I have now for a while tried to set up graylog with https-only access.

I have followed the graylog documentation to the point and am now using 
the nginx solution to access graylog-web using https. This part works fine 
for me, but the problem is it is still accessible using http://fqdn:9000.

I then found I could disable http.port and enable https.port with access to 
the keystore like this in /etc/default/graylog-web:

# HTTP server settings.
GRAYLOG_WEB_HTTP_ADDRESS="0.0.0.0"
GRAYLOG_WEB_HTTP_PORT="8443"

# Might be used to adjust the Java heap size. (i.e. "-Xms1024m -Xmx2048m")
#GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks -Dhttps.port=8443 -Dhttps.keyStore=/etc/graylog/cert/cacerts.jks -Dhttps.keyStorePassword=changeit -Dhttp.port=disabled"
GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks"

# Pass some extra args to graylog-web. (i.e. "-d" to enable debug mode)
GRAYLOG_WEB_ARGS=""

# Program that will be used to wrap the graylog-web command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""

and in /etc/nginx/conf.d/graylog.conf I defined this:

server
{
    listen      443 ssl spdy;
    server_name fqdn;
    # <- your SSL Settings here!
    ssl_certificate     /etc/graylog/cert/graylog-cert.pem;
    ssl_certificate_key /etc/graylog/cert/graylog-key.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    #ssl_password_file  /etc/graylog/cert/graylog.pwd

    location /
    {
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        proxy_set_header    X-Graylog-Server-URL https://fqdn/api;
        proxy_pass          https://127.0.0.1:8443;
    }
}

This results in an nginx gateway error 502 when trying to access graylog in a 
browser.

How would I be able to get the https access solely without being able to 
access http://fqdn:9000 on the graylog-web?

BR.
René Jensen
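
Added example (not part of the original post and not Graylog project code): a small Python check run over a constructed copy of the active settings above, flagging a bind address that bypasses nginx, a proxy_pass scheme the backend does not speak on that port, and deprecated TLS versions. It assumes GRAYLOG_WEB_HTTP_ADDRESS and GRAYLOG_WEB_HTTP_PORT define graylog-web's plain-HTTP listener and that TLS on the backend is only enabled by -Dhttps.port; active_settings() and audit() are hypothetical helper names.

```python
import re

# Constructed from the active settings in the post (not the full files).
# Assumption: HTTP_ADDRESS/HTTP_PORT define graylog-web's plain-HTTP listener.
POSTED_DEFAULTS = '''
GRAYLOG_WEB_HTTP_ADDRESS="0.0.0.0"
GRAYLOG_WEB_HTTP_PORT="8443"
#GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=8443 -Dhttp.port=disabled"
GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks"
'''
POSTED_NGINX = '''
server {
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass          https://127.0.0.1:8443;
    }
}
'''

def active_settings(text):
    """Return KEY="value" assignments, skipping commented-out lines."""
    return dict(re.findall(r'^[ \t]*([A-Z_]+)="([^"]*)"', text, re.M))

def audit(defaults_text, nginx_text):
    """Return findings (list of str) for a graylog-web + nginx config pair."""
    cfg = active_settings(defaults_text)
    addr = cfg.get("GRAYLOG_WEB_HTTP_ADDRESS", "")
    plain_port = cfg.get("GRAYLOG_WEB_HTTP_PORT", "")
    tls = re.search(r"-Dhttps\.port=(\d+)", cfg.get("GRAYLOG_WEB_JAVA_OPTS", ""))
    tls_port = tls.group(1) if tls else None
    findings = []
    # A non-loopback bind lets clients reach graylog-web without going through nginx.
    if addr not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"bind: graylog-web listens on {addr}:{plain_port}, reachable without nginx")
    # The proxy_pass scheme has to match what the backend speaks on that port.
    for scheme, port in re.findall(r"^\s*proxy_pass\s+(https?)://[^:/\s;]+:(\d+)", nginx_text, re.M):
        expected = tls_port if scheme == "https" else plain_port
        if port != expected:
            findings.append(f"scheme: proxy_pass uses {scheme} on port {port}, backend has no {scheme} listener there")
    # TLS 1.0 and 1.1 are deprecated (RFC 8996).
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", nginx_text, re.M)
    old = [p for p in (m.group(1).split() if m else []) if p in ("TLSv1", "TLSv1.1")]
    if old:
        findings.append("tls: deprecated protocols enabled: " + " ".join(old))
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED_DEFAULTS, POSTED_NGINX):
        print(finding)
```

Under the same assumptions, a loopback bind address together with a proxy_pass that uses http:// on GRAYLOG_WEB_HTTP_PORT clears the first two findings.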
