Security

How to setup an NGINX-proxy for deployment

HumanPrinter
Explorer

I am trying to configure an NGINX-proxy that will forward all requests from a Universal Forwarder to the Deploymentserver in my Splunk-cluster. I have tried to follow the examples that are available on the internet as wel as on Splunkbase. However, I run into an error which I can't seem to solve.

My setup is as follows:
A windows machine running the Universal Forwarder (version 7.1.2 x64)
A CentOS 7.5 machine running Splunk as a deploymentserver (version 7.2.0)
A CentOS 7.5 machine running NGINX (version 1.12.2)

When I connect the Universal Forwarder directly to the deploymentserver, everything works fine. But when I connect with the NGINX-proxy, the communication breaks down.
NGINX reports a '502 Bad Gateway' and the deploymentserver reports
'WARN HttpListener - Socket error from 10.101.0.243:40076 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'

My NGINX config looks as follows:

user nginx nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
    use epoll;
}

http {
    log_format  main_http  '$remote_addr - $remote_user [$time_local] $ssl_protocol/$ssl_cipher "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';

    upstream splunk_deploymentserver {
        ip_hash;
        server 10.101.0.237:8089;
    }

    server {
        listen 8089 ssl;
        ssl_certificate     ssl/server.pem;
        ssl_certificate_key ssl/server.key;
        access_log  /var/log/nginx/access_splunkdeployment.log  main_http;
        location / {
            proxy_pass http://splunk_deploymentserver;
        }
    }
}

The SSL-certificate that is served by NGINX, is a copy of the SSL-certificate of the deployment server.

Any help on solving this problem is very much appreciated.

Oscar

0 Karma
1 Solution

HumanPrinter
Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

View solution in original post

0 Karma

HumanPrinter
Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...