Deployment Architecture

Splunk URL redirect

gnovak
Builder

I know this question appears to have been answered in here before, but I'd like to know if this type of functionality will be available with the Splunk 5.0 version.

My main search head is mybox1.domain.com:8000. I can access it by https://mybox1.domain.com:8000

I can also get here by typing in https://splunk.domain.com:8000

I'd like to have it where mybox1 or splunk.domain.com will always just show up as https://splunk.domain.com in a browser. This is only internal.

I know you can install a 3rd-party web server like Apache, but is there any other way to do this OR is this possibly a new feature in 5.0?

thewer
Explorer

As per this post (https://answers.splunk.com/answers/5037/using-setcap-to-allow-non-root-splunk-user-to-start-splunkwe...) I could not get setcap to work:

setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk

Still wouldn't let me use 443, and when I manually changed it Splunk would not start.

setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunkd

caused LD_LIBRARY_PATH to not work giving

/opt/splunk/bin/splunkd: error while loading shared libraries: libjemalloc.so.2: cannot open shared object file: No such file or directory

So if you are not running as root (which I am not) then I don't think setcap will help.

I have had to use iptables redirection in the end, which on Ubuntu meant adding the following to /etc/ufw/.before.rules:

*nat
:PREROUTING ACCEPT [0:0]
# Redirect inbound 443 and 514 to the unprivileged listening ports
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 5514
COMMIT

and then allow the actual listening port through the firewall:

ufw allow from any to any port 8443
ufw allow from any to any port 5514
0 Karma
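
An added example (not part of the post above, and not Splunk or ufw tooling): a small Python check for an iptables-restore style NAT fragment like the one in this answer. It lists each REDIRECT mapping and flags a table with no closing COMMIT line or a redirect whose target is itself a privileged port. The function name and both sample rule sets are constructed for illustration.

```python
import shlex

PRIVILEGED_MAX = 1023  # binding ports 1-1023 needs root or CAP_NET_BIND_SERVICE

# Constructed samples in iptables-restore format (the format ufw's rules files use).
GOOD = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 5514
COMMIT
"""
BAD = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -i lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
"""

def audit_nat_redirects(rules_text):
    """Return (redirects, problems) for the nat REDIRECT rules in rules_text."""
    redirects, problems, table = [], [], None
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#:":
            continue  # blank line, comment, or chain policy declaration
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {lineno}: table '{table}' has no COMMIT")
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A") and table == "nat":
            args, opts = shlex.split(line), {}
            for i, tok in enumerate(args[:-1]):
                if tok.startswith("-"):  # keep a leading "!" negation with the value
                    opts[tok] = ("!" if i and args[i - 1] == "!" else "") + args[i + 1]
            if opts.get("-j") != "REDIRECT":
                continue
            try:
                dport, to_port = int(opts["--dport"]), int(opts["--to-ports"])
            except (KeyError, ValueError):
                problems.append(f"line {lineno}: cannot read single --dport/--to-ports")
                continue
            redirects.append((opts.get("-i", "any"), opts.get("-p", "any"), dport, to_port))
            if to_port <= PRIVILEGED_MAX:
                problems.append(f"line {lineno}: target {to_port} is privileged; "
                                "non-root listener needs CAP_NET_BIND_SERVICE")
    if table is not None:
        problems.append(f"table '{table}' has no COMMIT")
    return redirects, problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, *audit_nat_redirects(text), sep="\n  ")
```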

tmcneely
Engager

Use iptables to redirect the port

iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8000

You probably want to save your iptables rules afterwards (which is OS dependent)

0 Karma

bmacias84
Champion

@gnovak, if I read your response, Splunk is running as a non-root user, correct? I am no Linux expert (only enough to be dangerous), but ports 443 and 80 are under 1024, which are restricted ports that can only be used by root unless specifically granted. Since you are not using root you will not be able to bind/listen on those ports. Ignore this if you are not running Linux or your Splunk user started Splunk using su.

For this problem:


setcap 'cap_net_bind_service=+ep' $SPLUNK_HOME/bin/splunk
or
authbind # not sure of the syntax

Once the non-root user has been granted rights it should be as simple as Ayn's post.

Other options: use netcat, xinetd or iptables port forwarding. At the device level, if you are using a load balancer between your Splunk Search Heads and users, have your LB do the translation for you.

Additional Reading:

why-are-the-first-1024-ports-restricted-to-the-root-user-only

pages-man7-capabilities

gnovak
Builder

You are correct. Splunk is running as the Splunk user...

0 Karma

Ayn
Legend

sowings
Splunk Employee

The thing about showing "no port number" in the browser is a notational convenience which gets rid of those ports for standard HTTP (80) and standard HTTPS (443). You can provide them in either case, but if you don't provide a port, it'll pick one of the defaults depending upon which protocol you've specified. You're going through a lot of hoops just to avoid showing a port number in the browser's location bar. Considering that users will likely just bookmark this anyway, is it worth the effort?

(And if this effort is just to teach yourself a few things about Splunk and HTTP, etc, go for it!)

0 Karma

gnovak
Builder

Am looking at Apache as well for this... didn't know if this was something being built into a newer version...

0 Karma

gnovak
Builder

Not running as root and I don't believe it's bound. So users should only have to type in splunk.domain.com and it will automatically go to https and they won't see the port it's using either... I believe I'll have to redirect port 80 to 8000 as well? Not sure, never did this before...

0 Karma

bmacias84
Champion

Is port 443 already bound? Long shot: if you are running on Linux and Splunk is not running as root, ports under 1024 are restricted.

gnovak
Builder

HTTPS in splunkweb is enabled too...

0 Karma

gnovak
Builder

Encountered the following error while trying to update: In handler 'server-settings': Parameter httpport: TCP port 443 is not available

0 Karma