Securing Graylog with NGINX

by on under networking
3 minute read

Securing Graylog

Option 1 (Modifying the local nginx server on Graylog)

Create a password file for basic auth.

ubuntu@graylog:/etc/nginx/sites-enabled$ sudo vim /etc/nginx/.htpasswd

Add a .htpasswd user and password. In this case username is foo and password is bar.


Change default site on nginx.

ubuntu@graylog:/etc/nginx/sites-enabled$ sudo vim default

Should look like

server {
      listen 80;
      location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_request_headers on;
        proxy_connect_timeout 150;
        proxy_send_timeout 100;
        proxy_read_timeout 100;
        proxy_buffering off;
        client_max_body_size 8m;
        client_body_buffer_size 128k;
        expires off;
      error_page 502 /502.html;
      location  /502.html {

        # 2E0PGS changes
        location /sgelf {
                auth_basic "Restricted Area";
                auth_basic_user_file /etc/nginx/.htpasswd;

Restart the service

ubuntu@graylog:/etc/nginx/sites-enabled$ sudo service nginx restart

if you get errors check syslog.

Checking it (CURL)

Normal http gelf on port 12202

peter@desktop:~$ curl -X POST -H 'Content-Type: application/json' -d '{ "short_message": "A short message", "level": 5 }'

Checking http reverse proxy on port 80

peter@desktop:~$ curl -X POST -H 'Content-Type: application/json' -d '{ "short_message": "from sgelf", "level": 5 }'
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>

Try with auth now

peter@desktop:~$ curl -X POST -H 'Content-Type: application/json' -H "Authorization: Basic $(echo -n foo:bar | base64)" -d '{ "short_message": "from sgelf with pass", "level": 5 }'

Create a new site in sites-available named after your domain.

Add the following.

server {
        location / {
                auth_basic "Restricted Area";
                auth_basic_user_file /etc/nginx/.htpasswd;

Symlink that site into sites-enabled to enable it.

Remove default-site.

Add Let’s Encrypt SSL

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt install python-certbot-nginx

sudo certbot --nginx -d

Checking it (CURL)

peter@desktop:~$ curl -X POST -H 'Content-Type: application/json' -H "Authorization: Basic $(echo -n foo:bar | base64)" -d '{ "short_message": "https reverse basic auth proxy", "level": 5 }'

Library for C#

I wrote a C# library for Graylog which also supports reverse proxies: graylog-client


using System;
using System.Diagnostics;

namespace ConsoleApp4
    class Program
        static void Main(string[] args)
            Graylog.Client.GraylogClient graylogClient = new Graylog.Client.GraylogClient("", "", "foo", "bar");

            int i = 0;
            while (i <= 5)
                Stopwatch stopwatch = new Stopwatch();
                    graylogClient.Log("library", 3, "200ms test: " + i.ToString());
                catch (Exception ex)
                    Console.WriteLine("Exception caught: " + ex.ToString());
                Console.WriteLine("Time elapsed in ms: " + stopwatch.ElapsedMilliseconds);


I then suggest whitelisting this behind a firewall or using it across a VPN for added security.

comments powered by Disqus