topic Re: port forwarding for web interface in Security

port forwarding for web interface

RobertRi — Mon, 07 Jan 2013 14:20:26 GMT

This is not really a splunk question but maybe someone has an useful hint for me to solve my problem.
We run a Redhat Splunk AllInOne server with SSL Webaccess on Port 8999
https://server1.comp.my:8999

Now I got a DNS alias for splunk.comp.my which resolves to serve1.comp.my.

If I now enter splunk.comp.my in InternetExplorer, it should take me to my server but not on port 8999.

Is there a possibility in splunk to redirect incomming requests from http:port80 to https:8999?

Or can I use any redhat specific tools to to so?

Thanks for your help

Robert

Re: port forwarding for web interface

Drainy — Mon, 07 Jan 2013 14:28:30 GMT

You can do it with IPTables, a quick Google threw up this;
http://forum.slicehost.com/index.php?p=/discussion/2497/iptables-redirect-port-80-to-port-8080/p1

Looks like the command you need 🙂

Re: port forwarding for web interface

RobertRi — Mon, 07 Jan 2013 14:32:26 GMT

Thanks, I found a similar answer after googling before, but at this moment I'm not really firm with that tool.

Re: port forwarding for web interface

RobertRi — Mon, 07 Jan 2013 14:39:07 GMT

Another thing is if I only redirect the port from 80 to 8999, what about the http to https ?

Re: port forwarding for web interface

Drainy — Mon, 07 Jan 2013 15:34:22 GMT

Ah, I missed that. It becomes a little more complex when you want to do that, from memory I believe the only way is to run a separate apache server with a certain module enabled. Someone with experience of this might post a better answer 🙂

Re: port forwarding for web interface

yannK — Mon, 07 Jan 2013 17:00:30 GMT

easy way, setup apache and put a web page on the http://.. that tells the users to click to https://
or setup a .htaccess redirector to make it automatic.

Re: port forwarding for web interface

tpederson — Mon, 10 Mar 2014 21:58:26 GMT

I just got done setting this up, so I'll post my full SSL setup. It might be a little more than needed, but this is the first Google result I saw for multiple Splunk SSL searches. So, use as much or as little as you like, and lets hope it helps some other poor schlub like myself. 🙂

This was done on a Red Hat system. Since linux considers ports under 1024 sacred, you need to use a higher port when running as a non-root user. Otherwise, you have to run Splunk as root, which is a NO NO. In order to fix that, I used iptables and redirected from 8443 to 443. So, some commands are Red Hat specific, but usually it's pretty easy to Google the distro specific method.

Setup Splunk to run using SSL with Apache redirects

1) Transfer your cert and private key files to ${SPLUNK_HOME}/etc/auth/splunkweb/. They have to be in PEM format. Make note of the file names for the next step.

2) Edit /opt/splunk/etc/system/local/web.conf replace any lines with the ones below:

[settings]
enableSplunkWebSSL = 1
httpport = 8443
privKeyPath = etc/auth/splunkweb/${splunkPrivateKeyFile}
caCertPath = etc/auth/splunkweb/${splunkCertificateFile}

Obviously, you can use whatever SSL port you want. Don't forget to substitute the key and cert filenames too. Finally, that's not a typo, the paths are relative to ${SPLUNK_HOME}.

3) Use IP tables to redirect port 8443 to 443

I think the method to permanently save your iptables lines differs for other distros. So, do some googling if you're not using Red Hat.

iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
/sbin/service iptables save

4) Setup an Apache redirect for common ports

This might be overkill, but I started my two Splunk servers on the default port (8000). So, having a bunch of people thinking Splunk is down, or having to help them update bookmarks sounded like a drag. So, since an Apache redirect is so easy, I just took anyone going to port 8000 and shot them over to port 443. I also included port 80 just because I could. If you have something running on port 80, just remove that VirtualHost.

Make a new conf file in your apache dir, I called mine: /etc/httpd/conf.d/splunkRedirect.conf

Put this in that file:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName splunk.integral7.com
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>

Listen 8000
NameVirtualHost *:8000
<VirtualHost *:8000>
ServerName splunk.integral7.com
RewriteEngine On
RewriteCond %{SERVER_PORT} ^8000$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>

5) Restart Splunk, then Apache

The order is important here, you need Splunk to let go of port 8000 so Apache can grab it for the redirect.

service splunk restart
service httpd restart

And, you're done! Since the redirect is done using mod_rewrite, any bookmarked pages should work the same, but use HTTPS instead of HTTP.