Security

Can I run SplunkWeb on port 80 on Linux without running as root?

jradkowskiAAMC
Explorer

I've seen the other questions regarding this topic and only the Solaris question & answer get close.

I am looking to change the default port Splunkweb runs on from 8000 to 80 for obvious usability reasons. I start Splunk as user "splunk" so naturally the user can't start processes on port 80.

Is there a workaround for this outside of using a server/device to translate 8000 to 80 (i.e., Apache)?

Note: Having the server start up as root is out of the question due to security concerns.

1 Solution

Johnvey
Contributor

Binding privileged ports as a non-root user involves different solutions depending on your platform. A decent writeup can be found here:

http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege...

Many customers elect to use a web proxy like Apache, the most commonly available service, to proxy port 80 through to Splunk on port 8000. This passes on the binding responsibility to Apache so one does not have to configure the splunk user. A template for doing this can be found in the Splunk documentation for configuring SSO.


jrodman
Splunk Employee

You could also use some sort of port redirection method to connect incoming connections on 80 to the nonprivileged port, but this forgoes some of the security advantages of using a low port (it's hard for local users to spoof your service if they don't have the capability.)

Personally I'd rather use either of the two options outlined by Johnvey.

0 Karma

jradkowskiAAMC
Explorer

Yeah I've already implemented a proxy in the past so I'm well aware that it's a viable solution but I am trying to minimize dependencies for Splunkweb being accessible.

I definitely need to check into setcap as that is new to me and from that thread it appears that's the solution I am looking for.

0 Karma

BunnyHop
Contributor

You should be able to modify the web.conf with the following setting:

[settings]
httpport = 80

Mick
Splunk Employee

The question isn't about how to configure Splunk to run on port 80, it's about how to configure the OS so that the Splunk user is allowed to bind to that port.

By default, port 80 is in the 'restricted' list of ports, so only the root user, and possibly other privileged users, are allowed to access it. The restricted ports are 1024 and lower.

0 Karma
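
Added example (not from the thread or from Splunk's documentation): a shell check for the OS-side condition discussed above, useful for confirming that a setcap or sysctl change actually took effect. It assumes Linux with /proc mounted; the function names are hypothetical, and it relies on two kernel facts: CAP_NET_BIND_SERVICE is capability number 10, and ports below net.ipv4.ip_unprivileged_port_start (default 1024) require it.

```shell
#!/bin/sh
# Added example, not from the thread. Decides whether a process may bind a
# TCP port, using the two things the Linux kernel consults:
#   - net.ipv4.ip_unprivileged_port_start (default 1024, kernels >= 4.11)
#   - CAP_NET_BIND_SERVICE (capability number 10) in the effective set

CAP_NET_BIND_SERVICE=10

# has_net_bind_service HEXMASK
# Returns 0 if the capability bit is set in a CapEff mask as shown in
# /proc/<pid>/status, 1 if it is not, 2 if the mask is not hex.
has_net_bind_service() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $CAP_NET_BIND_SERVICE) & 1 )) -eq 1 ]
}

# can_bind PORT HEXMASK UNPRIV_START
# Prints why the bind is allowed (or "denied") and returns 0 / 1.
can_bind() {
    if [ "$1" -ge "$3" ]; then
        echo "allowed: port $1 is not privileged"
        return 0
    fi
    if has_net_bind_service "$2"; then
        echo "allowed: CAP_NET_BIND_SERVICE is effective"
        return 0
    fi
    echo "denied: port $1 is below $3 and CAP_NET_BIND_SERVICE is missing"
    return 1
}

# check_pid PORT [PID]
# Same decision for a live process (default: this shell).
check_pid() {
    cb_mask=$(awk '/^CapEff:/ {print $2}' "/proc/${2:-$$}/status" 2>/dev/null || true)
    cb_start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    can_bind "$1" "${cb_mask:-0}" "$cb_start"
}

# Report for the current shell; run it as the splunk user to see what
# that account may bind.
check_pid 80 || true
check_pid 8000 || true
```

Pass the PID of a running process as the second argument to check_pid to see whether a file capability granted with setcap reached that process's effective set.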