topic Re: How to access splunk web interface behind Nginx in Security

How to access splunk web interface behind Nginx

barryv — Wed, 11 Aug 2010 21:46:26 GMT

Hi, I am new to both Nginx and Splunk. I am trying to setup splunk runing on a linux machine with Nginx. I tried multiple setup options for setting up a proxy_pass/upstream - but none seem to work.

I would like to set it so that mydomain.com/splunk would reach the splunk web management page.

Thanks!

Re: How to access splunk web interface behind Nginx

Johnvey — Thu, 12 Aug 2010 00:46:47 GMT

There are 2 parts to this. Let's say you want to proxy a Splunk instance at:

http://www.example.com/splunkserver

1) Configure Splunk's root endpoint

Splunkweb must be configured to use the same root endpoint as the fronting endpoint, which is /splunkserver in this example. Edit the web config (or create if it doesn't exist):

$SPLUNK_HOME/etc/system/local/web.conf

and add the following to the [settings] stanza:

root_endpoint = /splunkserver

Depending on how you configure your proxy server, you may also have to add:

tools.proxy.on = True

This setting is described in detail in the CherryPy docs.

Restart your Splunk server.

2) Setup your web/proxy server

You must configure your fronting proxy server to forward requests to a specific endpoint over to the Splunk server.

Re: How to access splunk web interface behind Nginx

alkamiadmin — Wed, 22 Apr 2015 15:55:40 GMT

The above information is, helpful, but is not specific to NGINX. I spent a few hours on this and got this working. I wanted to share as I'm both a fan of NGINX and Splunk. I am using NGINX v1.6.2 and Splunk (on Windows) v6.2.2

Your Site .conf file referenced in nginx.conf

server {
        listen <IP-Address-of-NGINX-For-Splunk>:80;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        location / {
        # Redirect to HTTPS
        return 301 https://$server_name$request_uri;
        }
}

server {
        listen <IP-Address-of-NGINX-For-Splunk>:443 ssl;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
     #Resolve HTTP Error 414 Request-URI-Too-Large
        large_client_header_buffers 6 16k;
     #Certificate & Key .PEM Format
        ssl_certificate /etc/ssl/<name-of-cert>.crt;
        ssl_certificate_key /etc/ssl/<name-of-key>.key;
     #PFS
        ssl_dhparam /etc/ssl/<name-of-DH-key>.dh;
     #HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
     #OSCP
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/alk-splunk02.oscp;
     #CIPHERS
        include sites.common;
        location / {
            proxy_pass_request_headers on;
            proxy_set_header x-real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $host;
            proxy_pass https://<IP-Address-of-Your-Splunk-Server>:8000;
        }
}

A+ Rating on SSL Labs provided you have a SHA256 Cert from trusted CA and intermediates provided inside .crt file
This is sites.common:

     #OSCP Stapling
        resolver <DNS-Server-IP-1-You-Want> <DNS-Server-IP-2-You-Want> valid=300s;
        resolver_timeout 5s;

     #Cipher Specification and Session Cache
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL';
        proxy_ssl_session_reuse off;