Hi 123Dev
Playing with *rest_listen_uri* didn't work for me, neither writing it
manually in */opt/graylog/conf/graylog.conf* nor using *custom_attributes*
in */etc/graylog/graylog-settings.json*.
I did the following:
- A *graylog-ctl cleanse*.
- Then, *graylog-ctl reconfigure*.
- Then, *graylog-ctl enforce-ssl*.
- Finally, a *graylog-ctl reconfigure*.
And all I see in the chef logs are the lines added to *nginx.conf*.
*rest_listen_uri*, *rest_enable_tls*, *rest_tls_cert_file*, *rest_tls_key_file*
and *rest_tls_key_password*
in */opt/graylog/conf/graylog.conf* are intact. The last four are commented out:
*nginx.conf file*
+++ /opt/graylog/conf/nginx/.nginx.conf20160613-5301-141gd8f 2016-06-13 06:
15:50.852181342 +0000
@@ -13,12 +13,31 @@
server {
listen 80;
+ return 301 https://$host:443$request_uri;
+ error_page 502 /502.html;
+ location /502.html {
+ internal;
+ }
+ }
+
+ server {
+ listen 443;
+
+ ssl on;
+ ssl_certificate /opt/graylog/conf/nginx/ca/graylog.crt;
+ ssl_certificate_key /opt/graylog/conf/nginx/ca/graylog.key;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-
SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-
AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-
SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA
:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-
AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-
CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-
SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ ssl_prefer_server_ciphers on;
+
location / {
proxy_pass http://localhost:9000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Graylog-Server-URL https://$host:443/api;
proxy_pass_request_headers on;
proxy_connect_timeout 150;
proxy_send_timeout 100;
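Review bot: In the new "listen 443" server block, "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" still enables TLS 1.0 and 1.1, and the ssl_ciphers string keeps DES-CBC3-SHA along with the catch-all AES and CAMELLIA entries. I would restrict this to "ssl_protocols TLSv1.2;" and drop the 3DES and non-forward-secret fallbacks unless old clients must be supported. Separately, both "return 301 https://$host:443$request_uri;" and the added "X-Graylog-Server-URL https://$host:443/api;" header build URLs from $host, which can follow the Host header sent by the client. Using a literal hostname in those two lines would keep the redirect target and the advertised API URL independent of what the client sends.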
@@ -27,11 +46,17 @@
client_max_body_size 8m;
client_body_buffer_size 128k;
}
+
+ location /api/ {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_pass http://localhost:12900/;
+ }
+
error_page 502 /502.html;
location /502.html {
internal;
}
}
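Review bot: The added "location /api/" block sets Host from $http_host while "location /" uses $host, and it omits the X-Real-IP header and the proxy timeouts that "location /" sets. I would use "proxy_set_header Host $host;" and add the X-Real-IP line so both locations present the same client information to the backend. Note also that "proxy_pass http://localhost:12900/;" speaks plain HTTP to the backend, so this layout only works while the listener on port 12900 accepts unencrypted connections.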
*graylog.conf file*
# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
#rest_enable_tls = true
# The X.509 certificate file to use for securing the REST API.
#rest_tls_cert_file = /path/to/graylog2.crt
# The private key to use for securing the REST API.
#rest_tls_key_file = /path/to/graylog2.key
# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret
Then I tried changing the */etc/graylog/graylog-settings.json* file,
followed by a *graylog-ctl reconfigure*, with:
"custom_attributes": {
"graylog-server": {
"rest_listen_uri": "<uri-here>"
}
}
- https://192.168.0.162, it at least gets the server up, but then it
complains that *https://192.168.0.165:443/api/* is not reachable.
- https://192.168.0.162:443, won't even boot up. *graylog tail* tells
me that the server gets caught in an infinite loop, stopping -> restarting ->
stopping -> restarting.
- https://192.168.0.162:12900, same as the first one.
What else have you tried?
Pasqual T