Hi,

the idea for SSL on the appliances is to use nginx for SSL termination. To do this just replace the certificate in /opt/graylog/conf/nginx/ca (in case you don't want to use a self-signed cert). Run sudo graylog-ctl enforce-ssl and sudo graylog-ctl reconfigure.
Afterwards http connections are forwarded to port 443 and port 9000 is not reachable anymore. All connections should be encrypted.

Cheers,
Marius

On 23 October 2015 at 12:44, <[email protected]> wrote:
> I have installed the VMWare appliance, downloaded from
> http://docs.graylog.org/en/latest/pages/installation/virtual_machine_appliances.html
> version 1.2.1
> I have installed it and receiving logs works fine.
> The problem I am having is when trying to enable HTTPS. This is a feature
> I see as standard when setting up a new server where users login.
>
> So there seems to be two parts to this.
> First create a java keystore. This I have done without problems.
> The next part is where to actually change the port to 443, enable HTTPS,
> and define the keystore and its password.
>
> I have looked at the following guide:
> https://groups.google.com/forum/#!topic/graylog2/h9tgxGN8yoQ
>
> Seems you need to edit the init script and modify the parameters:
> -Dhttps.port=443
> -Dhttps.keyStore="/opt/graylog2/key/graylog2.keystore"
> -Dhttps.keyStorePassword="XXXXX"
> -Dhttp.port=disabled
>
> Now when I run: ps aux I can see that the
> process /opt/graylog/embedded/jre/bin/java is started by the user graylog,
> and it contains for example the parameter:
> -Dhttp.port=9000
> -Dhttp.address=0.0.0.0
>
> But where is this process started from?
> I checked /etc/init.d/ of course, but there is no graylog there.
>
> I have tried to grep for some of the parameters in all files in the
> filesystem.
> I found some interesting files here:
> /opt/graylog/sv/graylog-web/run
> It had a line with:
> exec chpst -P -U graylog -u graylog /opt/graylog/web/bin/graylog-web-interface -Dconfig.file=/opt/graylog/conf/graylog-web-interface.conf -Dhttp.port=9000 -Dhttp.address=0.0.0.0 -Dpidfile.path=/var/opt/graylog/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml
> I changed this to 9001 and did:
> graylogctl reconfigure
> The port stays at 9000 and when I check the file again it has changed back
> to 9000. So this configuration must be in some other file.
>
> Ok, so when running graylogctl reconfigure I noticed that it's running chef.
> So eventually I found a folder called:
> /opt/graylog/embedded/cookbooks/graylog/templates/default
>
> In here was a file called sv-graylog-web-run.erb
> With a line saying
> exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%= node['graylog']['user']['username'] %> <%= @options[:install_directory] %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%= @options[:install_directory] %>/conf/graylog-web-interface.conf -Dhttp.port=<%= node['graylog']['graylog-web']['port'] %> -Dhttp.address=<%= @options[:bind_address] %> -Dpidfile.path=<%= node['graylog']['var_directory'] %>/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml
>
> Ok so here we have some options. We can either overwrite it statically, or
> understand where it gets the variables from.
> Let's do it the easy way, so we change it to:
> exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%= node['graylog']['user']['username'] %> <%= @options[:install_directory] %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%= @options[:install_directory] %>/conf/graylog-web-interface.conf -Dhttp.port=disabled -Dhttp.address=<%= @options[:bind_address] %> -Dhttps.port=443 -Dhttps.keyStore="/opt/graylog-key/KEYSTOREFILE" -Dhttps.keyStorePassword="PASSWORD" -Dpidfile.path=<%= node['graylog']['var_directory'] %>/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml
>
> then we run graylogctl reconfigure
>
> Ok, partial success now. It replies on 443 but it has a standard
> certificate with commonName "graylog". Strange.
> Or well, I didn't actually try before I made the change. So I reverted the
> configuration and did graylogctl reconfigure again.
> Try HTTPS. Same as before, works but with a self-signed certificate.
> Ok, so if I can find this certificate, then I could maybe replace it, or
> where is this configured?
>
> netstat -tulpn shows
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1855/nginx.conf
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1855/nginx.conf
>
> So nothing is actually listening to port 9000? And we seem to come to the
> same server regardless if we do port 9000, 80 or HTTPS on 443.
> At least 80 and 443 seem to be handled by nginx.conf, so let's continue
> the search there.
>
> /opt/graylog/conf/nginx/nginx.conf
>
> From the configuration it seems it's proxying 80 and 443 to localhost:9000
> proxy_pass http://localhost:9000/;
>
> So the mission is more clear
>
> We now want to:
> Disable port 80 on nginx
> Only have port 9000 listen on localhost
> Set a correct certificate on port 443 but in nginx
>
> ssl on;
> ssl_certificate /opt/graylog/conf/nginx/ca/graylog.crt;
> ssl_certificate_key /opt/graylog/conf/nginx/ca/graylog.key;
>
> Ok, so now we need to redo the SSL, since we do not use a java keystore
> here.
> openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
> Send the CSR file to the CA, and get a certificate back.
> Now we have one keyfile and one certificate file, that we can replace the
> default ones with.
> Files replaced. Now let's kill nginx and then run graylogctl reconfigure
>
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> nginx: no process found
>
> After running graylogctl reconfigure it works!
>
> Now we need to get rid of port 9000 and port 80
>
> I tried to change /opt/graylog/conf/nginx/nginx.conf directly but it was
> overwritten by chef, so we need to find the correct cookbook and edit it
> there
> Edit the
> /opt/graylog/embedded/cookbooks/graylog/templates/default/nginx.conf.erb
> and remove the if to enable the 301 redirect to HTTPS (don't forget the end
> part)
> Now the final thing is to make it stop listening on port 9000
> I tried to change the file:
> /opt/graylog/embedded/cookbooks/graylog/templates/default/sv-graylog-web-run.erb
> and set -Dhttp.address=127.0.0.1
> But it still listened to port 9000 from the outside.
>
> In the end I just did
>
> iptables -A INPUT -p tcp -s localhost --dport 9000 -j ACCEPT
> iptables -A INPUT -p tcp --dport 9000 -j DROP
>
> Sorry for the rant and the unstructured post, but maybe someone else can
> find useful information here.
> Would be kind of nice if this information was in the documentation, but I
> couldn't find any reference.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/e096db9a-1cc4-422a-a6fe-25ff431feeb5%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

--
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Steckelhörn 11
20457 Hamburg
Germany
https://www.graylog.com <https://www.torch.sh/>

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)
