Getting Data In

SSO with Apache - Splunk detecting browser IP instead of Apache IP

Krishna_R
Path Finder

I'm trying to configure SSO for Splunk with Apache/2.2.14 as a reverse-proxy - both applications running on the same machine (IP is xx.xx.xx.xx), but am not able to make SSO work.

As I see from /debug/sso page,

  1. REMOTE-USER is set as expected
  2. "Incoming request IP received", and "X-Forwarded-For" are shown as yy.yy.yy.yy (which is my browser machine)
  3. "Remote-addr" and "X-Forwarded-Host" are shown as xx.xx.xx.xx (which is Splunk/Apache's host)

My guess is Splunk is looking at 'X-Forwarded-For' header and checks if it is a trusted IP. My understanding is, Splunk should detect the "Incoming request IP" as the same machine, which is listed as a Trusted IP.

Looking at above, I guess either Splunk should use the Remote-addr for trusted IP or Apache should NOT forward request with 'X-Forwarded-For' (my hunch is it has to do something with Apache, so that it behaves differently than any HTTP Forward proxy- but I'm not much into apache/HTTP stuff)

Would appreciate any help to make SSO work.

/debug/sso output:

SSO Settings
SSO Enabled     Yes
splunkd trustedIP   127.0.0.1
splunkweb trustedIP     127.0.0.1,xx.xx.xx.xx
splunkweb SSO Mode  permissive

Splunkweb Settings
Host Name   <servername>
Host IP     xx.xx.xx.xx
Port    8000
Incoming request IP recieved by splunkweb   yy.yy.yy.yy
Is the incoming request IP in splunkweb's list of trustedIPs?   No. SSO will not be used to authenticate this request.

Other HTTP Headers
Authorization   Basic ....
Host    xx.xx.xx.xx:8000
Remote-Addr     xx.xx.xx.xx
Remote-User     krajappa
Via     1.1 localhost
X-Forwarded-For     yy.yy.yy.yy
X-Forwarded-Host    xx.xx.xx.xx
X-Forwarded-Server  localhost

Remote User HTTP Header     REMOTE-USER
Value of REMOTE-USER    krajappa

I've configured Apache/Splunk based on the answers in the forums here, and Splunk docs.

$SPLUNK/etc/system/local/web.conf

[settings]
remoteUser = REMOTE-USER
trustedIP = 127.0.0.1, xx.xx.xx.xx
root_endpoint = /splunk
tools.proxy.on = True

$SPLUNK/etc/system/local/server.conf

[general]
serverName = <servername>
trustedIP = 127.0.0.1,xx.xx.xx.xx

[sslConfig]
sslKeysfilePassword = ...

From Apache httpd.conf:

<VirtualHost *:80>
<Location />
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Enter your NIS Username/Password:"
    PerlAuthenHandler Apache2::AuthenNIS
    PerlSetVar AllowAlternateAuth no
    require valid-user
</Location>

ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass /splunk/ http://xx.xx.xx.xx:8000/splunk/
ProxyPassReverse /splunk/ http://xx.xx.xx.xx:8000/splunk/

RequestHeader set REMOTE_USER %{REMOTE_USER}s
RequestHeader set REMOTE-USER %{REMOTE_USER}s
</VirtualHost>
Tags (2)
1 Solution

gareth
Splunk Employee
Splunk Employee

As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf

In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)

Other than that it looks good

View solution in original post

thiru53
New Member

Hi,

I am also getting same error while running on same machine.

Now i would like to know same scenario on different machines.

Can you please explain briefly.

Please consider following steps:

  1. i have installed Splunk on x.x.x.x machine.
  2. LDAP server/Directory service running on y.y.y.y machine.
0 Karma

gareth
Splunk Employee
Splunk Employee

As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf

In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)

Other than that it looks good

Krishna_R
Path Finder

that did the trick. thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...