Hi,
The idea for SSL on the appliances is to use nginx for SSL termination.
To do this, just replace the certificate in /opt/graylog/conf/nginx/ca (in
case you don't want to use a self-signed cert).
Run sudo graylog-ctl enforce-ssl and sudo graylog-ctl reconfigure.

Afterwards, HTTP connections are forwarded to port 443 and port 9000 is not
reachable anymore. All connections should be encrypted.

Cheers,
Marius


On 23 October 2015 at 12:44, <jon...@gmail.com> wrote:

> I have installed the VMWare appliance, downloaded from
> http://docs.graylog.org/en/latest/pages/installation/virtual_machine_appliances.html
> version 1.2.1
> I have installed it and receiving logs works fine.
> The problem I am having is when trying to enable HTTPS. This is a feature
> I see as standard when setting up a new server where users log in.
>
> So there seems to be two parts to this.
> First create a Java keystore. This I have done without problems.
> The next part is where to actually change the port to 443, enable HTTPS,
> and define the keystore and its password.
>
> I have looked at the following guide:
> https://groups.google.com/forum/#!topic/graylog2/h9tgxGN8yoQ
>
> Seems you need to edit the init script and modify the parameters:
> * -Dhttps.port=443 *
> *-Dhttps.keyStore="/opt/graylog2/key/graylog2.keystore" *
> *-Dhttps.keyStorePassword="XXXXX" *
> *-Dhttp.port=disabled*
>
> Now when I run: ps aux I can see that the
> process /opt/graylog/embedded/jre/bin/java is started by the user graylog,
> and it contains for example the parameter:
> -Dhttp.port=9000
> -Dhttp.address=0.0.0.0
>
> But where is this process started from?
> I checked /etc/init.d/ of course, but there is no graylog there.
> root@HOSTNAME:/opt/graylog/conf# ls -l /etc/init.d/
> total 156
> -rwxr-xr-x 1 root root 4596 Apr 24 22:13 apparmor
> -rwxr-xr-x 1 root root 1919 Jan 18  2011 console-setup
> lrwxrwxrwx 1 root root   21 Sep 22 15:17 cron -> /lib/init/upstart-job
> -rwxr-xr-x 1 root root 2813 Nov 25  2014 dbus
> -rwxr-xr-x 1 root root 1217 Mar  7  2013 dns-clean
> lrwxrwxrwx 1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
> -rwxr-xr-x 1 root root 1105 May 13 16:51 grub-common
> -rwxr-xr-x 1 root root 1329 Mar 13  2014 halt
> -rwxr-xr-x 1 root root 1864 Nov 12  2012 irqbalance
> -rwxr-xr-x 1 root root 1293 Mar 13  2014 killprocs
> -rwxr-xr-x 1 root root 1990 Jan 22  2013 kmod
> -rwxr-xr-x 1 root root 4479 Mar 20  2014 networking
> -rwxr-xr-x 1 root root 1818 Apr  3  2013 ntp
> -rwxr-xr-x 1 root root 1346 Mar 13  2015 ondemand
> -rwxr-xr-x 1 root root 1466 Mar 11  2014 open-vm-tools
> -rwxr-xr-x 1 root root  561 Apr 21  2015 pppd-dns
> -rwxr-xr-x 1 root root 1192 May 27  2013 procps
> -rwxr-xr-x 1 root root 6120 Mar 13  2014 rc
> -rwxr-xr-x 1 root root  782 Mar 13  2014 rc.local
> -rwxr-xr-x 1 root root  117 Mar 13  2014 rcS
> -rw-r--r-- 1 root root 2427 Mar 13  2014 README
> -rwxr-xr-x 1 root root  639 Mar 13  2014 reboot
> -rwxr-xr-x 1 root root 2918 Jun 13  2014 resolvconf
> -rwxr-xr-x 1 root root 4395 Apr 17  2014 rsync
> -rwxr-xr-x 1 root root 2913 Dec  4  2013 rsyslog
> -rwxr-xr-x 1 root root 3920 Mar 13  2014 sendsigs
> -rwxr-xr-x 1 root root  590 Mar 13  2014 single
> -rw-r--r-- 1 root root 4290 Mar 13  2014 skeleton
> -rwxr-xr-x 1 root root 4077 May  2  2014 ssh
> -rwxr-xr-x 1 root root  731 Feb  5  2014 sudo
> -rwxr-xr-x 1 root root 6173 Apr 14  2014 udev
> -rwxr-xr-x 1 root root 2721 Mar 13  2014 umountfs
> -rwxr-xr-x 1 root root 2260 Mar 13  2014 umountnfs.sh
> -rwxr-xr-x 1 root root 1872 Mar 13  2014 umountroot
> -rwxr-xr-x 1 root root 3111 Mar 13  2014 urandom
> root@SRVSEOPSSYSLOG01:/opt/graylog/conf#
>
> I have tried to grep for some of the parameters in all files in the
> filesystem.
> I found some interesting files here:
> /opt/graylog/sv/graylog-web/run
> It had a line with:
> exec chpst -P -U graylog -u graylog
> /opt/graylog/web/bin/graylog-web-interface
> -Dconfig.file=/opt/graylog/conf/graylog-web-interface.conf -Dhttp.port=9000
> -Dhttp.address=0.0.0.0 -Dpidfile.path=/var/opt/graylog/web.pid
> -Dlogger.file=/opt/graylog/conf/web-logger.xml
> I changed this to 9001 and did:
> graylogctl reconfigure
> The port stays at 9000 and when I check the file again it has changed back
> to 9000. So this configuration must be in some other file.
>
> Ok, so when running graylogctl reconfigure I noticed that its running chef.
> So eventually I found a folder called:
> /opt/graylog/embedded/cookbooks/graylog/templates/default
>
> In here was a file called sv-graylog-web-run.erb
> With a line saying
> exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%=
> node['graylog']['user']['username'] %> <%= @options[:install_directory]
> %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%=
> @options[:install_directory] %>/conf/graylog-web-interface.conf
> -Dhttp.port=<%= node['graylog']['graylog-web']['port'] %>
> -Dhttp.address=<%= @options[:bind_address] %> -Dpidfile.path=<%=
> node['graylog']['var_directory'] %>/web.pid
> -Dlogger.file=/opt/graylog/conf/web-logger.xml
>
> OK, so here we have some options. We can either overwrite it statically, or
> understand where it gets the variables from.
> Let's do it the easy way, so we change it to:
> exec chpst -P -U <%= node['graylog']['user']['username'] %> -u <%=
> node['graylog']['user']['username'] %> <%= @options[:install_directory]
> %>/web/bin/<%= @options[:web_jar] %> -Dconfig.file=<%=
> @options[:install_directory] %>/conf/graylog-web-interface.conf
> -Dhttp.port=disabled -Dhttp.address=<%= @options[:bind_address] %>
>  -Dhttps.port=443 -Dhttps.keyStore="/opt/graylog-key/KEYSTOREFILE"
> -Dhttps.keyStorePassword="PASSWORD" -Dpidfile.path=<%=
> node['graylog']['var_directory'] %>/web.pid
> -Dlogger.file=/opt/graylog/conf/web-logger.xml
>
> then we run graylogctl reconfigure
>
> OK, partial success now. It replies on 443 but it has a standard
> certificate with commonName "graylog". Strange.
> Or well, I didn't actually try before I made the change. So I reverted the
> configuration and did graylogctl reconfigure again.
> Try HTTPS. Same as before: works, but with a self-signed certificate.
> OK, so if I can find this certificate, then I could maybe replace it, or
> where is this configured?
>
> netstat -tulpn shows
> tcp        0      0 0.0.0.0:443             0.0.0.0:*
> LISTEN      1855/nginx.conf
> tcp        0      0 0.0.0.0:80              0.0.0.0:*
> LISTEN      1855/nginx.conf
>
> So nothing is actually listening on port 9000? And we seem to come to the
> same server regardless of whether we use port 9000, 80 or HTTPS on 443.
> At least 80 and 443 seem to be handled by nginx.conf, so let's continue
> the search there.
>
> /opt/graylog/conf/nginx/nginx.conf
>
> From the configuration it seems it's proxying 80 and 443 to localhost:9000
> proxy_pass http://localhost:9000/;
>
> So the mission is clearer now.
>
> We now want to:
> Disable port 80 on nginx
> Only have port 9000 listen on localhost
> Set a correct certificate on port 443 but in nginx
>
> ssl on;
>       ssl_certificate /opt/graylog/conf/nginx/ca/graylog.crt;
>       ssl_certificate_key /opt/graylog/conf/nginx/ca/graylog.key;
>
> OK, so now we need to redo the SSL, since we do not use a Java keystore
> here.
>  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
> Send the CSR file to the CA, and get a certificate back.
> Now we have one key file and one certificate file, that we can replace the
> default ones with.
> Files replaced. Now let's kill nginx and then run graylogctl reconfigure
>
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> root@HOSTNAME:/opt/graylog/conf/nginx/ca# killall nginx
> nginx: no process found
>
> After running graylogctl reconfigure it works!
>
> Now we need to get rid of port 9000 and port 80
>
> I tried to change /opt/graylog/conf/nginx/nginx.conf directly but it was
> overwritten by chef, so we need to find the correct cookbook and edit it
> there.
> Edit
> /opt/graylog/embedded/cookbooks/graylog/templates/default/nginx.conf.erb
> and remove the if to enable the 301 redirect to HTTPS (don't forget the end
> part).
> Now the final thing is to make it stop listening on port 9000.
> I tried to change the file
> /opt/graylog/embedded/cookbooks/graylog/templates/default/sv-graylog-web-run.erb
> and set -Dhttp.address=127.0.0.1
> But it still listened on port 9000 from the outside.
>
> In the end I just did
>
> iptables -A INPUT -p tcp -s localhost --dport 9000 -j ACCEPT
> iptables -A INPUT -p tcp --dport 9000 -j DROP
>
>
> Sorry for the rant and the unstructured post, but maybe someone else can
> find useful information here.
> It would be kind of nice if this information was in the documentation, but I
> couldn't find any reference.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to graylog2+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/e096db9a-1cc4-422a-a6fe-25ff431feeb5%40googlegroups.com
> <https://groups.google.com/d/msgid/graylog2/e096db9a-1cc4-422a-a6fe-25ff431feeb5%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Steckelhörn 11
20457 Hamburg
Germany

https://www.graylog.com <https://www.torch.sh/>

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAMqbBb%2BGDGdO_Lnu4sRVmLsFW6ncaN4-LQbPAhcdo4K8gwRGow%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
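The setup the thread converges on (nginx terminating TLS on 443, port 80 only redirecting, the web interface reached over loopback on 9000, and iptables as the fallback for locking 9000 down) as one runnable script. This is an added example, not code from the original post, from Marius's reply, or from the Graylog appliance cookbook. It assumes the certificate paths under /opt/graylog/conf/nginx/ca used in the thread and a hypothetical hostname graylog.example.com; since the appliance's chef run rewrites nginx.conf on reconfigure, the generated server blocks are the content to carry into nginx.conf.erb rather than a file to drop in place. The self-signed certificate function is only a stand-in while waiting for the CA.

```shell
#!/bin/sh
# Added example (not from Graylog or the original post). Assumed paths and the
# hostname graylog.example.com are placeholders.
set -eu

# 1. Private key + CSR to hand to the CA: the openssl line from the post with the
#    subject filled in so it runs non-interactively. Only the CSR leaves the box.
make_csr() {            # make_csr <dir> <fqdn>
  openssl req -newkey rsa:2048 -nodes -keyout "$1/graylog.key" \
    -out "$1/graylog.csr" -subj "/CN=$2" 2>/dev/null
  chmod 600 "$1/graylog.key"
}

# Self-signed stand-in (30 days) while waiting for the CA-signed certificate.
make_self_signed() {    # make_self_signed <dir> <fqdn>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1/graylog.key" \
    -out "$1/graylog.crt" -subj "/CN=$2" 2>/dev/null
  chmod 600 "$1/graylog.key"
}

# 2. Check before restarting nginx: the certificate the CA returned must belong
#    to the key on disk. A mismatch is the usual reason nginx refuses to start
#    after "files replaced". Comparing public keys works for RSA and EC alike.
cert_matches_key() {    # cert_matches_key <crt> <key>
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# 3. nginx server blocks: port 80 only redirects, port 443 terminates TLS and
#    proxies to the web interface on loopback. `listen 443 ssl;` replaces the
#    deprecated `ssl on;`; TLSv1.0/1.1 are left out; HSTS tells browsers to
#    stop trying port 80 at all. Add TLSv1.3 where the nginx build supports it.
write_nginx_conf() {    # write_nginx_conf <outfile> <fqdn>
  cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $2;

    ssl_certificate     /opt/graylog/conf/nginx/ca/graylog.crt;
    ssl_certificate_key /opt/graylog/conf/nginx/ca/graylog.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:9000/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# 4. The iptables fallback from the post. Rule order decides the outcome, so both
#    rules are inserted at position 1 (DROP first, then ACCEPT above it), which
#    also beats any earlier ACCEPT-all rule; -i lo matches loopback regardless of
#    what "localhost" resolves to. Printed rather than applied so this runs
#    unprivileged; pipe into sh as root. These rules do not survive a reboot
#    unless saved (iptables-save/iptables-restore or the appliance's own means).
print_iptables_rules() {
  printf '%s\n' \
    'iptables -I INPUT 1 -p tcp --dport 9000 -j DROP' \
    'iptables -I INPUT 1 -i lo -p tcp --dport 9000 -j ACCEPT'
}

# Usage (as root on the appliance):
#   make_csr /opt/graylog/conf/nginx/ca graylog.example.com   # send graylog.csr to the CA
#   cert_matches_key /opt/graylog/conf/nginx/ca/graylog.crt /opt/graylog/conf/nginx/ca/graylog.key
#   write_nginx_conf /tmp/graylog-nginx.conf graylog.example.com  # merge into nginx.conf.erb
#   print_iptables_rules | sh
```

Run the key check before `graylog-ctl reconfigure` rather than after: a certificate that does not match the key, or a chain file pasted in the wrong order, leaves nginx down on both 80 and 443 once the old process is killed.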
