. The **zone name** in the upstream context should be unique.
2. The **name in the value of ssl_session_cache** should be unique.

The names of upstreams in different contexts can be the same. It looks nice to me.

Best wishes,
charles
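
The two uniqueness rules from the summary above, as an added example that is not from the thread: a small POSIX shell scan that lists every shared-memory zone an nginx config file declares (upstream `zone` and `ssl_session_cache shared:`), tags each with the context it is included from, and reports the names nginx rejects as "already declared for a different use". The sample config files are constructed here from the upstream and ssl_session_cache lines posted in this thread; limit_req_zone, limit_conn_zone and proxy_cache_path keys_zone also declare zones and are left out of the scan.

```shell
#!/bin/sh
# Added example, not from the thread: find shared-memory zone names that nginx would
# reject with "the shared memory zone ... is already declared for a different use".
# Two declarations may share a name only when they are the same kind in the same
# context (e.g. several http servers using shared:SSL); http and stream are different uses.
set -eu

# Print "context kind name" for each zone declaration in the given files.
# $1 = context the files are included from (http or stream), remaining args = files.
# Covers upstream "zone NAME size;" and "ssl_session_cache shared:NAME:size;".
# (limit_req_zone, limit_conn_zone and proxy_cache_path keys_zone= also declare zones
# and would need their own rules; they are not scanned here.)
list_shared_zones() {
  ctx=$1
  shift
  for f in "$@"; do
    awk -v ctx="$ctx" '
      { sub(/#.*/, "") }                       # strip comments; this also re-splits the fields
      $1 == "zone" && NF >= 2 { name = $2; sub(/;$/, "", name); print ctx, "upstream-zone", name }
      $1 == "ssl_session_cache" && $2 ~ /^shared:/ { split($2, p, ":"); print ctx, "ssl-session-cache", p[2] }
    ' "$f"
  done
}

# Read list_shared_zones lines on stdin; print each name declared for more than one
# (context, kind) pair, sorted bytewise.
find_zone_conflicts() {
  LC_ALL=C sort -u | awk '{ uses[$3]++ } END { for (n in uses) if (uses[n] > 1) print n }' | LC_ALL=C sort
}

# Build the http and stream fragments from the thread with the given stream-side names
# and print the conflicting zone names (empty output means the names are distinct).
# $1 = upstream zone name used in the stream context, $2 = ssl_session_cache name there.
scan_sample_config() {
  d=$(mktemp -d)
  cat > "$d/http-graylog.conf" <<'EOF'
upstream glc.mylogs.com {
  zone glc.mylogs.com 64k;
  server gl1.mylogs.com:9000 weight=1 max_fails=3 fail_timeout=30s;
}
server {
  listen 443 ssl;
  ssl_session_cache shared:SSL:10m;
  location / { proxy_pass https://glc.mylogs.com; }
}
EOF
  cat > "$d/stream-gelf.conf" <<EOF
upstream $1 {
  zone $1 64k;   # the upstream group name may repeat across contexts; the zone name may not
  server gl1.mylogs.com:12201 weight=1 max_fails=2 fail_timeout=30s;
}
server {
  listen 12201 ssl;
  ssl_session_cache shared:$2:10m;
  proxy_pass $1;
}
EOF
  { list_shared_zones http "$d/http-graylog.conf"
    list_shared_zones stream "$d/stream-gelf.conf"; } | find_zone_conflicts
  rm -rf "$d"
}

echo "layout from #4/#5 (same names in both contexts):"; scan_sample_config glc.mylogs.com SSL
echo "layout after the fix in #11 (distinct names):";     scan_sample_config gls.mylogs.com STREAM_SSL
```

The first scan prints SSL and glc.mylogs.com, the two names nginx complained about; the second prints nothing.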
