Configure Graylog Nginx reverse proxy with Letsencrypt SSL


(May 5, 2018)

Welcome to our guide on configuring an Nginx reverse proxy for Graylog with a Letsencrypt SSL certificate. The last Graylog tutorial was how to Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7, and it covered all the setup steps for Graylog. The only downside was that you had to access the Graylog UI using an IP address and port number, without a verified SSL certificate.

In this guide, we'll look at how to configure an Nginx reverse proxy for Graylog with Letsencrypt SSL. This way you can use a domain or hostname with a verified SSL certificate.

Configure Graylog Nginx reverse proxy with Letsencrypt SSL

The first step is to install a Letsencrypt client such as certbot, which we'll use to request the certificate to be used by Graylog.

Install certbot-auto

# wget -P /usr/local/bin
# chmod a+x /usr/local/bin/certbot-auto

Open http and https ports on Firewall:

We'll use the http port to request the SSL certificate, so open it on the firewall along with https. If using ufw or iptables, substitute the commands here with the equivalent commands.

# firewall-cmd --add-service={http,https} --permanent
# firewall-cmd --reload

Request for SSL certificate

Request the Letsencrypt certificate using the certbot-auto command.

# export DOMAIN=`hostname -f`
# export EMAIL="[email protected]"
# certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http \
   --agree-tos -n -m "$EMAIL" --keep-until-expiring

This may take a while, since certbot-auto starts by bootstrapping dependencies, creating a Python virtual environment and installing Python packages into it, and only then generates the certificate. Wait until the command reports that the certificates were generated successfully.

A success message looks like this:

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
/etc/letsencrypt/live/ Your cert will expire on 2018-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:

Install and configure Nginx

Now we need to install and configure Nginx.

# yum -y install nginx        # CentOS
# apt-get install nginx       # Ubuntu 16.04, Debian 8/9

We’ll put nginx configuration for graylog under /etc/nginx/conf.d/graylog.conf. Replace with your graylog domain/subdomain name.

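server {
    listen 443 ssl;
    server_name graylog.example.com;   # placeholder: use your Graylog domain

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Needs a value: the public URL of the Graylog API
        proxy_set_header X-Graylog-Server-URL;
        # Replace ip-address with the address Graylog listens on
        proxy_pass http://ip-address:9000;
    }

    # Complete both paths with the file locations certbot printed for your domain
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Browsers honour HSTS only when it arrives over HTTPS, so it is set here
    add_header Strict-Transport-Security max-age=2592000;
    access_log /var/log/nginx/graylog.access.log;
    error_log /var/log/nginx/graylog.error.log;
}

# http to https redirection
server {
    listen 80;
    server_name graylog.example.com;   # placeholder: use your Graylog domain
    rewrite ^ https://$server_name$request_uri? permanent;
}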

Save the configuration and have nginx check that its syntax is valid.

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start and enable nginx service

Proceed to start and enable nginx service.

# systemctl start nginx
# systemctl enable nginx

Visiting the specified domain should now redirect you to https.
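To confirm this from the command line, the following added example (not part of the original guide) checks `curl -sI` output for a permanent redirect to https and for an HSTS header on the HTTPS response, since browsers ignore HSTS sent over plain http. The host graylog.example.com and the sample responses are constructed placeholders, and the function names are hypothetical; the 2592000-second threshold is the max-age from the nginx configuration.

```bash
#!/usr/bin/env bash
# Added example. Each check reads response headers (curl -sI output) on stdin.

# Constructed sample responses; graylog.example.com is a placeholder host.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://graylog.example.com/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=2592000'
SAMPLE_HTTP_BAD='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=2592000'

# Succeeds when the response is a permanent redirect (301/308) to an https:// URL.
check_redirect() {
    tr -d '\r' | awk '
        NR == 1 { perm = ($2 == 301 || $2 == 308) }
        tolower($1) == "location:" { https = (tolower($2) ~ /^https:\/\//) }
        END { exit !(perm && https) }'
}

# Succeeds when Strict-Transport-Security is present with max-age >= $1 seconds.
# Feed it the https:// response: the header has no effect when sent over http.
check_hsts() {
    tr -d '\r' | awk -v min="$1" '
        tolower($1) == "strict-transport-security:" &&
        match(tolower($0), /max-age=[0-9]+/) {
            age = substr($0, RSTART + 8, RLENGTH - 8)
            ok = (age + 0 >= min + 0)
        }
        END { exit !ok }'
}

# Live check against a deployed proxy, e.g.: verify_proxy graylog.example.com
verify_proxy() {
    curl -sI "http://$1/"  | check_redirect || { echo "FAIL: no https redirect"; return 1; }
    curl -sI "https://$1/" | check_hsts 2592000 || { echo "FAIL: HSTS missing or short"; return 1; }
    echo "OK: redirect and HSTS in place"
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_HTTP"     | check_redirect && echo "redirect: ok"
printf '%s\n' "$SAMPLE_HTTPS"    | check_hsts 2592000 && echo "hsts: ok"
printf '%s\n' "$SAMPLE_HTTP_BAD" | check_redirect || echo "no redirect: caught"
```

The third sample shows the failure case: a port-80 response that returns 200 with an HSTS header instead of redirecting is rejected by `check_redirect`.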

I hope this guide on configuring an Nginx reverse proxy for Graylog with Letsencrypt SSL worked for you. I'll cover Creating Streams, Inputs, and Dashboard in the coming tutorials.
