I have some questions on using Nginx as a reverse proxy and load balancer:
I want to put the Graylog cluster in internal IP networks, and put Nginx instances between the external networks and the internal networks as reverse proxy and load balancer for log collectors and for management from the external networks. But I don't want the communication among the Graylog cluster nodes to go through the Nginx instances. My questions are:
- With these deployment requirements, should we leave rest_transport_uri and web_endpoint_uri untouched in the configuration?
- If the above is true, are there any related options that have to be set in the configuration?
I have tried to set up a network as follows:
manager (browser, 192.168.3.2) — external network (192.168.3.0/24) — (lbe.mylogs.com/192.168.3.3 nginx lbi.mylogs.com/10.10.10.41) — internal network (10.10.10.0/24) — (Graylog cluster: gl*.mylogs.com/10.10.10.3*)
and there is no IP route available between 192.168.3.0/24 (external) and 10.10.10.0/24 (internal).
When I use the following nginx configuration for the HTTPS reverse proxy:
```nginx
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    # Round-robin group of the three Graylog nodes on the internal network.
    upstream glc.mylogs.com {
        server gl1.mylogs.com:9000;
        server gl2.mylogs.com:9000;
        server gl3.mylogs.com:9000;
    }

    # Plain HTTP only redirects to HTTPS.
    server {
        listen 80;
        server_name lbe.mylogs.com;
        return 302 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name lbe.mylogs.com;
        ssl on;   # redundant with "listen 443 ssl" above, and deprecated in newer nginx
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        # ssl_stapling on;
        # ssl_stapling_verify on;
        # resolver 192.168.3.2 valid=300s ipv6=off;
        # resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_certificate /etc/nginx/certs/lbe-node-cert.pem;
        ssl_certificate_key /etc/nginx/certs/lbe-node-key.pem;
        ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
        ssl_dhparam /etc/nginx/certs/dhparam.pem;
        # include /etc/nginx/default.d/*.conf;

        location / {
            # Source the upstream connections from the internal-side address.
            proxy_bind 10.10.10.41;
            # With proxy_ssl_verify on, the upstream certificate is checked against
            # proxy_ssl_name, which defaults to the host part of this URL (glc.mylogs.com).
            proxy_pass https://glc.mylogs.com;
            # Client certificate presented to Graylog (mutual TLS).
            proxy_ssl_certificate /etc/nginx/certs/lbe-node-cert.pem;
            proxy_ssl_certificate_key /etc/nginx/certs/lbe-node-key.pem;
            proxy_ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
            proxy_ssl_protocols TLSv1.2;
            proxy_ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        }
    }
}
```
When I access the web interface from the external network via https://lbe.mylogs.com, I get the following error report in the nginx error_log:
```
2018/02/19 14:55:12 [debug] 1405#0: *1 http proxy header:
"GET / HTTP/1.0
Host: lbe.mylogs.com
X-Forwarded-Host: lbe.mylogs.com
X-Forwarded-Server: lbe.mylogs.com
X-Forwarded-For: 192.168.3.2
X-Graylog-Server-URL: https://lbe.mylogs.com/api
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
"
...
2018/02/19 14:55:12 [debug] 1405#0: *1 X509_check_host(): no match
2018/02/19 14:55:12 [error] 1405#0: *1 upstream SSL certificate does not match "glc.mylogs.com" while SSL handshaking to upstream, client: 192.168.3.2, server: lbe.mylogs.com, request: "GET / HTTP/1.1", upstream: "https://10.10.10.31:9000/", host: "lbe.mylogs.com"
2018/02/19 14:55:12 [debug] 1405#0: *1 http next upstream, 2
2018/02/19 14:55:12 [debug] 1405#0: *1 free rr peer 3 4
2018/02/19 14:55:12 [warn] 1405#0: *1 upstream server temporarily disabled while SSL handshaking to upstream, client: 192.168.3.2, server: lbe.mylogs.com, request: "GET / HTTP/1.1", upstream: "https://10.10.10.31:9000/", host: "lbe.mylogs.com"
2018/02/19 14:55:12 [debug] 1405#0: *1 free rr peer failed: 000055D8D12C7C08 0
2018/02/19 14:55:12 [debug] 1405#0: *1 close http upstream connection: 13
2018/02/19 14:55:12 [debug] 1405#0: *1 SSL_shutdown: 1
...
2018/02/19 14:55:12 [debug] 1405#0: *1 HTTP/1.1 502 Bad Gateway
Server: nginx/1.12.2
Date: Mon, 19 Feb 2018 06:55:12 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
```
Does this mean that I have to put the upstream server name (i.e. glc.mylogs.com) as a SAN in the cert of each Graylog server (i.e. gl1.mylogs.com, gl2.mylogs.com and gl3.mylogs.com in my trial)?
thanks.
–charles
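The "X509_check_host(): no match" line above comes from the hostname check that `proxy_ssl_verify on` performs: nginx compares the names in the upstream certificate against `proxy_ssl_name`, which defaults to the host part of `proxy_pass`, here the upstream group name `glc.mylogs.com`. The following is an added illustration (not code from the post or from nginx) that models that check over constructed SAN lists, so you can see which certificate contents would pass for the group name; the SAN sets and the `gl1`/`glc` names are taken from the post, and the matching rules are a conservative reading of what a hostname verifier does.

```python
"""Hostname check of the kind nginx's proxy_ssl_verify performs.

Added illustration, not code from the forum post. nginx compares the
upstream certificate's names against proxy_ssl_name, which defaults to the
host part of proxy_pass (here the upstream group name "glc.mylogs.com").
The SAN lists below are constructed for the example, not real certificates.
Wildcards are honoured only as a whole left-most label (conservative; OpenSSL
also accepts partial wildcards such as "gl*.mylogs.com" by default).
"""
from __future__ import annotations


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname, case-insensitively."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):  # a wildcard never spans a dot
        return False
    if "*" in pattern:
        # only "*.<at least two labels>" is accepted, e.g. "*.mylogs.com"
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        p_labels = p_labels[1:]
        h_labels = h_labels[1:]
    return p_labels == h_labels


def cert_matches(san_dns_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName in the certificate matches hostname."""
    return any(san_matches(san, hostname) for san in san_dns_names)


# Constructed SAN sets standing in for a Graylog node's certificate.
CERTS = {
    "node name only": ["gl1.mylogs.com"],
    "node name + group name": ["gl1.mylogs.com", "glc.mylogs.com"],
    "wildcard": ["*.mylogs.com"],
}


def check_upstream_group(proxy_ssl_name: str = "glc.mylogs.com") -> dict[str, bool]:
    """Evaluate each constructed certificate against the name nginx verifies."""
    return {name: cert_matches(sans, proxy_ssl_name) for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, ok in check_upstream_group().items():
        print(f"{name:24s} -> {'match' if ok else 'no match (as in the error_log)'}")
```

A certificate carrying only the node's own name fails the check for the group name, which is the situation the error_log shows; the same check can be pointed at another name by passing it to `check_upstream_group`.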