Configure Graylog Nginx proxy with Let’s Encrypt SSL


Welcome to our guide on configuring a Graylog Nginx reverse proxy with Let’s Encrypt SSL. The last Graylog tutorial covered how to install Graylog server on Ubuntu / CentOS 7 / CentOS 8 Linux systems, including all the setup steps. The only downside was that you had to access the Graylog UI using an IP address and port number, without a verified SSL certificate.

In this guide, we look at how to configure an Nginx reverse proxy for Graylog with Let’s Encrypt SSL, so that you can use a domain or hostname with a verified SSL certificate.

Configure Graylog Nginx reverse proxy with Let’s Encrypt SSL

The first step is to install a Let’s Encrypt client such as certbot, which we’ll use to request the certificate used by Graylog.

Install certbot Let’s Encrypt SSL tool

Run the following commands to install the certbot tool.

# Ubuntu / Debian
sudo apt update
sudo apt install certbot

# Fedora
sudo dnf install certbot

# CentOS 8 / CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot

Confirm installation by checking version:

$ certbot --version
certbot 1.21.0

Open https port on Firewall

We’ll use the http port to request the SSL certificate, and Graylog will then be served over https, so open both on the firewall. If you use ufw or iptables, substitute the equivalent commands.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

Stop the nginx service if it is running, since certbot’s standalone mode needs to bind the http port itself:

sudo systemctl stop nginx

Request for SSL certificate

Request a Let’s Encrypt certificate using the certbot command.

export DOMAIN='graylog.mydomain.com'
export EMAIL="admin@example.com"   # placeholder: replace with your own contact address
sudo certbot certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring

This may take a while, since it starts by bootstrapping dependencies, creating a Python virtual environment and installing Python packages into it, and only then generates the certificate. Wait until the command reports that the certificates were generated successfully.

A success message looks like this:

.....
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2018-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Install and configure Nginx

Now we need to install and configure Nginx.

# CentOS / RHEL
sudo yum -y install nginx 

# Ubuntu / Debian 
sudo apt install nginx

We’ll put the nginx configuration for Graylog in /etc/nginx/conf.d/graylog.conf. Replace graylog.mydomain.com and domain.com with your Graylog domain/subdomain name.

server {
    listen 443 ssl;
    server_name graylog.mydomain.com;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://domain.com/api;
        proxy_pass http://127.0.0.1:9000;
        # proxy_pass http://ip-address:9000;
    }

    # TLS is enabled by the "ssl" parameter of the listen directive above;
    # the separate "ssl on;" directive is obsolete since nginx 1.15.0 and
    # was removed in 1.25.1, so it is not used here.
    ssl_certificate /etc/letsencrypt/live/graylog.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/graylog.mydomain.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Browsers ignore HSTS received over plain http, so the header is set
    # on the https server rather than on the redirecting one.
    add_header Strict-Transport-Security max-age=2592000;

    access_log /var/log/nginx/graylog.access.log;
    error_log /var/log/nginx/graylog.error.log;
}

# http to https redirection
server {
    listen 80;
    server_name graylog.mydomain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
Save the configuration and check with nginx if its syntax is valid.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
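
Note that nginx -t only validates syntax. The script below is an added example, not part of the original guide: a small lint for the Graylog vhost file that flags an obsolete "ssl on;" directive, an HSTS header placed on the plain-http listener, and a TLS listener with no HSTS header. The function name lint_vhost and the sample file are constructed for illustration, and the script assumes one directive per line.

```sh
#!/bin/sh
# Added example (not from the original guide): lint a Graylog vhost file for
# TLS mistakes that "nginx -t" accepts. Assumes one directive per line and
# brace-delimited blocks, as in /etc/nginx/conf.d/graylog.conf.

lint_vhost() {  # $1 = vhost file; prints findings, returns 1 if there are any
    awk '
    function report(msg) { print FILENAME ": " msg; bad = 1 }
    { sub(/#.*/, "") }                                  # ignore comments
    depth == 0 && /^[ \t]*server[ \t]*[{]/ { in_srv = 1; start = NR; tls = 0; hsts = 0 }
    in_srv && /^[ \t]*listen[ \t][^;]*[ \t]ssl[ \t;]/ { tls = 1 }
    in_srv && /^[ \t]*add_header[ \t]+Strict-Transport-Security/ { hsts = 1 }
    in_srv && /^[ \t]*ssl[ \t]+on[ \t]*;/ {
        report("line " NR ": \"ssl on;\" is obsolete since nginx 1.15.0; keep only \"listen 443 ssl;\"")
    }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")    # track block nesting
        if (in_srv && depth == 0) {                     # server block just closed
            if (hsts && !tls) report("server at line " start ": HSTS sent over plain HTTP is ignored by browsers")
            if (tls && !hsts) report("server at line " start ": TLS listener without Strict-Transport-Security")
            in_srv = 0
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample file used to exercise the checks (not a real deployment).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server {
    listen 443 ssl;
    server_name graylog.mydomain.com;
    location / {
        proxy_pass http://127.0.0.1:9000;
    }
    ssl on;
    ssl_certificate /etc/letsencrypt/live/graylog.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/graylog.mydomain.com/privkey.pem;
}
server {
    listen 80;
    server_name graylog.mydomain.com;
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^ https://$server_name$request_uri? permanent;
}
EOF
lint_vhost "$SAMPLE" || echo "fix the findings above before restarting nginx"
```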

Start and enable nginx service

Proceed to start and enable nginx service.

sudo systemctl restart nginx
sudo systemctl enable nginx

Visiting the specified domain should redirect you to https.


I hope this guide on configuring a Graylog Nginx reverse proxy with Let’s Encrypt SSL worked for you. I’ll cover creating Streams, Inputs, and Dashboards in the coming tutorials.
