Splunk URL redirect
I know this question appears to have been answered in here before but I'd like to know if this type of functionality will be available with the splunk 5.0 version.
My main search head is mybox1.domain.com:8000. I can access it by https://mybox1.domain.com:8000
I can also get here by typing in https://splunk.domain.com:8000
I'd like to have it where mybox1 or splunk.domain.com will always just show up as https://splunk.domain.com in a browser. This is only internal.
I know you can install a 3rd party webserver like apache, but is there any other way to do this OR is this possibly a new feature on 5.0?
As per this post (https://answers.splunk.com/answers/5037/using-setcap-to-allow-non-root-splunk-user-to-start-splunkwe...) I could not get setcap to work:
setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk
Still wouldn't let me use 443 and when I manually changed it Splunk would not start.
setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunkd
caused LD_LIBRARY_PATH to not work, giving
/opt/splunk/bin/splunkd: error while loading shared libraries: libjemalloc.so.2: cannot open shared object file: No such file or directory
So if you are not running as root (which I am not) then I don't think setcap will help.
I have had to use iptables redirection in the end, which on Ubuntu meant adding the following to /etc/ufw/.before.rules:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 5514
and then allow the actual listening port through the firewall:
ufw allow from any to any port 8443
ufw allow from any to any port 5514
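
Added example, not part of the original post or of Splunk's or ufw's own tooling: a small audit of an iptables-restore style fragment like the one quoted above. It lists each privileged-to-unprivileged port redirect and checks that every table block is closed with COMMIT, which iptables-restore requires. The sample input is constructed from the rules in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an iptables-restore style fragment (such as the nat
# block quoted in the post above) before handing it to ufw.

# Constructed sample input: the rules from the post, closed with the COMMIT
# line that iptables-restore requires at the end of every table.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 5514
COMMIT
EOF
}

# Read rules on stdin; print "<proto> <public port> -> <listener port>"
# for every REDIRECT rule.
list_redirects() {
  awk '
    /-j REDIRECT/ {
      proto = dport = to = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-p")         proto = $(i + 1)
        if ($i == "--dport")    dport = $(i + 1)
        if ($i == "--to-ports") to    = $(i + 1)
      }
      if (dport != "" && to != "") print proto, dport, "->", to
    }'
}

# Read rules on stdin; succeed only if every "*table" block ends with COMMIT.
check_commit() {
  awk '
    /^\*/     { if (in_table) bad = 1; in_table = 1; next }
    /^COMMIT/ { in_table = 0; next }
    END       { exit (in_table || bad) }'
}

# Demo on the constructed sample.
sample_rules | list_redirects
if sample_rules | check_commit; then
  echo "every table is closed by COMMIT"
else
  echo "missing COMMIT: iptables-restore would reject this file" >&2
fi
```

PREROUTING is not traversed by locally generated packets, so connections made from the Splunk host itself to port 443 are not redirected by these rules. The listener ports (8443 and 5514 here) also stay directly reachable once they are allowed through the firewall.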
Use iptables to redirect the port
iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8000
You probably want to save your iptables rules afterwards (which is OS dependent)
@gnovak, if I read your response, Splunk is running as a non-root user, correct? I am no Linux expert (only enough to be dangerous), but ports 443 and 80 are under 1024, which are restricted ports that can only be used by root unless specifically granted. Since you are not using root you will not be able to bind/listen on those ports. Ignore this if you are not running Linux or your Splunk user started Splunk using su.
For this problem:
setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk
or
authbind # not sure of the syntax
Once the non-root user has been granted rights it should be as simple as Ayn's post.
Other options: use netcat, xinetd or iptables port forwarding. At the device level, if you are using a load balancer between your Splunk search heads and users, have your LB do the translation for you.
Additional Reading:
why-are-the-first-1024-ports-restricted-to-the-root-user-only
You are correct. Splunk is running as the Splunk user...
Just change the splunkweb port to 443.
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Changedefaultvalues#Change_network_ports

The thing about showing "no port number" in the browser is a notational convenience which gets rid of those ports for standard HTTP (80) and standard HTTPS (443). You can provide them in either case, but if you don't provide a port, it'll pick one of the defaults depending upon which protocol you've specified. You're going through a lot of hoops just to avoid showing a port number in the browser's location bar. Considering that users will likely just bookmark this anyway, is it worth the effort?
(And if this effort is just to teach yourself a few things about Splunk and HTTP, etc, go for it!)
Am looking at Apache as well for this... didn't know if this was something being built into a newer version...
Not running as root and I don't believe it's bound. So users should only have to type in splunk.domain.com and it will automatically go to https and they won't see the port it's using either... I believe I'll have to redirect port 80 to 8000 as well? Not sure, never did this before...
Is port 443 already bound? Long shot if you are running on Linux and Splunk is not running as root, ports under 1024 are restricted.
HTTPS in splunkweb is enabled too...
Encountered the following error while trying to update: In handler 'server-settings': Parameter httpport: TCP port 443 is not available
