I have now for a while tried to set up Graylog with HTTPS-only access.
I have followed the Graylog documentation to the point and am now using
the nginx solution to access graylog-web using https. This part works fine
for me, but the problem is that it is still accessible using http://fqdn:9000.
I then found that I could disable http.port and enable https.port with access
to the keystore like this in /etc/default/graylog-web:
# HTTP server settings.
GRAYLOG_WEB_HTTP_ADDRESS="0.0.0.0"
GRAYLOG_WEB_HTTP_PORT="8443"
# Might be used to adjust the Java heap size. (i.e. "-Xms1024m -Xmx2048m")
#GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks -Dhttps.port=8443 -Dhttps.keyStore=/etc/graylog/cert/cacerts.jks -Dhttps.keyStorePassword=changeit -Dhttp.port=disabled"
GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks"
# Pass some extra args to graylog-web. (i.e. "-d" to enable debug mode)
GRAYLOG_WEB_ARGS=""
# Program that will be used to wrap the graylog-web command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""
and in /etc/nginx/conf.d/graylog.conf I defined this:
server
{
    listen 443 ssl spdy;
    server_name fqdn;
    # <- your SSL Settings here!
    ssl_certificate /etc/graylog/cert/graylog-cert.pem;
    ssl_certificate_key /etc/graylog/cert/graylog-key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_password_file /etc/graylog/cert/graylog.pwd
    location /
    {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Graylog-Server-URL https://fqdn/api;
        proxy_pass https://127.0.0.1:8443;
    }
}
This results in an nginx gateway error 502 when trying to access Graylog in a
browser.
How would I be able to get the https access solely without being able to
access http://fqdn:9000 on the graylog-web?
BR.
René Jensen
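
Added example, not part of the original message and not Graylog's own tooling: a small Python check over constructed copies of the two files quoted above. It flags a web interface bound to a non-loopback address and a proxy_pass scheme that differs from what the backend port serves, assuming that only a port named by -Dhttps.port in the active GRAYLOG_WEB_JAVA_OPTS line serves TLS; the function names and the loopback comparison config are hypothetical.

```python
import re

# Constructed from the active and commented lines quoted in the post.
POST_DEFAULTS = '''GRAYLOG_WEB_HTTP_ADDRESS="0.0.0.0"
GRAYLOG_WEB_HTTP_PORT="8443"
#GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=8443 -Dhttp.port=disabled"
GRAYLOG_WEB_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/graylog/cert/cacerts.jks"
'''
POST_NGINX = '''listen 443 ssl spdy;
proxy_pass https://127.0.0.1:8443;
'''
# Constructed comparison: loopback-only plain-HTTP backend behind the TLS proxy.
LOOPBACK_DEFAULTS = '''GRAYLOG_WEB_HTTP_ADDRESS="127.0.0.1"
GRAYLOG_WEB_HTTP_PORT="9000"
'''
LOOPBACK_NGINX = '''listen 443 ssl;
proxy_pass http://127.0.0.1:9000;
'''
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_defaults(text):
    """Return KEY -> value for uncommented KEY="value" lines."""
    return dict(re.findall(r'^\s*([A-Z_]+)="([^"\n]*)"', text, re.M))

def audit(defaults_text, nginx_text):
    """Return (code, detail) findings for the two config files."""
    env = parse_defaults(defaults_text)
    # Assumption: only ports named by -Dhttps.port in the active JAVA_OPTS speak TLS.
    opts = env.get("GRAYLOG_WEB_JAVA_OPTS", "")
    tls_ports = set(re.findall(r"-Dhttps\.port=(\d+)", opts))
    findings = []
    addr = env.get("GRAYLOG_WEB_HTTP_ADDRESS", "")
    if addr not in LOOPBACK:  # a missing value is treated as not loopback
        findings.append(("exposed",
                         f"backend binds {addr or 'unset'}; reachable without nginx"))
    upstreams = re.findall(r"^\s*proxy_pass\s+(https?)://[^:/;\s]+:(\d+)",
                           nginx_text, re.M)
    for scheme, port in upstreams:
        backend = "https" if port in tls_ports else "http"
        if scheme != backend:
            findings.append(("scheme-mismatch",
                             f"proxy_pass uses {scheme} but port {port} serves {backend}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("post", (POST_DEFAULTS, POST_NGINX)),
                      ("loopback", (LOOPBACK_DEFAULTS, LOOPBACK_NGINX))):
        print(name, audit(*cfg) or "no findings")
```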