Getting Data In

SSO with Apache - Splunk detecting browser IP instead of Apache IP

Krishna_R
Path Finder

I'm trying to configure SSO for Splunk with Apache/2.2.14 as a reverse-proxy - both applications running on the same machine (IP is xx.xx.xx.xx), but am not able to make SSO work.

As I see from /debug/sso page,

  1. REMOTE-USER is set as expected
  2. "Incoming request IP received", and "X-Forwarded-For" are shown as yy.yy.yy.yy (which is my browser machine)
  3. "Remote-addr" and "X-Forwarded-Host" are shown as xx.xx.xx.xx (which is Splunk/Apache's host)

My guess is Splunk is looking at 'X-Forwarded-For' header and checks if it is a trusted IP. My understanding is, Splunk should detect the "Incoming request IP" as the same machine, which is listed as a Trusted IP.

Looking at above, I guess either Splunk should use the Remote-addr for trusted IP or Apache should NOT forward request with 'X-Forwarded-For' (my hunch is it has to do something with Apache, so that it behaves differently than any HTTP Forward proxy- but I'm not much into apache/HTTP stuff)

Would appreciate any help to make SSO work.

/debug/sso output:

SSO Settings
SSO Enabled     Yes
splunkd trustedIP   127.0.0.1
splunkweb trustedIP     127.0.0.1,xx.xx.xx.xx
splunkweb SSO Mode  permissive

Splunkweb Settings
Host Name   <servername>
Host IP     xx.xx.xx.xx
Port    8000
Incoming request IP recieved by splunkweb   yy.yy.yy.yy
Is the incoming request IP in splunkweb's list of trustedIPs?   No. SSO will not be used to authenticate this request.

Other HTTP Headers
Authorization   Basic ....
Host    xx.xx.xx.xx:8000
Remote-Addr     xx.xx.xx.xx
Remote-User     krajappa
Via     1.1 localhost
X-Forwarded-For     yy.yy.yy.yy
X-Forwarded-Host    xx.xx.xx.xx
X-Forwarded-Server  localhost

Remote User HTTP Header     REMOTE-USER
Value of REMOTE-USER    krajappa

I've configured Apache/Splunk based on the answers in the forums here, and Splunk docs.

$SPLUNK/etc/system/local/web.conf

[settings]
remoteUser = REMOTE-USER
trustedIP = 127.0.0.1, xx.xx.xx.xx
root_endpoint = /splunk
tools.proxy.on = True

$SPLUNK/etc/system/local/server.conf

[general]
serverName = <servername>
trustedIP = 127.0.0.1,xx.xx.xx.xx

[sslConfig]
sslKeysfilePassword = ...

From Apache httpd.conf:

<VirtualHost *:80>
<Location />
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Enter your NIS Username/Password:"
    PerlAuthenHandler Apache2::AuthenNIS
    PerlSetVar AllowAlternateAuth no
    require valid-user
</Location>

ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass /splunk/ http://xx.xx.xx.xx:8000/splunk/
ProxyPassReverse /splunk/ http://xx.xx.xx.xx:8000/splunk/

RequestHeader set REMOTE_USER %{REMOTE_USER}s
RequestHeader set REMOTE-USER %{REMOTE_USER}s
</VirtualHost>
Tags (2)
1 Solution

gareth
Splunk Employee
Splunk Employee

As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf

In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)

Other than that it looks good

View solution in original post

thiru53
New Member

Hi,

I am also getting same error while running on same machine.

Now i would like to know same scenario on different machines.

Can you please explain briefly.

Please consider following steps:

  1. i have installed Splunk on x.x.x.x machine.
  2. LDAP server/Directory service running on y.y.y.y machine.
0 Karma

gareth
Splunk Employee
Splunk Employee

As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf

In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine)

Other than that it looks good

Krishna_R
Path Finder

that did the trick. thanks!

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...