
How to configure Splunk Enterprise in front of AWS ELB instance

fman82
Explorer

We have deployed Splunk Enterprise on an EC2 instance behind a classic ELB in AWS with HTTPS enabled (screenshots attached). Splunk runs in plain HTTP on the default port, but we have set the following in our web.conf:

tools.proxy.base=https://<our-domain>
tools.proxy.on=true

Though when we visit Splunk over HTTPS, we can see the login page and authenticate successfully, then it redirects us to https://127.0.0.1:8000/en-US/app/launcher and not our ELB URL. Help appreciated.

0 Karma

wwangsa_splunk
Splunk Employee
0 Karma

fman82
Explorer

Thanks. But are we saying we need to put a reverse proxy in front of SplunkWeb for this to work?

It seems overkill for something so basic. It seems that SplunkWeb just isn't taking the correct base host & port as defined in tools.proxy.base in the web.conf

0 Karma

rathjunk
Engager

I'm having the same issue. The tools.proxy.base configuration does not seem to be working, as it always points to 127.0.0.1:8000; it does not matter what I add as a base.

tools.proxy.on = <boolean>
* Whether or not the Splunk platform instance is behind a reverse proxy server.
* If set to "true", the instance assumes that it is behind a reverse proxy and
  uses HTTP header information from the proxy to log access requests, secure
  its cookies properly, and generate valid URLs for redirect responses.
* All of the instance's HTTP services will use information from
  "X-Forwarded-*", "Front-End-Https", and "X-Url-Scheme" headers, where
  available, to override what it receives from proxied requests.
* If you set this to "true", you must also set 'tools.proxy.base' to a valid
  host name and network port.
* If set to "false", the instance relies on its own internal HTTP server
  settings and the immediate client's HTTP headers for the information needed
  for access request logging, cookie securing, and redirect URL generation.
* Default: false

tools.proxy.base = <scheme>://<URL>
* The proxy base URL in Splunk Web.
* Default: empty string


0 Karma

rathjunk
Engager

It is disappointing that Splunk does not provide this capability out of the box. You would expect this from the tools.proxy.base setting, but it just keeps pointing back to localhost:8000. So, to resolve termination of HTTPS traffic on my ELB and pass HTTP to the instance, I had to add a reverse proxy. It is overkill, unfortunately, @fman82, but easy to set up.

In short, I added Nginx and set up a redirection of all 80 traffic to 443 using the following configuration:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name <elb.hostname.domain>;
  return 301 https://$host$request_uri;
}

Keep in mind you may need to open port 80 on the ELB and all the internal HTTP Splunk redirects are handled by Nginx.

0 Karma
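
The symptom reported in this thread, a post-login redirect to https://127.0.0.1:8000/... instead of the ELB URL, can be checked for mechanically after any change to web.conf or the proxy. The following is an added example, not code from any poster or from Splunk: it compares a redirect's Location header with the public base URL, and the function names, the `splunk.example.com` host and the sample Location values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _is_internal(host):
    """True for localhost and loopback/private/link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; not judged here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def _port(parts):
    """Explicit port if present, otherwise the scheme's default."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def audit_redirect(public_base, location):
    """Compare a Location header with the public URL (the value intended for
    tools.proxy.base) and return the list of mismatches found."""
    base = urlsplit(public_base)
    # Relative Location values resolve against the public URL, as in a browser.
    target = urlsplit(urljoin(public_base, location))
    findings = []
    if target.scheme != base.scheme:
        findings.append("scheme")            # e.g. downgrade to plain HTTP
    if target.hostname != base.hostname:
        findings.append("host")
    if _port(target) != _port(base):
        findings.append("port")
    if _is_internal(target.hostname or ""):
        findings.append("internal-address")  # backend address exposed to clients
    return findings


# Constructed sample Location headers (the first mirrors the thread's symptom).
SAMPLES = [
    "https://127.0.0.1:8000/en-US/app/launcher",
    "http://splunk.example.com/en-US/app/launcher",
    "/en-US/app/launcher",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        print(loc, "->", audit_redirect("https://splunk.example.com", loc) or "ok")
```

An empty list means the redirect stays on the public scheme, host and port; feed the function the Location value captured from a real login response through the ELB.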