Security

How to set up an NGINX-proxy for deployment

HumanPrinter
Explorer

I am trying to configure an NGINX-proxy that will forward all requests from a Universal Forwarder to the Deploymentserver in my Splunk-cluster. I have tried to follow the examples that are available on the internet as well as on Splunkbase. However, I run into an error which I can't seem to solve.

My setup is as follows:
A Windows machine running the Universal Forwarder (version 7.1.2 x64)
A CentOS 7.5 machine running Splunk as a deploymentserver (version 7.2.0)
A CentOS 7.5 machine running NGINX (version 1.12.2)

When I connect the Universal Forwarder directly to the deploymentserver, everything works fine. But when I connect with the NGINX-proxy, the communication breaks down.
NGINX reports a '502 Bad Gateway' and the deploymentserver reports
'WARN HttpListener - Socket error from 10.101.0.243:40076 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'

My NGINX config looks as follows:

user nginx nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
    use epoll;
}

http {
    log_format  main_http  '$remote_addr - $remote_user [$time_local] $ssl_protocol/$ssl_cipher "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';

    upstream splunk_deploymentserver {
        ip_hash;
        server 10.101.0.237:8089;
    }

    server {
        listen 8089 ssl;
        ssl_certificate     ssl/server.pem;
        ssl_certificate_key ssl/server.key;
        access_log  /var/log/nginx/access_splunkdeployment.log  main_http;
        location / {
            proxy_pass http://splunk_deploymentserver;
        }
    }
}

The SSL-certificate that is served by NGINX, is a copy of the SSL-certificate of the deployment server.

Any help on solving this problem is very much appreciated.

Oscar

0 Karma
1 Solution

HumanPrinter
Explorer

The problem turned out to be very simple and very obvious. I was forwarding to the deployer over http instead of https. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

0 Karma
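
A hardened variant of the corrected proxy block, as an added example that is not part of the original posts: besides `proxy_pass https://`, it makes NGINX verify the deployment server's certificate, which NGINX does not do by default (`proxy_ssl_verify` is `off` unless set). The CA file path and the `proxy_ssl_name` value are assumptions to be replaced with your own; everything else is taken from the configuration in the question.

```nginx
# Added example: goes inside the http { } block from the question, which
# defines the main_http log format. Placeholders are marked ASSUMPTION.
upstream splunk_deploymentserver {
    ip_hash;
    server 10.101.0.237:8089;
}

server {
    listen 8089 ssl;
    ssl_certificate     ssl/server.pem;
    ssl_certificate_key ssl/server.key;
    access_log  /var/log/nginx/access_splunkdeployment.log  main_http;

    location / {
        # The fix from the answer: the deployment server's port 8089 speaks
        # TLS, so the proxied hop must use https, not http.
        proxy_pass https://splunk_deploymentserver;

        # With only the line above, NGINX encrypts the upstream hop but
        # accepts any certificate. These directives turn verification on.
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;

        # ASSUMPTION: PEM file holding the CA certificate that signed the
        # deployment server's certificate.
        proxy_ssl_trusted_certificate ssl/splunk-ca.pem;

        # ASSUMPTION: the name present in the deployment server's
        # certificate. The default is $proxy_host, which here would be the
        # upstream group name "splunk_deploymentserver".
        proxy_ssl_name deploymentserver.example.internal;
    }
}
```

Run `nginx -t` before reloading. If the CA file or the name does not match the deployment server's certificate, the upstream handshake fails and the forwarder sees a 502 again, with the reason in `error_log`.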
