Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

mgaraventa_splu
Splunk Employee
Splunk Employee
‎02-24-2015 05:10 AM

Since upgrading to Splunk 6.2.0/6.2.1 the "File or Directory" browser in Data inputs is broken: folders cannot be expanded anymore and 404 (Not Found) errors are returned. This has always been working fine on 6.1.x, however I notice that the GUI has changed as well. The issue doesn't occur if you don't use reverse proxy.

The exact functionality can be reached from Splunkweb in following way:

Settings -> Data -> Data Inputs -> Local Inputs -> Files & directories -> New

Finally click on the "Browse"-button right to the "File or Directory" field and try to expand folders.

From further checks apache access_log tells:

10.73.64.119 - - [11/Feb/2015:15:55:26 +0000] "GET /en-GB/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&count=1000&_=1423669944903 HTTP/1.1" 200 586
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/splunkd/__raw/servicesNS/admin/launcher/admin/file-explorer/%2Fetc?output_mode=json&count=10000&sort_key=hasSubNodes&sort_key=name&sort_dir=desc&sort_mode=num&_=1423669944900 HTTP/1.1" 404 268
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /favicon.ico HTTP/1.1" 303 611
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/favicon.ico HTTP/1.1" 200 8348

What's going wrong here? Could you please help? Thanks a lot in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎02-24-2015 05:14 AM

You can use following approach in order to solve your issue: please check following directive:

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

If this is not set to "NoDecode", then the proxy will try to decode and, in case like this one when it has to deal with slashes, this will lead to a failure, because it doesn't manage it as a string as it should. You can verify your Apache version by using for instance the command: 

rpm -qa | grep httpd

If you are using an Apache version older than 2.2.18, then please upgrade and change the directive accordingly.

Here is an example about the Apache configuration after the change:

<VirtualHost 10.10.10.22:80> 
ProxyPass / http://10.10.10.18:8000/ 
ProxyPassReverse / http://10.10.10.18:8000/ 
AllowEncodedSlashes NoDecode 
</VirtualHost>

So please set AllowEncodedSlashes NoDecode under the appropriate VirtualHost. Adding it anywhere else will not solve the issue. Restart Apache afterwards in order to apply changes.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎02-24-2015 05:14 AM

You can use following approach in order to solve your issue: please check following directive:

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

If this is not set to "NoDecode", then the proxy will try to decode and, in case like this one when it has to deal with slashes, this will lead to a failure, because it doesn't manage it as a string as it should. You can verify your Apache version by using for instance the command: 

rpm -qa | grep httpd

If you are using an Apache version older than 2.2.18, then please upgrade and change the directive accordingly.

Here is an example about the Apache configuration after the change:

<VirtualHost 10.10.10.22:80> 
ProxyPass / http://10.10.10.18:8000/ 
ProxyPassReverse / http://10.10.10.18:8000/ 
AllowEncodedSlashes NoDecode 
</VirtualHost>

So please set AllowEncodedSlashes NoDecode under the appropriate VirtualHost. Adding it anywhere else will not solve the issue. Restart Apache afterwards in order to apply changes.

Hope this helps.

Reply
Solved! Jump to solution

markthompson
Builder
‎02-25-2015 01:15 AM

@piebob & @ppablo_splunk - haha, I didn't even realise, probably should've noticed the _splunk 😛 Good answer anyhow. 😛

Reply
Solved! Jump to solution

markthompson
Builder
‎02-24-2015 05:27 AM

Nice Answer.
Just a quick question; you made it sound like you were answering someone else's question!!! why? 😛

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎02-24-2015 10:42 AM

Hi @markthompson

Piggybacking off of @piebob 's comment, here are some examples of other posts where support folks bring common issues they come across working with customers to the community on Splunk Answers 🙂
http://blogs.splunk.com/2015/02/05/smart-answers-9/

Cheers!

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎02-24-2015 08:13 AM

hi Markthompson--Matteo is a member of our Support team, and we often post questions and answers we encounter when handling customer cases so that other users can benefit from the experience--this is why he asked and answered his own question this way 🙂

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...