Security

How to setup an NGINX-proxy for deployment

Explorer

I am trying to configure an NGINX-proxy that will forward all requests from a Universal Forwarder to the Deploymentserver in my Splunk-cluster. I have tried to follow the examples that are available on the internet as wel as on Splunkbase. However, I run into an error which I can't seem to solve.

My setup is as follows:
A windows machine running the Universal Forwarder (version 7.1.2 x64)
A CentOS 7.5 machine running Splunk as a deploymentserver (version 7.2.0)
A CentOS 7.5 machine running NGINX (version 1.12.2)

When I connect the Universal Forwarder directly to the deploymentserver, everything works fine. But when I connect with the NGINX-proxy, the communication breaks down.
NGINX reports a '502 Bad Gateway' and the deploymentserver reports
'WARN HttpListener - Socket error from 10.101.0.243:40076 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'

My NGINX config looks as follows:

user nginx nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
    use epoll;
}

http {
    log_format  main_http  '$remote_addr - $remote_user [$time_local] $ssl_protocol/$ssl_cipher "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';

    upstream splunk_deploymentserver {
        ip_hash;
        server 10.101.0.237:8089;
    }

    server {
        listen 8089 ssl;
        ssl_certificate     ssl/server.pem;
        ssl_certificate_key ssl/server.key;
        access_log  /var/log/nginx/access_splunkdeployment.log  main_http;
        location / {
            proxy_pass http://splunk_deploymentserver;
        }
    }
}

The SSL-certificate that is served by NGINX, is a copy of the SSL-certificate of the deployment server.

Any help on solving this problem is very much appreciated.

Oscar

0 Karma
1 Solution

Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

View solution in original post

0 Karma

Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!