Setup Graylog Behind Apache Reverse Proxy

Setup Apache to reverse proxy to Graylog with SSL redirect

Last Updated: 
2020/02/12

Graylog is one of the tools we often use for basic, centralized logging. It has limitations and without deep analysis or review tools it is not well suited to high-security scenarios - but for what it is meant for, its a great solution.

Graylog is a JAVA based web application which uses Elasticsearch for the heavy data storage and Mongo DB for parameters and operational elements.

As most JAVA web applications, it is compiled into jar files for execution via JVM and can be difficult to customize, edit or configure for simple changes - such as enabling SSL. For a single server deployment you can easily configure Graylog behind an Apache or NGINX web server reverse proxy. External connections will be made to the web server which will, in-turn, connect to Graylog and return the data as if coming from Apache or NGINX web server.

Here are the basic steps to setup and configure Graylog access via Apache reverse proxy on CentOS 7 with SSL and SSL redirection...

[This assumes you already have a CentOS 7 base install with Graylog setup and working on port 9000]

# First install the needed components - Apache and SSL
yum install mod_ssl openssl
yum install httpd

# Make sure to add the required firewall rules for firewalld, if you haven't already
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=12900/tcp
firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-port=5140/tcp
firewall-cmd --reload

# Create an Apache conf file for SSL redirection of port 80 to 443 and for the reverse proxy on port 443

<VirtualHost *:80>
ServerName graylog
ServerAlias graylog.yourdomain.com
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName graylog
ServerAlias graylog.yourdomain.com
ProxyRequests Off
SSLEngine on
# Note: SSL settings only need to be defined once!
SSLCertificateFile /etc/pki/tls/certs/certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
SSLCACertificateFile /etc/pki/tls/certs/cachain.cer
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
RequestHeader set X-Graylog-Server-URL "https://graylog.yourdomain.com/"
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
</Location>
</VirtualHost>

# If you previously had Graylog working directly on port 9000, make sure to change the GRAYLOG conf file to connect to localhost IP (127.0.0.1) again. On CentOS 7 the Graylog config file is in the directory /etc/graylog/server/server.conf.

You can simply comment out the "http_bind_address" line which will result in Graylog using the default setting of 127.0.0.1 localhost loopback address.

http_bind_address = 192.168.XX.XX:9000  -> #http_bind_address = 192.168.XX.XX:9000

# Restart Graylog
systemctl restart graylog-server

# Then restart Apache
systemctl restart httpd

Sitemap | Tech Articles | Cordeos News | Tech Notes | IT Support Jobs