Configure Graylog Nginx reverse proxy with Let's Encrypt SSL | ComputingForGeeks

source link: https://computingforgeeks.com/configure-graylog-nginx-reverse-proxy-with-letsencrypt-ssl/

Welcome to our guide on how to configure an Nginx reverse proxy for Graylog with a Let's Encrypt SSL certificate. The last Graylog tutorial covered how to Install Graylog 3 on CentOS 7, and it went through all the setup steps. The only downside was that you had to access the Graylog UI by IP address and port number, without a verified SSL certificate.

In this guide, we look at how to put Graylog behind an Nginx reverse proxy with a Let's Encrypt SSL certificate. This way you can use a domain or hostname with a verified SSL certificate.

Configure Graylog Nginx reverse proxy with Letsencrypt SSL

The first step is to install a Let's Encrypt client such as certbot, which we'll use to request the certificate for Graylog.

Install certbot-auto

Run the following commands to install the certbot tool.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/

Confirm installation by checking version:

$ certbot-auto --version

Open the HTTP and HTTPS ports on the firewall:

Certbot uses the HTTP port to complete the certificate request, so open it on the firewall. If you use ufw or iptables, substitute the equivalent commands.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

Request the SSL certificate

Request the Let's Encrypt certificate with the certbot-auto command.

export DOMAIN='graylog.mydomain.com'
export EMAIL="[email protected]"
sudo certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http \
 --agree-tos -n -m "$EMAIL" --keep-until-expiring

This may take a while: certbot-auto first bootstraps its dependencies, creates a Python virtual environment and installs Python packages into it, and only then generates the certificate. Wait until the command reports that the certificate was generated successfully.

A success message looks like this:

.....
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2018-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Install and configure Nginx

Now we need to install and configure Nginx.

sudo yum -y install nginx  # CentOS
sudo apt-get install nginx # Ubuntu / Debian

We’ll put the Nginx configuration for Graylog in /etc/nginx/conf.d/graylog.conf. Replace domain.com with your Graylog domain or subdomain name.

server {
 # "ssl" on the listen line enables TLS; the separate "ssl on;" directive
 # is obsolete and rejected by current nginx releases
 listen 443 ssl;
 # every name listed here must be covered by the certificate
 server_name domain.com www.domain.com;
 location / {
   proxy_set_header Host $http_host;
   proxy_set_header X-Forwarded-Host $host;
   proxy_set_header X-Forwarded-Server $host;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Graylog-Server-URL https://domain.com/api;
   proxy_pass http://127.0.0.1:9000;
   # proxy_pass http://ip-address:9000;
 }
 ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 ssl_session_timeout 5m;
 # EECDH+3DES and RSA+3DES are legacy 64-bit block ciphers; drop them unless old clients need them
 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
 ssl_protocols TLSv1.2;
 ssl_prefer_server_ciphers on;
 # browsers only honour HSTS when it arrives over HTTPS, so it is set here
 add_header Strict-Transport-Security max-age=2592000;
 access_log /var/log/nginx/graylog.access.log;
 error_log /var/log/nginx/graylog.error.log;
}

# http to https redirection
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://$server_name$request_uri;
}
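
The ssl_ciphers value above mixes forward-secret suites with legacy ones. As an added example (not part of the original article), this POSIX shell function splits such a string into its tokens and flags those that enable 3DES, RC4, MD5, NULL/export or static RSA key exchange; the function names and reason strings are this example's own.

```shell
#!/bin/sh
# Added example: flag legacy entries in an nginx ssl_ciphers value.
# Constructed sample input: the ssl_ciphers string from graylog.conf above.
SAMPLE_CIPHERS='EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5'

# classify_token TOKEN: print why TOKEN is weak and return 0; return 1 if it is fine.
classify_token() {
  case "$1" in
    '!'*|-*|+*) return 1 ;;   # exclusions, removals and reorderings enable nothing
  esac
  case "$1" in
    *3DES*|*DES-CBC3*) echo "64-bit block cipher (Sweet32)" ;;
    *RC4*)             echo "RC4 stream cipher" ;;
    *MD5*)             echo "MD5-based MAC" ;;
    *NULL*|*EXP*)      echo "no or export-grade encryption" ;;
    # In OpenSSL 1.1.0 and later the RSA keyword is an alias for kRSA.
    RSA|RSA+*|kRSA*)   echo "static RSA key exchange, no forward secrecy" ;;
    *)                 return 1 ;;
  esac
}

# audit_ciphers STRING: print one "WEAK <token>: <reason>" line per weak token.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_ciphers() {
  findings=$(printf '%s\n' "$1" | tr ':, ' '\n\n\n' | while IFS= read -r tok; do
    [ -n "$tok" ] || continue
    if reason=$(classify_token "$tok"); then
      printf 'WEAK %s: %s\n' "$tok" "$reason"
    fi
  done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

audit_ciphers "$SAMPLE_CIPHERS" || echo "ssl_ciphers needs tightening"
```

To audit a live file, pass the value of its ssl_ciphers directive (without the trailing semicolon) to audit_ciphers.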

Save the configuration and check with nginx if its syntax is valid.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start and enable nginx service

Proceed to start and enable nginx service.

sudo systemctl start nginx
sudo systemctl enable nginx

Visiting the specified domain over HTTP should now redirect you to HTTPS.
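
The redirect and the HSTS header can be checked from the command line instead of a browser. This added example (not part of the original article) parses headers as printed by `curl -sI`; since browsers ignore HSTS received over plain HTTP, the max-age is read from the HTTPS response. The function names and the two sample responses are constructed for the placeholder host domain.com.

```shell
#!/bin/sh
# Added example: verify the redirect and HSTS header from `curl -sI` output.
# Constructed sample responses for the placeholder host domain.com.
HTTP_SAMPLE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://domain.com/
'
HTTPS_SAMPLE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=2592000
'

# header_value NAME: print the value of the first NAME header read from stdin.
header_value() {
  tr -d '\r' | awk -v n="$1" -F': *' \
    'tolower($1) == tolower(n) { sub(/^[^:]*: */, ""); print; exit }'
}

# redirects_to_https HOST: succeed if stdin is a 301/308 pointing at https://HOST.
redirects_to_https() {
  resp=$(tr -d '\r')
  code=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$resp" | header_value Location)
  case "$code" in 301|308) ;; *) return 1 ;; esac
  case "$loc" in "https://$1"|"https://$1/"*) return 0 ;; *) return 1 ;; esac
}

# hsts_max_age: print the max-age seconds from stdin; fail if HSTS is absent.
hsts_max_age() {
  v=$(header_value Strict-Transport-Security | tr 'A-Z' 'a-z')
  age=$(printf '%s\n' "$v" | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && printf '%s\n' "$age"
}

# Against a live host, pipe real responses in instead of the samples:
#   curl -sI "http://$DOMAIN/"  | redirects_to_https "$DOMAIN"
#   curl -sI "https://$DOMAIN/" | hsts_max_age
printf '%s' "$HTTP_SAMPLE" | redirects_to_https domain.com && echo "redirect: ok"
printf 'HSTS max-age: %s\n' "$(printf '%s' "$HTTPS_SAMPLE" | hsts_max_age)"
```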

I hope this guide on configuring a Graylog Nginx reverse proxy with Let's Encrypt SSL worked for you. I’ll cover creating Streams, Inputs, and Dashboards in the coming tutorials.
