I have installed the VMware appliance, downloaded from
http://docs.graylog.org/en/latest/pages/installation/virtual_machine_appliances.html
version 1.2.1
I have installed it and receiving logs works fine.
The problem I am having is when trying to enable HTTPS. This is a feature I 
see as standard when setting up a new server where users login.

So there seem to be two parts to this.
First create a java keystore. This I have done without problems.
The next part is where to actually change the port to 443, enable HTTPS, 
and define the keystore and its password.

I have looked at the following guide:
https://groups.google.com/forum/#!topic/graylog2/h9tgxGN8yoQ

Seems you need to edit the init script and modify the parameters:
-Dhttps.port=443
-Dhttps.keyStore="/opt/graylog2/key/graylog2.keystore"
-Dhttps.keyStorePassword="XXXXX"
-Dhttp.port=disabled

Now when I run: ps aux I can see that the 
process /opt/graylog/embedded/jre/bin/java is started by the user graylog, 
and it contains for example the parameter:
-Dhttp.port=9000
-Dhttp.address=0.0.0.0

But where is this process started from?
I checked /etc/init.d/ of course, but there is no graylog there.
root@HOSTNAME:/opt/graylog/conf# ls -l /etc/init.d/
total 156
-rwxr-xr-x 1 root root 4596 Apr 24 22:13 apparmor
-rwxr-xr-x 1 root root 1919 Jan 18  2011 console-setup
lrwxrwxrwx 1 root root   21 Sep 22 15:17 cron -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2813 Nov 25  2014 dbus
-rwxr-xr-x 1 root root 1217 Mar  7  2013 dns-clean
lrwxrwxrwx 1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1105 May 13 16:51 grub-common
-rwxr-xr-x 1 root root 1329 Mar 13  2014 halt
-rwxr-xr-x 1 root root 1864 Nov 12  2012 irqbalance
-rwxr-xr-x 1 root root 1293 Mar 13  2014 killprocs
-rwxr-xr-x 1 root root 1990 Jan 22  2013 kmod
-rwxr-xr-x 1 root root 4479 Mar 20  2014 networking
-rwxr-xr-x 1 root root 1818 Apr  3  2013 ntp
-rwxr-xr-x 1 root root 1346 Mar 13  2015 ondemand
-rwxr-xr-x 1 root root 1466 Mar 11  2014 open-vm-tools
-rwxr-xr-x 1 root root  561 Apr 21  2015 pppd-dns
-rwxr-xr-x 1 root root 1192 May 27  2013 procps
-rwxr-xr-x 1 root root 6120 Mar 13  2014 rc
-rwxr-xr-x 1 root root  782 Mar 13  2014 rc.local
-rwxr-xr-x 1 root root  117 Mar 13  2014 rcS
-rw-r--r-- 1 root root 2427 Mar 13  2014 README
-rwxr-xr-x 1 root root  639 Mar 13  2014 reboot
-rwxr-xr-x 1 root root 2918 Jun 13  2014 resolvconf
-rwxr-xr-x 1 root root 4395 Apr 17  2014 rsync
-rwxr-xr-x 1 root root 2913 Dec  4  2013 rsyslog
-rwxr-xr-x 1 root root 3920 Mar 13  2014 sendsigs
-rwxr-xr-x 1 root root  590 Mar 13  2014 single
-rw-r--r-- 1 root root 4290 Mar 13  2014 skeleton
-rwxr-xr-x 1 root root 4077 May  2  2014 ssh
-rwxr-xr-x 1 root root  731 Feb  5  2014 sudo
-rwxr-xr-x 1 root root 6173 Apr 14  2014 udev
-rwxr-xr-x 1 root root 2721 Mar 13  2014 umountfs
-rwxr-xr-x 1 root root 2260 Mar 13  2014 umountnfs.sh
-rwxr-xr-x 1 root root 1872 Mar 13  2014 umountroot
-rwxr-xr-x 1 root root 3111 Mar 13  2014 urandom
root@SRVSEOPSSYSLOG01:/opt/graylog/conf#

I have tried to grep for some of the parameters in all files in the 
filesystem.
I found some interesting files here:
/opt/graylog/sv/graylog-web/run
It had a line with:
exec chpst -P -U graylog -u graylog /opt/graylog/web/bin/graylog-web-interface -Dconfig.file=/opt/graylog/conf/graylog-web-interface.conf -Dhttp.port=9000 -Dhttp.address=0.0.0.0 -Dpidfile.path=/var/opt/graylog/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml
I changed this to 9001 and did:
graylogctl reconfigure
The port stays at 9000 and when I check the file again it has changed back 
to 9000. So this configuration must be in some other file.

Ok, so when running graylogctl reconfigure I noticed that it's running chef.
So eventually I found a folder called:
/opt/graylog/embedded/cookbooks/graylog/templates/default

In here was a file called sv-graylog-web-run.erb
With a line saying
exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%= node['graylog']['user']['username'] %> <%= @options[:install_directory] %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%= @options[:install_directory] %>/conf/graylog-web-interface.conf -Dhttp.port=<%= node['graylog']['graylog-web']['port'] %> -Dhttp.address=<%= @options[:bind_address] %> -Dpidfile.path=<%= node['graylog']['var_directory'] %>/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml

Ok so here we have some options. We can either overwrite it statically, or
understand where it gets the variables from.
Let's do it the easy way, so we change it to:
exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%= node['graylog']['user']['username'] %> <%= @options[:install_directory] %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%= @options[:install_directory] %>/conf/graylog-web-interface.conf -Dhttp.port=disabled -Dhttp.address=<%= @options[:bind_address] %> -Dhttps.port=443 -Dhttps.keyStore="/opt/graylog-key/KEYSTOREFILE" -Dhttps.keyStorePassword="PASSWORD" -Dpidfile.path=<%= node['graylog']['var_directory'] %>/web.pid -Dlogger.file=/opt/graylog/conf/web-logger.xml

then we run graylogctl reconfigure

Ok, partial success now. It replies on 443 but it has a standard
certificate with commonName "graylog". Strange.
Or well, I didn't actually try before I made the change. So I reverted the
configuration and did graylogctl reconfigure again.
Try HTTPS. Same as before, works but with a self-signed certificate.
Ok, so if I can find this certificate, then I could maybe replace it, or
where is this configured?

netstat -tulpn shows
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1855/nginx.conf
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1855/nginx.conf

So nothing is actually listening to port 9000? And we seem to come to the
same server regardless if we do port 9000, 80 or HTTPS on 443.
At least 80 and 443 seem to be handled by nginx.conf, so let's continue the
search there.

/opt/graylog/conf/nginx/nginx.conf

From the configuration it seems it's proxying 80 and 443 to localhost:9000
proxy_pass http://localhost:9000/;

So the mission is more clear

We now want to:
Disable port 80 on nginx
Only have port 9000 listen on localhost
Set a correct certificate on port 443 but in nginx

ssl on;
      ssl_certificate /opt/graylog/conf/nginx/ca/graylog.crt;
      ssl_certificate_key /opt/graylog/conf/nginx/ca/graylog.key;

Ok, so now we need to redo the SSL, since we do not use a java keystore 
here.
 openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Send the CSR file to the CA, and get a certificate back.
Now we have one keyfile and one certificate file, that we can replace the 
default ones with.
Files replaced. Now let's kill nginx and then run graylogctl reconfigure

root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
nginx: no process found

After running graylogctl reconfigure it works!

Now we need to get rid of port 9000 and port 80

I tried to change /opt/graylog/conf/nginx/nginx.conf directly but it was
overwritten by chef, so we need to find the correct cookbook and edit it
there.
Edit the
/opt/graylog/embedded/cookbooks/graylog/templates/default/nginx.conf.erb
and remove the if to enable the 301 redirect to HTTPS (don't forget the end
part).
Now the final thing is to make it stop listening on port 9000.
I tried to change the file:
/opt/graylog/embedded/cookbooks/graylog/templates/default/sv-graylog-web-run.erb
and set -Dhttp.address=127.0.0.1
But it still listened to port 9000 from the outside.

In the end I just did

iptables -A INPUT -p tcp -s localhost --dport 9000 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP


Sorry for the rant and the unstructured post, but maybe someone else can 
find useful information here.
Would be kind of nice if this information was in the documentation, but I
couldn't find any reference.
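
Added example (not part of the original post and not Graylog's own tooling): a shell check for whether a setting such as -Dhttp.address=127.0.0.1 actually took effect, by listing LISTEN sockets on chosen ports that are bound to a non-loopback address. It goes beyond the post's port 9000 case to any port list and to IPv6 binds, which the iptables rules above do not filter; the function name and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Audit `netstat -tln` / `netstat -tulpn` output for TCP listeners that should
# be loopback-only once nginx terminates TLS in front of the web interface.

# Constructed sample, shaped like the netstat output quoted in the post, for a
# host where the web interface is still bound to all interfaces on port 9000.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1855/nginx.conf
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1855/nginx.conf
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      2101/java
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1790/mongod
tcp6       0      0 :::9000                 :::*                    LISTEN      2101/java'

# exposed_listeners "PORT [PORT...]"   (hypothetical helper name)
# Reads netstat lines on stdin and prints "proto address port" for every
# LISTEN socket on a watched port whose bind address is not loopback.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        $6 == "LISTEN" {
            la = $4                       # local address, e.g. 0.0.0.0:9000
            port = la
            sub(/.*:/, "", port)          # keep what follows the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in watch)) next    # not a port we care about
            if (addr ~ /^127\./ || addr == "::1") next   # loopback bind is fine
            print $1, addr, port
        }'
}

# Stand-alone run against the constructed sample: flags 80 and 9000.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "80 9000"
```

On a live host the input would come from `netstat -tln | exposed_listeners "80 9000"`; it reports bind addresses only, so a port that iptables drops but that is still bound to 0.0.0.0 is still listed.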
