Configure Graylog Nginx Reverse Proxy with Let's Encrypt SSL
Date: 2020-02-23 14:37:52 Source: igfitidea
Welcome to our guide on configuring a Graylog Nginx reverse proxy with Let's Encrypt SSL. The previous Graylog-related tutorial was how to install Graylog 3 on CentOS 7, and it covered all the setup steps for Graylog. Its one drawback was that we had to access the Graylog UI by IP address and port number, without a validated SSL certificate.
In this guide I'd like us to look at how to configure a Graylog Nginx reverse proxy with Let's Encrypt SSL. This lets us use a domain name or hostname together with a validated SSL certificate.
Configure Graylog Nginx reverse proxy with Let's Encrypt SSL
The first step is to install a Let's Encrypt client such as certbot; it is what we use to request the certificate that Graylog will be served with.
Install certbot-auto
Run the following commands to install the certbot tool. (Certbot has since deprecated the certbot-auto wrapper in favour of its snap and distribution packages; the certonly arguments used below apply unchanged to the plain certbot command.)
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/
Confirm the installation by checking the version:
$ certbot-auto --version
Open the HTTP and HTTPS ports on the firewall:
The certificate request is validated over the HTTP port and the Graylog UI will be served over HTTPS, so open both on the firewall. If you use ufw or iptables, substitute the equivalent commands here.
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
Request an SSL certificate
Use the certbot-auto command to request a Let's Encrypt certificate. With --standalone, certbot runs its own temporary web server on port 80 to answer the HTTP challenge, so nothing else (Nginx included) may be bound to that port while the command runs.
export DOMAIN='graylog.mydomain.com'
export EMAIL="theitroad@localhost"
sudo certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http \
  --agree-tos -n -m $EMAIL --keep-until-expiring
This may take a while, since it starts by bootstrapping dependencies, creating a Python virtual environment and installing Python packages into it, and only then generates the certificate. Wait until the command reports that the certificate was generated successfully.
A success message looks like this:
.....
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2016-06-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                  https://eff.org/donate-le
Install and configure Nginx
Now we need to install and configure Nginx.
sudo yum -y install nginx        # CentOS
sudo apt-get install nginx       # Ubuntu/Debian
Place the Nginx configuration for Graylog in /etc/nginx/conf.d/graylog.conf. Replace domain.com with your Graylog domain or subdomain; the certificate paths are the ones certbot printed above.
server {
    listen 443 ssl;
    server_name domain.com www.domain.com;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # public URL the Graylog web interface is reached under
        proxy_set_header X-Graylog-Server-URL https://domain.com/api;
        proxy_pass http://127.0.0.1:9000;
        # proxy_pass http://ip-address:9000;
    }

    # TLS is already enabled by "listen 443 ssl"; the old "ssl on;" directive is deprecated
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # browsers only honour HSTS when it arrives over HTTPS, so it belongs in this server block
    add_header Strict-Transport-Security max-age=2592000;

    access_log /var/log/nginx/graylog.access.log;
    error_log /var/log/nginx/graylog.error.log;
}

# http to https redirection
server {
    listen 80;
    server_name domain.com www.domain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
Save the configuration and check that its syntax is valid with nginx.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
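nginx -t only proves the file parses; it says nothing about whether the TLS settings are the ones you meant. As an added example (not part of the original guide and not a Graylog or Nginx tool), the following Python script parses a server configuration in the shape of the one above and reports what a reviewer would flag before exposing Graylog: legacy protocol versions in ssl_protocols, the deprecated ssl on; directive, a TLS server without a Strict-Transport-Security header, an HSTS header placed in the port-80 server (where browsers ignore it), a port-80 server that does not redirect to https, and a proxy_pass that sends the Graylog session unencrypted off the host. The embedded configuration is a constructed copy that deliberately keeps ssl on; and a port-80-only HSTS header so the checks have something to find; the parser is minimal and handles only the unquoted directive/block syntax this config uses.

```python
"""Added example: lint a Graylog reverse-proxy nginx config for the TLS settings the guide sets."""
import re
import sys

# Constructed sample in the shape of the guide's graylog.conf; it deliberately keeps
# "ssl on;" and an HSTS header that lives only in the port-80 server.
SAMPLE = """
server {
    listen 443 ssl;
    server_name domain.com www.domain.com;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Graylog-Server-URL https://domain.com/api;
        proxy_pass http://127.0.0.1:9000;
        # proxy_pass http://ip-address:9000;
    }
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name domain.com www.domain.com;
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^ https://$server_name$request_uri? permanent;
}
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def parse(text):
    """Minimal nginx parser: (name, args, children) tuples; children is None for simple
    directives. Handles only unquoted tokens, which is all this config uses."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            opener = tokens[pos]
            pos += 1
            items.append((words[0], words[1:], block() if opener == "{" else None))
        return items

    return block()


def walk(items):
    """Yield (name, args) for every directive, descending into nested blocks."""
    for name, args, children in items:
        yield name, args
        if children:
            yield from walk(children)


def lint_server(server):
    """Findings for one server block; an empty list means it passed."""
    findings = []
    directives = list(walk(server))
    is_tls = any("ssl" in args or args[0].startswith("443")
                 for name, args in directives if name == "listen" and args)
    has_hsts = any(name == "add_header" and args and args[0].lower() == "strict-transport-security"
                   for name, args in directives)
    if is_tls:
        for name, args in directives:
            if name == "ssl" and args == ["on"]:
                findings.append("'ssl on' is deprecated; 'listen 443 ssl' already enables TLS")
            elif name == "ssl_protocols" and set(args) & LEGACY:
                findings.append("legacy protocols enabled: " + " ".join(sorted(set(args) & LEGACY)))
            elif name == "proxy_pass":
                backend = re.sub(r"^\w+://", "", args[0]).rsplit(":", 1)[0]
                if backend not in LOOPBACK:
                    findings.append(f"proxy_pass {args[0]} leaves the host unencrypted; expected a loopback backend")
        for required in ("ssl_certificate", "ssl_certificate_key", "ssl_protocols"):
            if not any(name == required for name, _ in directives):
                findings.append(f"missing {required}")
        if not has_hsts:
            findings.append("no Strict-Transport-Security header in the TLS server block")
    else:
        redirects = any(name in ("return", "rewrite") and any(a.startswith("https://") for a in args)
                        for name, args in directives)
        if not redirects:
            findings.append("plain-HTTP server does not redirect to https")
        if has_hsts:
            findings.append("Strict-Transport-Security on port 80 is ignored by browsers; move it to the 443 server")
    return findings


def lint(text):
    """Lint every top-level server block, keyed by its first listen argument."""
    return {next((a[0] for n, a in walk(children) if n == "listen" and a), "?"): lint_server(children)
            for name, args, children in parse(text) if name == "server" and children is not None}


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for port, problems in lint(conf).items():
        print(f"server listening on {port}: " + ("; ".join(problems) or "ok"))
```

Run it with the path to graylog.conf as its only argument, or with no argument to lint the embedded sample. Comments are stripped before tokenising, so the commented-out proxy_pass line is not reported.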
Start and enable the Nginx service
Go ahead and start and enable the nginx service.
sudo systemctl start nginx
sudo systemctl enable nginx
Visiting the domain over plain http should now redirect us to https, where the Graylog UI is served behind the validated certificate.
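Rather than taking the browser's word for it, the result can be checked end to end. The following Python script is an added example, not part of the original guide: it contacts the proxy on port 80 and port 443, verifies that plain HTTP answers with a permanent redirect to https, that the HTTPS response carries Strict-Transport-Security with at least the 30-day max-age set above, that TLS 1.2 or newer was negotiated, and, from the certificate Nginx presents, how many days remain before certbot-auto renew is due (30 days is assumed as the warning threshold, matching certbot's own renewal window). Only the standard library is used; graylog.mydomain.com from the certbot step is merely the default hostname, and evaluate() is kept free of network calls so its rules can be exercised on constructed inputs.

```python
"""Added example: post-deployment checks for the Graylog reverse proxy (redirect, HSTS, TLS, expiry)."""
import http.client
import ssl
import sys
import time

RENEW_DAYS = 30      # assumed warning threshold; certbot renews once fewer than 30 days remain
MIN_HSTS = 2592000   # the 30-day max-age the guide's config sets


def check_redirect(status, headers, host):
    """True when the plain-HTTP answer is a permanent redirect to https://<host>."""
    location = headers.get("location", "")
    return status in (301, 308) and location.lower().startswith(f"https://{host.lower()}")


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None when the header is absent or unparsable."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def expiry_epoch(not_after):
    """Epoch seconds for a getpeercert()['notAfter'] string such as 'Jun 07 12:00:00 2016 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now=None):
    """Days left on the certificate; now defaults to the current time."""
    now = time.time() if now is None else now
    return (expiry_epoch(not_after) - now) / 86400


def evaluate(host, http_status, http_headers, https_headers, tls_version, not_after, now=None):
    """Turn raw observations into findings; an empty list means every check passed."""
    findings = []
    if not check_redirect(http_status, http_headers, host):
        findings.append(f"port 80 does not permanently redirect to https://{host}")
    max_age = hsts_max_age(https_headers)
    if max_age is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
    elif max_age < MIN_HSTS:
        findings.append(f"HSTS max-age {max_age} is below the guide's {MIN_HSTS}")
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}; expected TLSv1.2 or newer")
    days = days_until_expiry(not_after, now)
    if days < RENEW_DAYS:
        findings.append(f"certificate expires in {days:.0f} days; run certbot-auto renew")
    return findings


def probe(host, timeout=10):
    """Contact the live proxy on ports 80 and 443 and return evaluate()'s findings."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("HEAD", "/")
    resp = plain.getresponse()
    http_status = resp.status
    http_headers = {k.lower(): v for k, v in resp.getheaders()}
    plain.close()

    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    secure = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    secure.connect()
    tls_version = secure.sock.version()
    not_after = secure.sock.getpeercert()["notAfter"]
    secure.request("HEAD", "/")
    resp = secure.getresponse()
    https_headers = {k.lower(): v for k, v in resp.getheaders()}
    secure.close()
    return evaluate(host, http_status, http_headers, https_headers, tls_version, not_after)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "graylog.mydomain.com"  # hostname used in the guide
    problems = probe(target)
    print("\n".join(problems) if problems else f"{target}: redirect, HSTS, TLS and certificate checks passed")
    sys.exit(1 if problems else 0)
```

Because ssl.create_default_context() validates the chain, a certificate that is self-signed, expired or issued for a different name makes probe() raise rather than report, which is the behaviour you want from a check that runs from cron. A non-zero exit code on any finding lets the script double as a monitoring probe.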