topic Re: Splunk behind reverse proxy in Security

Splunk behind reverse proxy

abradanini — Fri, 02 Jul 2010 16:08:45 GMT

I have tried to configure a reverse proxy (using nginx) to Splunk but not work correctly. Splunk and proxy server are in the same machine. When accessing to Splunk by proxy the browser is redirectet to localhost:8000 and not work. Using the same proxy server to access other web services work fine. I have also setting the parameter tools.proxy.on to True but behavior not change. The problem was found on Linux and also Windows.

My Splunk version is the latest (4.1.3).

This is my web.conf (in etc/system/local)

 [settings]                                                            
    root_endpoint = /splunk                                               
    tools.proxy.on = True                                                 
    server.socket_host = 127.0.0.1

What's wrong? Thanks

Re: Splunk behind reverse proxy

cfergus — Thu, 08 Jul 2010 22:40:50 GMT

I would suspect that you want tools.proxy.on = False

Also, the root_endpoint says that splunk will be served from :8000/splunk. Exclude that parameter if that's not what you want.

I'd try hitting the URL http://myserver:8000/splunk

Re: Splunk behind reverse proxy

dave_at_seddon_ — Tue, 07 Dec 2010 11:40:34 GMT

Greetings,

We're using Splunk 4 (4.1.6 build 89596) and wanted to setup forward proxy, where the proxy is on a separate machine. Most of the other examples I found assumed the proxy and splunk run on the same server.

The main issue with doing this is that Splunk really wants to redirect the user directly to itself. The worst bit is that does the redirect using HTML, not any HTTP headers. (If it used HTTP headers, then Apache's mod_proxy could do the rewrite (Possibly the module mod_proxy_html can rewrite the HTML for you, but I haven't tried this). Dear splunk developers, it would be cool if you could fix the redirection method 🙂 ).

I found that when you set 'tools.proxy.on = True' then Splunk assumes that the Web/Proxy server is running locally on the same server as the Splunk. In this case, it keeps redirecting to 127.0.0.1. Therefore, if you are running a separate Web/Proxy server, then you do NOT want to set this (leave it blank, or set 'tools.proxy.on = false').

Our solution was to set /opt/splunk/etc/system/local/web.conf like this:

[settings]
root_endpoint = /splunk
httpport = 80

Then on the separate machine running Apache (we actually are using Apache with SSL) the lines we added to the existing mod_proxy configuration were:

ProxyPass /splunk http://10.0.0.10/splunk
ProxyPassReverse /splunk http://10.0.0.10/splunk

Enjoy!

Kind regards,

Dave Seddon

dave at seddon ca

Re: Splunk behind reverse proxy

tskinnerivsec — Fri, 21 Jun 2013 17:51:04 GMT

Have you tried using a Juniper SA device or a MAG as the reverse proxy? I am having a similar issue. Could someone assist with using the Juniper devices as the reverse proxy?

Re: Splunk behind reverse proxy

tskinnerivsec — Fri, 21 Jun 2013 18:16:37 GMT

I did just figure out how to use the Juniper Device as a reverse proxy. In addition to configuring the reverse proxy, I also had to create a custom headers rewriting policy that allowed custom headers to be written. If anyone else needs help with this configuration, give me a shout.