topic Re: Splunk URL redirect in Deployment Architecture

Splunk URL redirect

gnovak — Wed, 24 Oct 2012 19:45:16 GMT

I know this question appears to have been answered in here before but I'd like to know if this type of functionality will be available with the splunk 5.0 version.

My main search head is mybox1.domain.com:8000. I can access it by https://mybox1.domain.com:8000

I can also get here by typing in https://splunk.domain.com:8000

I'd like to have it where mybox1 or splunk.domain.com will always just show up as https://splunk.domain.com in a browser. This is only internal.

I know you can install a 3rd party webserver like apache, but is there any other way to do this OR is this possibly a new feature on 5.0?

Re: Splunk URL redirect

Ayn — Wed, 24 Oct 2012 19:58:02 GMT

Just change the splunkweb port to 443.

http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Changedefaultvalues#Change_network_ports

Re: Splunk URL redirect

gnovak — Wed, 24 Oct 2012 20:01:53 GMT

Encountered the following error while trying to update: In handler 'server-settings': Parameter httpport: TCP port 443 is not available

Re: Splunk URL redirect

gnovak — Wed, 24 Oct 2012 20:02:22 GMT

https in splunkweb is enabled too....

Re: Splunk URL redirect

bmacias84 — Wed, 24 Oct 2012 20:30:20 GMT

Is port 443 already bound? Long shot if you are running on Linux and Splunk is not running as root, ports under 1024 are restricted.

Re: Splunk URL redirect

gnovak — Wed, 24 Oct 2012 21:50:20 GMT

not running as root and i don't believe it's bound. So users should only have to type in splunk.domain.com and it will automatically go to https and they won't see the port it's using either...I believe I"ll have to redirect port 80 to 8000 as well? not sure never did this before...

Re: Splunk URL redirect

gnovak — Wed, 24 Oct 2012 21:50:39 GMT

am looking at apache as well for this....didn't know if this was something being built into newer version...

Re: Splunk URL redirect

sowings — Wed, 24 Oct 2012 22:10:58 GMT

The thing about showing "no port number" in the browser is a notational convenience which gets rid of those ports for standard HTTP (80) and standard HTTPS (443). You can provide them in either case, but if you don't provide a port, it'll pick one of the defaults depending upon which protocol you've specified. You're going through a lot of hoops just to avoid showing a port number in the browser's location bar. Considering that users will likely just bookmark this anyway, is it worth the effort?

(And if this effort is just to teach yourself a few things about Splunk and HTTP, etc, go for it!)

Re: Splunk URL redirect

bmacias84 — Wed, 24 Oct 2012 23:59:28 GMT

@gnovak, If I read your response Splunk is running as a non-root user, correct? I am no Linux expert (only enough to be dangerous), but ports 443 and 80 are under 1024 which are restricted ports can only be used by root unless specifly granted. Since you are not using root you will not be able blind/listen on those ports. Ignore this if you are not running Linux or your Splunk user started Splunk using su.

For this problem:



setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk

or

authbind # not sure of the syntax

Once the non-root user has been granted rights it should be as simple as Ayn post.

Other options: use netcat, xinetd or iptables port forwarding. Device level if are using a loadbalancer between your Splunk Search Heads and users have your LB do the translation for you.

Additional Reading:

why-are-the-first-1024-ports-restricted-to-the-root-user-only

pages-man7-capabilities

Re: Splunk URL redirect

gnovak — Thu, 25 Oct 2012 15:28:32 GMT

you are correct. Splunk is running as the Splunk user...

Re: Splunk URL redirect

tmcneely — Wed, 04 Nov 2015 23:15:01 GMT

Use iptables to redirect the port

iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8000

You probably want to save your iptables rules afterwards (which is OS dependent)

Re: Splunk URL redirect

thewer — Thu, 11 Oct 2018 07:22:32 GMT

As per this post (https://answers.splunk.com/answers/5037/using-setcap-to-allow-non-root-splunk-user-to-start-splunkweb-on-port-443.html) I could not get setcap to work:

setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk

Still wouldnt let me use 443 and when I manually changed it Splunk would not start.

setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunkd

caused LD_LIBRARY_PATH to not work giving

/opt/splunk/bin/splunkd: error while loading shared libraries: libjemalloc.so.2: cannot open shared object file: No such file or directory

So if you are not running as root (which I am not) then I don't think setcap will help.

I have had to use iptables redirection in the end, which on Ubuntu meant added the following to /etc/ufw/.before.rules:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 5514

and then allow the actual listening port through the firewall:

ufw allow from any to any port 8443
ufw allow from any to any port 5514