How to access splunk web interface behind Nginx

barryv
Explorer

Hi, I am new to both Nginx and Splunk. I am trying to set up Splunk running on a Linux machine with Nginx. I tried multiple setup options for setting up a proxy_pass/upstream - but none seem to work.

I would like to set it so that mydomain.com/splunk would reach the Splunk web management page.

Thanks!

1 Solution

Johnvey
Contributor

There are 2 parts to this. Let's say you want to proxy a Splunk instance at:

http://www.example.com/splunkserver

1) Configure Splunk's root endpoint

Splunkweb must be configured to use the same root endpoint as the fronting endpoint, which is /splunkserver in this example. Edit the web config (or create if it doesn't exist):

$SPLUNK_HOME/etc/system/local/web.conf

and add the following to the [settings] stanza:

root_endpoint = /splunkserver

Depending on how you configure your proxy server, you may also have to add:

tools.proxy.on = True

This setting is described in detail in the CherryPy docs.

Restart your Splunk server.

2) Set up your web/proxy server

You must configure your fronting proxy server to forward requests to a specific endpoint over to the Splunk server.


alkamiadmin
New Member

The above information is helpful, but is not specific to NGINX. I spent a few hours on this and got this working. I wanted to share as I'm both a fan of NGINX and Splunk. I am using NGINX v1.6.2 and Splunk (on Windows) v6.2.2.

Your site .conf file referenced in nginx.conf:

server {
        listen <IP-Address-of-NGINX-For-Splunk>:80;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        location / {
            # Redirect to HTTPS
            return 301 https://$server_name$request_uri;
        }
}

server {
        listen <IP-Address-of-NGINX-For-Splunk>:443 ssl;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        # Resolve HTTP Error 414 Request-URI-Too-Large
        large_client_header_buffers 6 16k;
        # Certificate & Key .PEM Format
        ssl_certificate /etc/ssl/<name-of-cert>.crt;
        ssl_certificate_key /etc/ssl/<name-of-key>.key;
        # PFS
        ssl_dhparam /etc/ssl/<name-of-DH-key>.dh;
        # HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # OCSP
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/alk-splunk02.oscp;
        # CIPHERS
        include sites.common;
        location / {
            proxy_pass_request_headers on;
            proxy_set_header x-real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $host;
            proxy_pass https://<IP-Address-of-Your-Splunk-Server>:8000;
        }
}

A+ rating on SSL Labs, provided you have a SHA256 cert from a trusted CA and the intermediates are provided inside the .crt file.

This is sites.common:

        # OCSP Stapling
        resolver <DNS-Server-IP-1-You-Want> <DNS-Server-IP-2-You-Want> valid=300s;
        resolver_timeout 5s;

        # Cipher Specification and Session Cache
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL';
        proxy_ssl_session_reuse off;
0 Karma
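
The subpath case from the original question, combining the root_endpoint setting from the accepted answer with an NGINX reverse proxy. This is an added example, not a configuration posted by anyone in this thread. The server name, certificate paths and the plain-HTTP backend on 127.0.0.1:8000 are assumptions, and a current NGINX release is assumed for the TLS settings.

```nginx
# Added example. Assumed Splunk side, in
# $SPLUNK_HOME/etc/system/local/web.conf under [settings]:
#     root_endpoint = /splunkserver
#     tools.proxy.on = True
# Splunk Web is assumed to listen on 127.0.0.1:8000 without TLS, so it is
# reachable only through this proxy.

server {
    listen 443 ssl;
    server_name splunk.example.com;              # placeholder name

    ssl_certificate     /etc/ssl/example.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;

    # Offer only current protocol versions.
    # TLSv1.3 requires NGINX 1.13.0 or later; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Long search URLs can exceed the default header buffers (HTTP 414).
    large_client_header_buffers 6 16k;

    # Normalise the bare prefix so relative links resolve under it.
    location = /splunkserver {
        return 301 /splunkserver/;
    }

    location /splunkserver/ {
        # proxy_pass has no URI part, so the request path is forwarded
        # unchanged, prefix included. The prefix must equal root_endpoint.
        proxy_pass http://127.0.0.1:8000;

        # Give the backend the original host, client address and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Nothing outside the Splunk prefix is exposed through this server.
    location / {
        return 404;
    }
}
```

Run `nginx -t` to validate the file before reloading.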
