The process for configuring SSL for your graylog web interface isn't all 
that different from what Andre provided.

You'll need to create a directory for your keystore file.  Only the 
account that's used to run the graylog2 web interface service (it should 
not be root!) should have access to the folder/file.  We didn't put our 
keystore under the Graylog web interface directory,  we keep ours in a 
separate path so that we don't have to remember to move it when we upgrade 
Graylog.

If you just want to use a self-signed certificate, then the keytool 
commands Andre provided should work. 

If you have your own CA or access to a CA, you just need to create/convert 
the web interface certificates to pkcs12 format before importing in to the 
keystore.  I don't believe the keytool will accept any other formats.  
There are plenty of guides for creating pkcs12 files available on the 
internet,  but please make sure that you protect your certificates with 
passwords when you create them.

Let's say you have/want to use the following settings:

keystore directory:   /opt/graylog-key
pkcs12 file:   /tmp/gl2ssl.p12
pkcs12 certificate password:   donotusethis
pkcs12 certificate alias:   graylog2
graylog web interface service account name:   graylog-web

(note that the pkcs12 certificate alias refers to the alias used when the 
certificate was originally created.)

then you can run these commands:

# mkdir /opt/graylog-key
# cd /opt/graylog-key
# keytool -importkeystore -deststorepass "changethispassword" -destkeypass "changethispassword" -destkeystore graylog.keystore -srckeystore /tmp/gl2ssl.p12 -srcstoretype PKCS12 -srcstorepass "donotusethis" -alias graylog2
# chown -R graylog-web:graylog-web /opt/graylog-key
# chmod 700 /opt/graylog-key
# chmod 600 /opt/graylog-key/*

Verify you can access your key: 
# su -s /bin/sh graylog-web -c "file /opt/graylog-key/graylog.keystore"

If it returns "/opt/graylog-key/graylog.keystore: java keystore" then the 
service account will be able to read the keystore file.

Now you have the keystore file "graylog.keystore" in the /opt/graylog-key 
directory.  The password will be whatever you put in place for the text 
"changethispassword".  Now you'll want to insert the SSL parameters in to 
your web interface init command/script after the "java" command:

-Djava.net.preferIPv4Stack=true -Dhttps.port=8443 -Dhttps.keyStore="/opt/graylog-key/graylog.keystore" -Dhttps.keyStorePassword="changethispassword" -Dhttp.port=disabled

This will start up the web interface using SSL only, with the certificate 
you provided, on tcp port 8443.  If you want to use a privileged port (like 
443) then you might want to try having java listen on a high port and using 
iptables to redirect traffic from 443 to the port the java process is 
listening on.  For example, if you want to allow users on the subnet 
10.100.1.0/24 to connect to Graylog2 on TCP port 443, with the Graylog 
web service listening on 8443 (this works with CentOS6, and should work on 
RHEL6 as well):

# iptables -t nat -I PREROUTING --src 10.100.1.0/24 --dst {YOUR GRAYLOG2 IP} -p tcp --dport 443 -j REDIRECT --to-ports 8443

Test access by opening https://{YOUR GRAYLOG2 IP} from a system in the src 
IP range.  There's other ways to allow Java/Graylog2 to bind to 443 to 
listen, but I think it's more complex and more likely to create other 
problems.  After you've verified access to Graylog2 is working, save your 
iptables setting:

# service iptables save

... and make sure you handle your pkcs12 file appropriately.  Don't just 
leave it sitting on your system in the tmp folder.

I would like to add one thing to note:  Unfortunately, anyone who's logged 
in will be able to view your process list and see the plain text password 
for your keystore.  Ensuring you have the proper permissions on that file 
is important, and make sure that nobody has access to the system unless 
they actually need it.  Hiding the process from other users is possible, 
but not really practical.  I'm not sure having a keystore with no password 
would work, but even if it did work I think that's an even bigger weakness 
than having the password viewable in the process list.  If you have a need 
for something more secure, you might want to look in to proxying access 
with nginx or apache and using those processes to handle SSL.


On Wednesday, July 9, 2014 8:50:52 AM UTC, Ankit Mittal wrote:
>
> Hi Andre,
>
> You have shared very useful information.
> Please help me do the same in my graylog environment.
> I am using Graylog2 0.20.3 and running graylog from tar.gz file ( not 
> using .rpm ) on linux RHEL 6.
> Kindly port the steps for implementing the https protocol in graylog web 
> interface.
>
>
> Thanks and Regards
> Ankit Mittal   
>

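The keystore steps above (create the directory, import the pkcs12 file with keytool, lock the permissions down to the service account, confirm that account can read the result) and the iptables redirect, wrapped in shell functions as an added example. This is not code from the original post or from the Graylog project; it assumes the same names the post uses (/opt/graylog-key, graylog.keystore, the graylog-web account) and takes the two passwords from the environment variables GL_P12_PASS and GL_KEYSTORE_PASS, which are names chosen here. The permission check is the part worth keeping around: it tests exactly the state the chown/chmod lines are meant to produce, so it can be re-run after an upgrade or a restore from backup.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the keystore procedure in
# functions and makes the "owner-only" permission state an explicit check.
# Assumed names: /opt/graylog-key, graylog.keystore, service account
# graylog-web, passwords in GL_P12_PASS / GL_KEYSTORE_PASS (all hypothetical).
# keytool still receives the passwords as arguments, so they are briefly
# visible in the process list during the import, just like the Java options.

# Print a message on stderr and fail.
die() { printf '%s\n' "$*" >&2; return 1; }

# verify_keystore_perms DIR OWNER
# Succeeds only if DIR is owned by OWNER with mode exactly 0700 and every
# regular file below it is owned by OWNER with mode exactly 0600.
verify_keystore_perms() {
    dir=$1; owner=$2
    [ -d "$dir" ] || return 1
    # -prune keeps find on the directory itself; no output means a mismatch.
    [ -n "$(find "$dir" -prune -user "$owner" -perm 0700 -print)" ] || return 1
    # Any file with another owner or wider permissions is a finding.
    bad=$(find "$dir" -type f \( ! -user "$owner" -o ! -perm 0600 \) -print)
    [ -z "$bad" ]
}

# install_keystore P12_FILE ALIAS [DIR] [OWNER]
# Imports the PKCS12 file into DIR/graylog.keystore, restricts the directory
# and file to OWNER, then checks as OWNER (not root) that the file is readable.
install_keystore() {
    p12=$1; alias=$2; dir=${3:-/opt/graylog-key}; owner=${4:-graylog-web}
    [ -r "$p12" ] || { die "cannot read $p12"; return 1; }
    [ -n "${GL_P12_PASS:-}" ] && [ -n "${GL_KEYSTORE_PASS:-}" ] \
        || { die "set GL_P12_PASS and GL_KEYSTORE_PASS first"; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    keytool -importkeystore \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$GL_P12_PASS" \
        -alias "$alias" \
        -destkeystore "$dir/graylog.keystore" \
        -deststorepass "$GL_KEYSTORE_PASS" -destkeypass "$GL_KEYSTORE_PASS" \
        || return 1
    chown -R "$owner:$owner" "$dir" && chmod 600 "$dir"/* || return 1
    verify_keystore_perms "$dir" "$owner" \
        || { die "$dir is not owner-only for $owner"; return 1; }
    # Same check as the post: run "file" as the service account itself.
    su -s /bin/sh "$owner" -c "file '$dir/graylog.keystore'" | grep -qi 'keystore' \
        || { die "$owner cannot read the keystore"; return 1; }
}

# redirect_rule_args SRC_CIDR DST_IP FROM_PORT TO_PORT
# Prints the iptables REDIRECT rule from the post after a sanity check that
# the arguments look like a CIDR, a dotted IPv4 address and two port numbers,
# so a typo cannot turn into a rule that redirects the wrong traffic.
redirect_rule_args() {
    src=$1; dst=$2; from=$3; to=$4
    case $src in */[0-9]|*/[0-9][0-9]) ;; *) return 1;; esac
    case $dst in ''|*[!0-9.]*) return 1;; esac
    for p in "$from" "$to"; do
        case $p in ''|*[!0-9]*) return 1;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf 'iptables -t nat -I PREROUTING --src %s --dst %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$src" "$dst" "$from" "$to"
}

# Typical use on the Graylog host (values constructed for illustration):
#   GL_P12_PASS=... GL_KEYSTORE_PASS=... install_keystore /tmp/gl2ssl.p12 graylog2
#   redirect_rule_args 10.100.1.0/24 192.0.2.10 443 8443
```

The redirect helper only prints the rule; applying it (and `service iptables save`) stays a deliberate, separate step. Running `verify_keystore_perms /opt/graylog-key graylog-web` from cron or a config-management check catches the case where a later upgrade or a careless copy widens the permissions again.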
-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.