Nginx Reverse Proxy

Nginx
NGINX can be configured as a reverse proxy in front of your Humio bunch .
For this exercise the proxy waiter will accept all request at http://example.com and expose Humio on http://example.com/internal/humio/ .
For this to work, the proxy must be set up to forward incoming requests with a localization starting with /internal/humio to the Humio server and Humio must be configured with a proxy prefix url /internal/humio. This is done by letting the proxy add the header X-Forwarded-Prefix.

Humio requires the proxy to add the header X-Forwarded-Prefix only when Humio is hosted at at a non-empty prefix .
frankincense hosting Humio at http://humio.example.com/ works without adding a header. An case shape snip for an NGINX localization ( a share of the sum NGINX shape required ) is :

humio

location /internal/humio {
  proxy_set_header    X-Forwarded-Prefix /internal/humio;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header    X-Real-IP $remote_addr;
  proxy_redirect      http:// https://;
  expires             off;

  # Following headers are important to establish a WebSocket connection to LSP (see below).
  proxy_set_header    Upgrade $http_upgrade;
  proxy_set_header    Connection "upgrade";
  proxy_http_version 1.1;
  proxy_set_header    Host $host;
  proxy_pass          http://localhost:8080;
}

If it is not feasible for you to add the header X-Forwarded-Prefix in your proxy, there is a fall-back solution : You can set PROXY_PREFIX_URL in your /home/humio/humio-config.env .
The proxy_read_timeout setting above may be excessively low for longer operations like exporting question results from large queries involving aggregate data. If you find requests like that are timing out after 25 seconds, then you should increase the proxy_read_timeout measure to accommodate what you need .
Humio implements a linguistic process Server Protocol ( LSP ) to provide better feedback within the User Interface when, for example, constructing a question in Humio. This communication is done through a WebSocket connection and requires some extra NGINX shape. The placement section should contain at least these directives :

humio

# Following headers are important to establish the WebSocket connection
proxy_set_header    Upgrade $http_upgrade;
proxy_set_header    Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header    Host $host;
proxy_pass          http://localhost:8080;

Below is an example for a cluster with multiple hosts :

humio

upstream humio-backends {
  zone humio 32000000;
  # Humio 1.2.10 to 1.12 only:
  # hash $hashkey consistent;
  server 10.0.2.1:8080 max_fails=0 fail_timeout=10s max_conns=256;
  server 10.0.2.2:8080 max_fails=0 fail_timeout=10s max_conns=256;
  server 10.0.2.3:8080 max_fails=0 fail_timeout=10s max_conns=256;
}

location /internal/humio {
  proxy_set_header    X-Forwarded-Prefix /internal/humio;
  proxy_set_header    X-Forwarded-Proto $scheme;
  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header    X-Real-IP $remote_addr;

  # Humio 1.2.10 to 1.12 only:
  # Use hash query hash from request when present, otherwise try to be random.
  # (nginx names all headers using lowercase with "_". The header is actually "Humio-Query-Session")
  #
  # set $hashkey "${connection} ${msec}";
  # if ($http_humio_query_session ~ .) {
  #   set $hashkey $http_humio_query_session;
  # }

  proxy_redirect      http:// https://;
  expires             off;

# Following headers are important to establish a WebSocket connection to LSP (see above).
proxy_set_header    Upgrade $http_upgrade;
proxy_set_header    Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header    Host $host;
proxy_pass          http://humio-backends;
}

If you ’ re not an NGINX technical then we recommend reading the doctor and trying out the configuration charming at nginxconfig which helps to generate a well structured and complete NGINX shape .

Adding TLS to NGINX using LetsEncrypt

If you turn on authentication in Humio we recommend that you besides run the Humio UI on TLS only and not on plain HTTP. This section shows an exercise of how to add TLS to the NGINX configuration above .
If you use a rearward proxy other than NGINX, please refer to the documentation for that proxy on how to enable TLS. The letsencrypt parts here will likely be the same careless of proxy, except possibly the command that need executing to get the proxy to reload the security files :

Configure NGINX to Redirect HTTP to HTTPS

It ’ second common to require an HTTPS connection quite than HTTP. If you are using NGINX this is quite comfortable to do, just add this server block to your configuration .

humio

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;
  return 301 https://$host$request_uri;
}

