Security

How to access splunk web interface behind Nginx

barryv
Explorer

Hi, I am new to both Nginx and Splunk. I am trying to setup splunk runing on a linux machine with Nginx. I tried multiple setup options for setting up a proxy_pass/upstream - but none seem to work.

I would like to set it so that mydomain.com/splunk would reach the splunk web management page.

Thanks!

Tags (1)
1 Solution

Johnvey
Contributor

There are 2 parts to this. Let's say you want to proxy a Splunk instance at:

http://www.example.com/splunkserver

1) Configure Splunk's root endpoint

Splunkweb must be configured to use the same root endpoint as the fronting endpoint, which is /splunkserver in this example. Edit the web config (or create if it doesn't exist):

$SPLUNK_HOME/etc/system/local/web.conf

and add the following to the [settings] stanza:

root_endpoint = /splunkserver

Depending on how you configure your proxy server, you may also have to add:

tools.proxy.on = True

This setting is described in detail in the CherryPy docs.

Restart your Splunk server.

2) Setup your web/proxy server

You must configure your fronting proxy server to forward requests to a specific endpoint over to the Splunk server.

View solution in original post

alkamiadmin
New Member

The above information is, helpful, but is not specific to NGINX. I spent a few hours on this and got this working. I wanted to share as I'm both a fan of NGINX and Splunk. I am using NGINX v1.6.2 and Splunk (on Windows) v6.2.2

Your Site .conf file referenced in nginx.conf

server {
        listen <IP-Address-of-NGINX-For-Splunk>:80;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        location / {
        # Redirect to HTTPS
        return 301 https://$server_name$request_uri;
        }
}

server {
        listen <IP-Address-of-NGINX-For-Splunk>:443 ssl;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
     #Resolve HTTP Error 414 Request-URI-Too-Large
        large_client_header_buffers 6 16k;
     #Certificate & Key .PEM Format
        ssl_certificate /etc/ssl/<name-of-cert>.crt;
        ssl_certificate_key /etc/ssl/<name-of-key>.key;
     #PFS
        ssl_dhparam /etc/ssl/<name-of-DH-key>.dh;
     #HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
     #OSCP
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/alk-splunk02.oscp;
     #CIPHERS
        include sites.common;
        location / {
            proxy_pass_request_headers on;
            proxy_set_header x-real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $host;
            proxy_pass https://<IP-Address-of-Your-Splunk-Server>:8000;
        }
}

A+ Rating on SSL Labs provided you have a SHA256 Cert from trusted CA and intermediates provided inside .crt file
This is sites.common:

     #OSCP Stapling
        resolver <DNS-Server-IP-1-You-Want> <DNS-Server-IP-2-You-Want> valid=300s;
        resolver_timeout 5s;

     #Cipher Specification and Session Cache
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL';
        proxy_ssl_session_reuse off;
0 Karma

Johnvey
Contributor

There are 2 parts to this. Let's say you want to proxy a Splunk instance at:

http://www.example.com/splunkserver

1) Configure Splunk's root endpoint

Splunkweb must be configured to use the same root endpoint as the fronting endpoint, which is /splunkserver in this example. Edit the web config (or create if it doesn't exist):

$SPLUNK_HOME/etc/system/local/web.conf

and add the following to the [settings] stanza:

root_endpoint = /splunkserver

Depending on how you configure your proxy server, you may also have to add:

tools.proxy.on = True

This setting is described in detail in the CherryPy docs.

Restart your Splunk server.

2) Setup your web/proxy server

You must configure your fronting proxy server to forward requests to a specific endpoint over to the Splunk server.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...