Thanks, Jochen, for the clarification,
but still no clue on how one secures REST with Docker / VM / AWS ... setups.

Quoting the documentation 
<http://docs.graylog.org/en/2.0/pages/configuring_webif.html#https-setup>:

> We highly recommend securing your Graylog installation using SSL/TLS to 
> make sure that no sensitive data is sent over the wire in plain text. To 
> make this work, you need to do two things:
>
>
>    - Enable TLS for the Graylog REST API (rest_enable_tls)
>    - Enable TLS for the web interface endpoint (web_enable_tls)
>
> You also need to make sure that you have proper certificates in place, 
> which are valid and trusted by the clients. Not enabling TLS for either one 
> of them will result in a browser error about mixed content and the web 
> interface will cease to work.
>

It is obvious that this is highly recommended for production setups, which 
we want to follow.

Perhaps clarity needs to be added to mention that it's not applicable to 
all environments.


Furthermore, the graylog-ctl script documentation can benefit from a 
mention of security in the Production Readiness 
<http://docs.graylog.org/en/2.0/pages/installation/graylog_ctl.html#production-readiness>
section and hopefully one day some details and examples on how to achieve 
that.


Thanks


> Production readiness 
>
> You can use the Graylog appliances (OVA, Docker, AWS, ...) for small 
> production setups but please consider to harden the security of the box 
> before.
>
>
>    - Set another password for the default ubuntu user
>    - Disable remote password logins in /etc/ssh/sshd_config and deploy 
>    proper ssh keys
>    - Separate the box network-wise from the outside, otherwise 
>    Elasticsearch can be reached by anyone
>
> If you want to create your own customised setup take a look at our other 
> installation methods 
> <http://docs.graylog.org/en/2.0/pages/installation.html#installing>.
>




On Monday, June 13, 2016 at 3:32:53 AM UTC-4, Jochen Schalanda wrote:
>
> Hi,
>
> On Monday, 13 June 2016 02:54:55 UTC+2, 123Dev wrote:
>>
>> *graylog-ctl enforce-ssl* is not setting the REST transport on HTTPS
>>
>> In our case API browser is on: http://10.20.1.229:12900/api-browser and 
>> is accessible
>> If I try to check if it is also accessible on SSL, 
>> https://10.20.1.229:12900/api-browser *it fails*
>>
>> Would be nice if *enforce-ssl* would set this correctly?
>>
>
> That's completely correct as it is. The official virtual machine and 
> Docker images are using nginx for TLS (HTTPS) termination and not Graylog 
> itself.
>
> Cheers,
> Jochen
>
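
The flag combinations named in the quoted documentation, checked mechanically; this is an added example, not part of the original message and not Graylog's own code. It assumes a `key = value` style server.conf, treats an absent flag as disabled, and uses hypothetical function names (`parse_conf`, `audit_tls`) and a constructed sample file.

```python
# Added example: audit the two TLS flags the quoted documentation names.
# SAMPLE_CONF is constructed for illustration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample server.conf fragment
rest_listen_uri = http://0.0.0.0:12900/
rest_enable_tls = false
web_enable_tls = true
"""

TLS_FLAGS = ("rest_enable_tls", "web_enable_tls")


def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_tls(settings):
    """Return (status, message) for the REST/web TLS flag combination."""
    # Assumption: a flag missing from the file counts as disabled.
    enabled = {f: settings.get(f, "false").lower() == "true" for f in TLS_FLAGS}
    if all(enabled.values()):
        return ("ok", "TLS enabled on both the REST API and the web interface")
    if any(enabled.values()):
        off = [f for f, on in enabled.items() if not on]
        return ("mixed", "only one side uses TLS; browsers will block mixed "
                "content until %s is also enabled" % ", ".join(off))
    return ("plaintext", "Graylog serves plain HTTP; TLS must be terminated by "
            "a proxy in front of it and the plain ports kept off the network")


if __name__ == "__main__":
    status, message = audit_tls(parse_conf(SAMPLE_CONF))
    print(status + ": " + message)
```

A `plaintext` result is the expected state on the appliance images discussed in this thread, where nginx rather than Graylog terminates TLS.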