Configure NGINX to use LetsEncrypt Certificate

The follow snip sets up NGINX to use the certificate issued and renewed above and tells NGINX to use port 443 for TLS connections, and port 80 for plain HTTP connections. It serves the files from the “ ancestor ” directory required by letsencrypt for validating the ownership of the domains. On TLS all other requests are handled by the “ placement ” sections. On port 80 for homely HTTP, the config redirects all requests that do not start with “. ” to TLS .

humio

ssl_certificate /etc/letsencrypt/live/${FQDN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${FQDN}/privkey.pem;

ssl_protocols TLSv1.2;

server {
  ssl on;
  listen [::]:443;
  listen 443;
  server_name ${FQDN};

  # letsencrypt webroot:
  root /var/www/html;
  location ~ /.well-known {
    allow all;
  }
}

server {
  ssl off;
  listen [::]:80;
  listen 80;
  server_name ${FQDN};

  # letsencrypt webroot:
  root /var/www/html;
  location ~ /.well-known {
    allow all;
  }
  # Everything that does not start with ".", redir to https.
  location ~ /[^.] {
    return 301 https://\$server_name\$request_uri;
  }
}

Reload nginx

shell

systemctl reload nginx

eminence
Configuring TLS is complex and slowly to get amiss. Standards change and config files are complex. To work about this we recommend using the SSL Config Generator from Mozilla. This and nginxconfig help you choose the proper and most secure shape possible. It ’ second authoritative to besides put a recurring notice in your calendar to force a periodic review of these settings ; they change quite a bit over time .

Getting the initial certificate

Issue the certificate using letsencrypt. The letsencrypt servers must be able to lookup the name in DNS and get in allude with the server running the dominate for the march to succeed. ( If this is not potential for you, then see the letsencrypt documentation on how to issue certificates using TXT records, or other means of obtaining certificates )

shell

letsencrypt certonly -a webroot --webroot-path =/var/www/html -m  `` $ { YOUR_EMAIL } `` --agree-tos --domains  `` $ { FQDN  } ``

Auto-Renewal through letsencrypt

The following snip sets up a crontab entry that checks if the certificate needs refilling and renews it if needed. If the certificate is renewed, nginx gets reloaded to use the newly certificate. Using a elementary text editor, create a file in the /etc/cron.weekly/ directory—name it humio-letsencrypt and copy the follow lines into it :

shell

 # ! /bin/sh
letsencrypt renew -a webroot --webroot-path =/var/www/html -m  `` $ { YOUR_EMAIL } ``  & & systemctl reload nginx

You ’ ll have to replace ${YOUR_EMAIL} with your e-mail address. When you ’ re finished, save the file and use chmod to set the permissions to 755. The cron utility will then run this file once a workweek to review letsencrypt .

NGINX inside Docker

The above examples assume that NGINX was running as a plain systemd-controlled on the host organization. If you plan to run NGINX inside a Docker container, NGINX even needs to be able to read the certificate files. note that NGINX needs to start as solution inside the container in order to read the mount files. The indicate solution is to add the following to the Docker run dominate, keeping letsencrypt outside the stevedore container :

shell

-v /etc/letsencrypt:/etc/letsencrypt:ro

We suggest this in order to not loose the files that letsencrypt stores in /etc/letsencrypt as you have to start over and issue from strike if those files are lost. The refilling then needs to restart the stevedore container rather. Again, using a simple textbook editor program, create a file named humio-letsencrypt in the /etc/cron.weekly/ and copy these lines into it :

shell

 # ! /bin/sh
 # # Renewal for nginx wirh nginx inside a stevedore container :
letsencrypt renew -a webroot --webroot-path =/var/www/html -m  `` $ { YOUR_EMAIL } ``  & & docker restart your-nginx-container

Use chmod to set the permissions to 755 .

Adding TLS to NGINX using Certificate from Other Providers

beginning from the template for letsencrypt above, then edit the surveil lines :

shell

ssl_certificate /path/to/your/public_key_fullchain.pem ;
ssl_certificate_key /path/to/your/cert_private_key.pem ;

Troubleshooting

HTTP/1.0 requests must not have a collocate entity .
If you run into a site where Humio is logging an error similar to this

shell

HTTP/1.0 requests must not have a chunked entity

then the problem is likely that you ’ ve not specified proxy_http_version 1.1; in your location definition. This typically shows up when using a log shipper like Filebeat with compaction enabled, which uses chunked encoding. That requires HTTP/1.1 or HTTP/2.0 to work by rights with Humio .

Leave a Reply

Your email address will not be published.