Welcome to our guide on Configure Graylog Nginx reverse proxy with Let’s Encrypt SSL. The last tutorial related to graylog was how install Graylog server on Ubuntu / CentOS 7 / CentOS 8 Linux systems. It covered pretty well all setup steps for Graylog. The only downside was that you have to access Graylog UI using IP address and port number without verified SSL certificate.
In this guide, I want us to look at how to Configure Graylog Nginx reverse proxy with Let’s Encrypt SSL. This way you can use domain or hostname with verified SSL certificate.
Configure Graylog Nginx reverse proxy with Let’s Encrypt SSL
The first step is to install Let’s Encrypt client like certbot which we’ll use to request the certificate to be used by Graylog.
Install certbot Let’s Encrypt SSL tool
Run the following commands to install cerbot tool.
# Ubuntu / Debian sudo apt update sudo apt install certbot # Fedora sudo dnf install certbot # CentOS 8 / CentOS 7 sudo yum -y install epel-release sudo yum -y install certbot
Confirm installation by checking version:
$ certbot --version certbot 1.21.0
Open https port on Firewall
We’ll use http port to request for SSL certificate, so open it on the firewall. If using ufw or iptables, substitute the commands here with equivalent commands.
sudo firewall-cmd --add-service=http,https --permanent sudo firewall-cmd --reload
Stop nginx service if running:
sudo systemctl stop nginx
Request for SSL certificate
Request for Let’s Encrypt certificate using a certbot-auto command.
export DOMAIN='graylog.mydomain.com' export EMAIL="[email protected]" sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
This may take a while since it will start with Bootstrapping dependencies, creating python virtual environment and Installing Python packages to it, and finally the certificate generation. Wait until the command gives a reply that certificates were generated successfully.
A success message looks like this:
..... IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem Your cert will expire on 2018-06-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Install and configure Nginx
Now we need to install and configure Nginx.
# CentOS / RHEL sudo yum -y install nginx # Ubuntu / Debian sudo apt install nginx
We’ll put nginx configuration for graylog under /etc/nginx/conf.d/graylog.conf. Replace domain.com with your graylog domain/subdomain name.
server listen 443 ssl; server_name graylog.mydomain.com; location / proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Graylog-Server-URL https://domain.com/api; proxy_pass http://127.0.0.1:9000; # proxy_pass http://ip-address:9000; ssl on; ssl_certificate /etc/letsencrypt/live/graylog.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/graylog.mydomain.com/privkey.pem; ssl_session_timeout 5m; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/graylog.access.log; error_log /var/log/nginx/graylog.error.log; # http to https redirection server listen 80; server_name graylog.mydomain.com; add_header Strict-Transport-Security max-age=2592000; rewrite ^ https://$server_name$request_uri? permanent;
Save the configuration and check with nginx if its syntax is valid.
$ sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Start and enable nginx service
Proceed to start and enable nginx service.
sudo systemctl restart nginx sudo systemctl enable nginx
Visiting specified domain should redirect you to https.
Hope Configure Graylog Nginx reverse proxy with Let’s Encrypt SSL guide worked for you. I’ll cover Creating Streams, Inputs, and Dashboard in the coming tutorials.