Welcome to our guide on how to Configure Graylog Nginx reverse proxy with Letsencrypt SSL. The last Graylog tutorial was Install Graylog 3 with on CentOS 7, which covered all the setup steps for Graylog. The only downside was that you had to access the Graylog UI using an IP address and port number, without a verified SSL certificate.

In this guide, we look at how to configure an Nginx reverse proxy for Graylog with a Letsencrypt SSL certificate. This way you can use a domain or hostname with a verified SSL certificate.

Configure Graylog Nginx reverse proxy with Letsencrypt SSL

The first step is to install a Letsencrypt client such as certbot, which we’ll use to request the certificate to be used by Graylog.

Install certbot-auto

Run the following commands to install the certbot tool.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/

Confirm installation by checking version:

$ certbot-auto --version

Open the http and https ports on the firewall:

We’ll use the http port to request the SSL certificate, so open it on the firewall along with https. If you use ufw or iptables, substitute the equivalent commands.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

Request the SSL certificate

Request the Letsencrypt certificate using the certbot-auto command.

export DOMAIN='graylog.mydomain.com'
export EMAIL="[email protected]"
sudo certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http \
 --agree-tos -n -m "$EMAIL" --keep-until-expiring

This may take a while, since certbot-auto first bootstraps its dependencies, creates a Python virtual environment and installs Python packages into it, and only then generates the certificate. Wait until the command reports that the certificate was generated successfully.

A success message looks like this:

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2018-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Install and configure Nginx

Now we need to install and configure Nginx.

sudo yum -y install nginx  # CentOS
sudo apt-get install nginx # Ubuntu / Debian

We’ll put the nginx configuration for Graylog in /etc/nginx/conf.d/graylog.conf. Replace domain.com with your Graylog domain/subdomain name.

server {
    # The ssl parameter on listen enables TLS; the separate "ssl on;" directive is deprecated
    listen 443 ssl;
    server_name domain.com www.domain.com;

    # Certificate and private key issued by certbot
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Browsers only honour HSTS when it arrives over HTTPS, so it is set here
    add_header Strict-Transport-Security max-age=2592000;

    access_log /var/log/nginx/graylog.access.log;
    error_log /var/log/nginx/graylog.error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://domain.com/api;
        # Graylog listener. 127.0.0.1 assumes Graylog runs on this host;
        # otherwise use the IP address of the Graylog server.
        proxy_pass http://127.0.0.1:9000;
    }
}

# http to https redirection
server {
    listen 80;
    server_name domain.com www.domain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}

Save the configuration and check with nginx if its syntax is valid.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start and enable nginx service

Proceed to start and enable nginx service.

sudo systemctl start nginx
sudo systemctl enable nginx

Visiting the specified domain should redirect you to https.
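
Let's Encrypt certificates are valid for 90 days, and the --standalone authenticator used above needs port 80, which nginx holds once it is running. The script below is an added example, not part of the original guide: it renews with nginx stopped only while the challenge is answered, then exits non-zero if the certificate on disk is still close to expiry. The script name, the CERT path default and ALERT_DAYS are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. DOMAIN, CERT and ALERT_DAYS are
# assumptions; point CERT at the certificate nginx actually serves.
DOMAIN="${DOMAIN:-graylog.mydomain.com}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
ALERT_DAYS="${ALERT_DAYS:-20}"   # below certbot's 30-day renewal window

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days until expiry (<= 0 if expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# expiring_soon NOT_AFTER_EPOCH NOW_EPOCH DAYS -> succeeds if fewer than DAYS remain
expiring_soon() {
    [ "$(days_left "$1" "$2")" -lt "$3" ]
}

# cert_not_after_epoch FILE -> expiry of a PEM certificate as a Unix timestamp
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    date -d "${end#notAfter=}" +%s   # GNU date (CentOS, Ubuntu, Debian)
}

renew_and_check() {
    # Stop nginx only while certbot answers the challenge on port 80. The
    # hooks run only when a certificate is actually due for renewal.
    certbot-auto renew --quiet \
        --pre-hook "systemctl stop nginx" \
        --post-hook "systemctl start nginx"

    # Check the result independently, so a failed renewal is noticed
    not_after=$(cert_not_after_epoch "$CERT") || {
        echo "cannot read $CERT" >&2; return 2; }
    now=$(date +%s)
    if expiring_soon "$not_after" "$now" "$ALERT_DAYS"; then
        echo "$DOMAIN: not renewed, $(days_left "$not_after" "$now") days left" >&2
        return 1
    fi
}

# Run from root's crontab as: renew-graylog-cert.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_and_check
fi
```

A non-zero exit from the cron job is the signal to investigate before browsers start rejecting the Graylog certificate.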


I hope this Configure Graylog Nginx reverse proxy with Letsencrypt SSL guide worked for you. I’ll cover creating Streams, Inputs, and Dashboards in the coming tutorials.
