I'm trying to configure SSO for Splunk with Apache/2.2.14 as a reverse-proxy - both applications running on the same machine (IP is xx.xx.xx.xx), but am not able to make SSO work.
As I see from the /debug/sso page:
- REMOTE-USER is set as expected
- "Incoming request IP received", and "X-Forwarded-For" are shown as yy.yy.yy.yy (which is my browser machine)
- "Remote-addr" and "X-Forwarded-Host" are shown as xx.xx.xx.xx (which is Splunk/Apache's host)
My guess is Splunk is looking at 'X-Forwarded-For' header and checks if it is a trusted IP. My understanding is, Splunk should detect the "Incoming request IP" as the same machine, which is listed as a Trusted IP.
Looking at the above, I guess either Splunk should use the Remote-addr for the trusted IP or Apache should NOT forward the request with 'X-Forwarded-For' (my hunch is it has something to do with Apache, so that it behaves differently than any HTTP forward proxy, but I'm not much into Apache/HTTP stuff).
Would appreciate any help to make SSO work.
/debug/sso output:

```
SSO Settings
  SSO Enabled                                Yes
  splunkd trustedIP                          127.0.0.1
  splunkweb trustedIP                        127.0.0.1,xx.xx.xx.xx
  splunkweb SSO Mode                         permissive

Splunkweb Settings
  Host Name                                  <servername>
  Host IP                                    xx.xx.xx.xx
  Port                                       8000
  Incoming request IP recieved by splunkweb  yy.yy.yy.yy
  Is the incoming request IP in splunkweb's list of trustedIPs?
      No. SSO will not be used to authenticate this request.

Other HTTP Headers
  Authorization                              Basic ....
  Host                                       xx.xx.xx.xx:8000
  Remote-Addr                                xx.xx.xx.xx
  Remote-User                                krajappa
  Via                                        1.1 localhost
  X-Forwarded-For                            yy.yy.yy.yy
  X-Forwarded-Host                           xx.xx.xx.xx
  X-Forwarded-Server                         localhost
  Remote User HTTP Header                    REMOTE-USER
  Value of REMOTE-USER                       krajappa
```
I've configured Apache/Splunk based on the answers in the forums here, and Splunk docs.

$SPLUNK/etc/system/local/web.conf

```
[settings]
remoteUser = REMOTE-USER
trustedIP = 127.0.0.1, xx.xx.xx.xx
root_endpoint = /splunk
tools.proxy.on = True
```

$SPLUNK/etc/system/local/server.conf

```
[general]
serverName = <servername>
trustedIP = 127.0.0.1,xx.xx.xx.xx

[sslConfig]
sslKeysfilePassword = ...
```
From Apache httpd.conf:

```
<VirtualHost *:80>
    <Location />
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Enter your NIS Username/Password:"
        PerlAuthenHandler Apache2::AuthenNIS
        PerlSetVar AllowAlternateAuth no
        require valid-user
    </Location>
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass /splunk/ http://xx.xx.xx.xx:8000/splunk/
    ProxyPassReverse /splunk/ http://xx.xx.xx.xx:8000/splunk/
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
</VirtualHost>
```
As you're using Apache 2.x you should remove the "tools.proxy.on = True" line from web.conf.
In server.conf trustedIP only needs to be set to 127.0.0.1 (since splunkweb and splunkd are on the same machine).
Other than that it looks good.
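The check that /debug/sso reports in the question, as an added Python sketch (not Splunk's code and not part of the original posts). It assumes that with `tools.proxy.on` set, splunkweb takes the request IP from `X-Forwarded-For` instead of the socket peer, which is what the debug output above shows; the function names and the sample addresses (192.0.2.10 for the Splunk/Apache host, 198.51.100.7 for the browser) are constructed.

```python
import ipaddress

def parse_trusted(value):
    """Split a trustedIP setting such as '127.0.0.1, 192.0.2.10' into addresses."""
    return {ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()}

def effective_request_ip(peer_ip, headers, proxy_tool_on):
    """Return the address compared against trustedIP (assumed model).

    With the proxy tool off this is the TCP peer, i.e. the reverse proxy.
    With it on, the first X-Forwarded-For entry replaces it when present.
    """
    xff = headers.get("X-Forwarded-For", "")
    if proxy_tool_on and xff.strip():
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)

def sso_decision(settings, peer_ip, headers):
    """Mirror the /debug/sso verdict: is SSO used, and for which user?"""
    proxy_on = settings.get("tools.proxy.on", "False").strip().lower() == "true"
    request_ip = effective_request_ip(peer_ip, headers, proxy_on)
    trusted = request_ip in parse_trusted(settings.get("trustedIP", ""))
    # The remote-user header is honoured only for requests from a trusted address.
    user = headers.get(settings.get("remoteUser", "REMOTE_USER")) if trusted else None
    return {"request_ip": str(request_ip), "trusted": trusted, "user": user}

# Constructed stand-ins for the masked values in the question.
HEADERS = {"REMOTE-USER": "krajappa", "X-Forwarded-For": "198.51.100.7"}
BEFORE = {"remoteUser": "REMOTE-USER", "trustedIP": "127.0.0.1, 192.0.2.10",
          "tools.proxy.on": "True"}
AFTER = {k: v for k, v in BEFORE.items() if k != "tools.proxy.on"}

if __name__ == "__main__":
    for label, cfg in (("with tools.proxy.on", BEFORE), ("without it", AFTER)):
        print(label, sso_decision(cfg, "192.0.2.10", HEADERS))
```

Because a request from a trusted address is authenticated as whatever the remote-user header says, trustedIP should list only the proxy's own address.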
Hi,
I am also getting the same error while running on the same machine.
Now I would like to know about the same scenario on different machines.
Can you please explain briefly?
Please consider the following steps:
- I have installed Splunk on the x.x.x.x machine.
- LDAP server/Directory service is running on the y.y.y.y machine.
That did the trick. Thanks!