I use Graylog to centrally capture and store many logfiles. The multi-tier solution based on Elasticsearch and MongoDB is awesome!
I also use Nginx a lot. In this case, I use it as reverse proxy to provide a secure access to Graylog. The web-frontend of Graylog works like a charm if you follow the instructions in the Graylog documentation here.
But the native API calls via the
Nginx reverse proxy never really worked with Graylog 4.x, at least not for me. The Developer tools of the browser (Chromium Edge) showed me a lot of 404 and the “real” URL of the backend. In my case that is http://127.0.0.1:9000
! The client is then not able to access the API or the API web-frontend (swagger).
I couldn’t find a solution on the Graylog end. So, I came up with this config for my Nginx reverse-proxy:
location / {
# Only Allow the Cloudflare Servers to use this URL (Not Scope)
include /etc/nginx/snippets/enatec_CloudFlareAllowlist.conf;
# Set some Default for Reverse Proxies (Not Scope)
include /etc/nginx/snippets/enatec_proxydefaults.conf;
# This is not required
add_header Front-End-Https on;
add_header Cache-Control "public, must-revalidate";
# Mostly the GrayLog defaults
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$server_name/;
proxy_pass http://127.0.0.1:9000;
# This is not required
proxy_http_version 1.1;
# We want do control the returned content/URLs
proxy_redirect off;
# Apply the Filter to every content the Backend returns
sub_filter_types *;
sub_filter_once off;
# Modify the Header (not required)
sub_filter_last_modified on;
# This is where we replace http://127.0.0.1:9000 with the called hostname
sub_filter "http://$proxy_host" "$scheme://$host:$server_port";
# Remove the Version string (optinal)
sub_filter "4.0.5+d95b909" "latest";
# Fix the Link (optional)
sub_filter "https://developers.helloreverb.com/swagger/" "https://swagger.io";
}
There is also a Gist available.
What this does:
- Use the Nginx
sub_filetr
functionality to rewrite the backend URL - Remove the fully API version and replace it with the word “latest” (optional)
- Repleace the Swagger Link (optional and nice to have)
In my case (above) I also limit the access to the well-known Cloudflare addresses! That has nothing to do with the functionality and is just an additional security layer for me.
It is not a full Site config! It’s just the location for the published Graylog. In my case it is a single node installation. You can have more than one node in your Graylog cluster (and you should, at least in production), but this makes the config easier to understand!