Security
Highlighted

Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Splunk Employee
Splunk Employee

Since upgrading to Splunk 6.2.0/6.2.1 the "File or Directory" browser in Data inputs is broken: folders cannot be expanded anymore and 404 (Not Found) errors are returned. This has always been working fine on 6.1.x, however I notice that the GUI has changed as well. The issue doesn't occur if you don't use reverse proxy.

The exact functionality can be reached from Splunkweb in following way:

Settings -> Data -> Data Inputs -> Local Inputs -> Files & directories -> New

Finally click on the "Browse"-button right to the "File or Directory" field and try to expand folders.

From further checks apache access_log tells:

10.73.64.119 - - [11/Feb/2015:15:55:26 +0000] "GET /en-GB/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&count=1000&_=1423669944903 HTTP/1.1" 200 586
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/splunkd/__raw/servicesNS/admin/launcher/admin/file-explorer/%2Fetc?output_mode=json&count=10000&sort_key=hasSubNodes&sort_key=name&sort_dir=desc&sort_mode=num&_=1423669944900 HTTP/1.1" 404 268
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /favicon.ico HTTP/1.1" 303 611
10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/favicon.ico HTTP/1.1" 200 8348

What's going wrong here? Could you please help? Thanks a lot in advance.

Highlighted

Re: Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Splunk Employee
Splunk Employee

You can use following approach in order to solve your issue: please check following directive:

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

If this is not set to "NoDecode", then the proxy will try to decode and, in case like this one when it has to deal with slashes, this will lead to a failure, because it doesn't manage it as a string as it should. You can verify your Apache version by using for instance the command:

rpm -qa | grep httpd

If you are using an Apache version older than 2.2.18, then please upgrade and change the directive accordingly.

Here is an example about the Apache configuration after the change:

<VirtualHost 10.10.10.22:80> 
ProxyPass / http://10.10.10.18:8000/ 
ProxyPassReverse / http://10.10.10.18:8000/ 
AllowEncodedSlashes NoDecode 
</VirtualHost>

So please set AllowEncodedSlashes NoDecode under the appropriate VirtualHost. Adding it anywhere else will not solve the issue. Restart Apache afterwards in order to apply changes.

Hope this helps.

View solution in original post

Highlighted

Re: Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Builder

Nice Answer.
Just a quick question; you made it sound like you were answering someone else's question!!! why? 😛

0 Karma
Highlighted

Re: Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Splunk Employee
Splunk Employee

hi Markthompson--Matteo is a member of our Support team, and we often post questions and answers we encounter when handling customer cases so that other users can benefit from the experience--this is why he asked and answered his own question this way 🙂

Highlighted

Re: Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Community Manager
Community Manager

Hi @markthompson

Piggybacking off of @piebob 's comment, here are some examples of other posts where support folks bring common issues they come across working with customers to the community on Splunk Answers 🙂
http://blogs.splunk.com/2015/02/05/smart-answers-9/

Cheers!

Highlighted

Re: Apache reverse proxy in front of splunkweb breaks file selection browser on 6.2 and 6.2.1

Builder

@piebob & @ppablo_splunk - haha, I didn't even realise, probably should've noticed the _splunk 😛 Good answer anyhow. 😛