I'm trying to configure SSO for Splunk with Apache/2.2.14 as a reverse-proxy - both applications running on the same machine (IP is xx.xx.xx.xx), but am not able to make SSO work.
As I see from /debug/sso page,
My guess is Splunk is looking at 'X-Forwarded-For' header and checks if it is a trusted IP. My understanding is, Splunk should detect the "Incoming request IP" as the same machine, which is listed as a Trusted IP.
Looking at the above, I guess either Splunk should use the Remote-Addr for the trusted IP or Apache should NOT forward the request with 'X-Forwarded-For' (my hunch is it has something to do with Apache, so that it behaves differently than any HTTP forward proxy, but I'm not much into Apache/HTTP stuff).
Would appreciate any help to make SSO work.
/debug/sso output:
SSO Settings
SSO Enabled Yes
splunkd trustedIP 127.0.0.1
splunkweb trustedIP 127.0.0.1,xx.xx.xx.xx
splunkweb SSO Mode permissive
Splunkweb Settings
Host Name <servername>
Host IP xx.xx.xx.xx
Port 8000
Incoming request IP recieved by splunkweb yy.yy.yy.yy
Is the incoming request IP in splunkweb's list of trustedIPs? No. SSO will not be used to authenticate this request.
Other HTTP Headers
Authorization Basic ....
Host xx.xx.xx.xx:8000
Remote-Addr xx.xx.xx.xx
Remote-User krajappa
Via 1.1 localhost
X-Forwarded-For yy.yy.yy.yy
X-Forwarded-Host xx.xx.xx.xx
X-Forwarded-Server localhost
Remote User HTTP Header REMOTE-USER
Value of REMOTE-USER krajappa
I've configured Apache/Splunk based on the answers in the forums here, and Splunk docs.
$SPLUNK/etc/system/local/web.conf
[settings]
remoteUser = REMOTE-USER
trustedIP = 127.0.0.1, xx.xx.xx.xx
root_endpoint = /splunk
tools.proxy.on = True
$SPLUNK/etc/system/local/server.conf
[general]
serverName = <servername>
trustedIP = 127.0.0.1,xx.xx.xx.xx
[sslConfig]
sslKeysfilePassword = ...
From Apache httpd.conf:
<VirtualHost *:80>
<Location />
Order allow,deny
Allow from all
AuthType Basic
AuthName "Enter your NIS Username/Password:"
PerlAuthenHandler Apache2::AuthenNIS
PerlSetVar AllowAlternateAuth no
require valid-user
</Location>
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ProxyPass /splunk/ http://xx.xx.xx.xx:8000/splunk/
ProxyPassReverse /splunk/ http://xx.xx.xx.xx:8000/splunk/
RequestHeader set REMOTE_USER %{REMOTE_USER}s
RequestHeader set REMOTE-USER %{REMOTE_USER}s
</VirtualHost>
As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf
In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)
Other than that it looks good
Hi,
I am also getting the same error while running on the same machine.
Now I would like to know about the same scenario on different machines.
Can you please explain briefly?
Please consider the following steps:
As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf
In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)
Other than that it looks good
That did the trick. Thanks!
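
A simplified model of the trustedIP decision discussed in this thread, added here as an illustration; it is not Splunk's code and not part of any post. It assumes that "tools.proxy.on = True" makes splunkweb take the request IP from X-Forwarded-For (consistent with the /debug/sso output above), uses the constructed addresses 192.0.2.10 and 198.51.100.7 in place of xx.xx.xx.xx and yy.yy.yy.yy, and its function names are hypothetical.

```python
"""Simplified model of the trustedIP check reported by /debug/sso.

Not Splunk's code. Assumption: with tools.proxy.on = True the request IP is
taken from X-Forwarded-For; otherwise it is the TCP peer (the Apache proxy).
"""
import ipaddress

# Constructed sample values standing in for the masked ones in the thread.
SERVER_IP = "192.0.2.10"     # xx.xx.xx.xx: Apache and Splunk host
CLIENT_IP = "198.51.100.7"   # yy.yy.yy.yy: the user's browser
HEADERS = {                  # as forwarded by Apache in the /debug/sso output
    "X-Forwarded-For": CLIENT_IP,
    "REMOTE-USER": "krajappa",
}


def effective_request_ip(peer_ip, headers, proxy_tool_on):
    """Return the address the trustedIP comparison is run against."""
    if proxy_tool_on:
        # The header can hold a comma-separated chain. Assumption: the first
        # entry is used; with a single entry, as in the thread, order is moot.
        first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        if first:
            return first
    return peer_ip


def sso_decision(peer_ip, headers, trusted_setting, proxy_tool_on):
    """Model the outcome: which IP was checked, was it trusted, which user."""
    trusted = {ipaddress.ip_address(p.strip())
               for p in trusted_setting.split(",") if p.strip()}
    request_ip = effective_request_ip(peer_ip, headers, proxy_tool_on)
    is_trusted = ipaddress.ip_address(request_ip) in trusted
    # The user header is honoured only when the request IP is trusted.
    user = headers.get("REMOTE-USER") if is_trusted else None
    return {"request_ip": request_ip, "trusted": is_trusted, "sso_user": user}


if __name__ == "__main__":
    web_conf_trusted = "127.0.0.1, " + SERVER_IP
    for flag in (True, False):
        print("tools.proxy.on =", flag,
              sso_decision(SERVER_IP, HEADERS, web_conf_trusted, flag))
```

With the flag on, the model checks the browser's address and rejects SSO, matching the "Incoming request IP" line in the debug output; with it off, the check runs against the proxy's own address and the REMOTE-USER value is accepted.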