I'm using the graylog2/server:2.0.1-2 Docker image from
https://hub.docker.com/r/graylog2/server/. I'm going to put everything
behind an nginx reverse proxy with HTTPS to secure communication for both the web
interface and the REST API. This is my nginx configuration:

server {
    listen 80;
    server_name graylog.example.com;
    ## redirect http to https ##
    rewrite ^ https://graylog.example.com$request_uri? permanent;
}

server {
    listen 443 ssl;
    ssl on;
    ssl_certificate_key /etc/nginx/certs/graylog.example.com.key;
    ssl_certificate /etc/nginx/certs/graylog.example.com.crt;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    #add_header X-Frame-Options DENY;
    #add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    chunked_transfer_encoding on;
    server_name graylog.example.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice

    ## Increase this if you want to upload large attachments
    client_max_body_size 0;

    ## Individual nginx logs for this vhost
    access_log /var/log/nginx/graylog.example.com_access.log;
    error_log /var/log/nginx/graylog.example.com_error.log;

    location / {
        include proxy_params;
        proxy_pass http://graylog_web_backend;
    }

    location /api {
        rewrite ^/api(.*)$ $1 break;
        include proxy_params;
        proxy_pass http://graylog_api_backend;
    }
}

upstream graylog_web_backend {
    server 172.17.0.1:9000;
}

upstream graylog_api_backend {
    server 172.17.0.1:12900;
}

This is the environment that I used to configure the Graylog container:

GRAYLOG_PASSWORD_SECRET: CHANGEME
GRAYLOG_REST_TRANSPORT_URI: https://graylog.example.com/
GRAYLOG_WEB_ENDPOINT_URI: https://graylog.example.com/api/

I can access the web interface and log in to Graylog. But if I open the
System / Overview page, I get these log messages from the docker logs -f graylog
command:

2016-05-26 06:00:51,111 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://graylog.example.com:12900/system/metrics/multiple on node <e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: Read timed out (class java.net.SocketTimeoutException)
2016-05-26 06:00:52,934 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://graylog.example.com:12900/system/jobs on node <e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: Read timed out (class java.net.SocketTimeoutException)
2016-05-26 06:00:52,975 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://graylog.example.com:12900/system/metrics/multiple on node <e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: Read timed out (class java.net.SocketTimeoutException)
2016-05-26 06:00:54,897 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://graylog.example.com:12900/system/metrics/multiple on node <e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: Read timed out (class java.net.SocketTimeoutException)
2016-05-26 06:00:56,912 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://graylog.example.com:12900/system/metrics/multiple on node <e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: Read timed out (class java.net.SocketTimeoutException)

So I assume that the system still thinks that the REST API is still at port 12900.
Has anyone tried this before? Any workaround? Or any proper way to do this?
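
The mismatch described in the post can be checked mechanically. This is an added example, not part of the original post and not Graylog or nginx project code: it reads the ports nginx listens on and the URLs in the ProxiedResource warnings, then reports calls aimed at a port the proxy does not serve. The sample config and log lines are constructed from the post, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input, shaped after the config and warnings in the post.
NGINX_CONF = """
server { listen 80; server_name graylog.example.com; }
server { listen 443 ssl; server_name graylog.example.com; }
"""
TMPL = ("{ts} WARN : org.graylog2.shared.rest.resources.ProxiedResource - "
        "Unable to call https://graylog.example.com:12900{path} on node "
        "<e5b8ba1e-94e6-4af1-93c5-5cafb8a44800>, caught exception: "
        "Read timed out (class java.net.SocketTimeoutException)")
LOG = "\n".join(TMPL.format(ts=t, path=p) for t, p in [
    ("2016-05-26 06:00:51,111", "/system/metrics/multiple"),
    ("2016-05-26 06:00:52,934", "/system/jobs"),
    ("2016-05-26 06:00:52,975", "/system/metrics/multiple"),
])

# "listen 443 ssl;" and "listen 127.0.0.1:8443;" both yield the port number.
LISTEN_RE = re.compile(r"\blisten\s+(?:[^\s;]*:)?(\d+)\b")
CALL_RE = re.compile(r"ProxiedResource - Unable to call (\S+)\s+on node <([^>]+)>")
DEFAULT_PORTS = {"http": 80, "https": 443}

def proxy_ports(conf):
    """Ports the reverse proxy accepts connections on."""
    return {int(p) for p in LISTEN_RE.findall(conf)}

def failed_calls(log):
    """Count failed REST calls per (scheme, host, port) target."""
    hits = Counter()
    for url, _node in CALL_RE.findall(log):
        u = urlsplit(url)
        # A URL without an explicit port uses the scheme default.
        port = u.port or DEFAULT_PORTS[u.scheme]
        hits[(u.scheme, u.hostname, port)] += 1
    return hits

def unreachable(conf, log):
    """Targets in the warnings whose port the proxy does not listen on."""
    ports = proxy_ports(conf)
    return {t: n for t, n in failed_calls(log).items() if t[2] not in ports}

if __name__ == "__main__":
    for (scheme, host, port), n in unreachable(NGINX_CONF, LOG).items():
        print(f"{n} failed calls to {scheme}://{host}:{port} (proxy has no listener)")
```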