Security

Can I run SplunkWeb on port 80 on Linux without running as root?

Explorer

I've seen the other questions regarding this topic and only the Solaris question & answer get close.

I am looking to change the default port Splunkweb runs on from 8000 to 80 for obvious usability reasons. I start Splunk as user "splunk" so naturally the user can't start processes on port 80.

Is there a work around for this outside of using a server/device to translate 8000 to 80 (ie> Apache)?

Note: Having the server start up as root is out of the question due to security concerns.

1 Solution

Contributor

Binding privileged ports as a non-root user involves different solutions depending on your platform. A decent writeup can be found here:

http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege...

Many customers elect to use a web proxy like Apache, the most commonly available service, to proxy port 80 through to Splunk on port 8000. This passes on the binding responsibility to Apache so one does not have to configure the splunk user. A template for doing this can be found in the Splunk documentation for configuring SSO.

View solution in original post

Splunk Employee
Splunk Employee

You could also use some sort of port redirection method to connect incoming connections on 80 to the nonpriveledged port, but this forgoes some of the security advantages of using a low port (it's hard for local users to spoof your service if they don't have the capability.)

Personally I'd rather use either of the two options outlined by Johnvey.

0 Karma

Contributor

Binding privileged ports as a non-root user involves different solutions depending on your platform. A decent writeup can be found here:

http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege...

Many customers elect to use a web proxy like Apache, the most commonly available service, to proxy port 80 through to Splunk on port 8000. This passes on the binding responsibility to Apache so one does not have to configure the splunk user. A template for doing this can be found in the Splunk documentation for configuring SSO.

View solution in original post

Explorer

Yeah I've already implemented a proxy in the past so I'm well aware that it's a viable solution but I am trying to minimize dependencies for Splunkweb being accessible.

I definitely need to check into setcap as that is new to me and from that thread it appears that's the solution I am looking for.

0 Karma

Contributor

You should be able to modify the web.conf with the following setting:

[settings]
httpport = 80

Splunk Employee
Splunk Employee

The question isn't about how to configure Splunk to run on port 80, it's about how to configure the OS so that the Splunk user is allowed to bind to that port.

By default, port 80 is in the 'restricted' list of ports, so only the root user, and possibly other privileged users are allowed access it. The restricted ports are 1024 and lower

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!