Security

How to setup an NGINX-proxy for deployment

HumanPrinter
Explorer

I am trying to configure an NGINX-proxy that will forward all requests from a Universal Forwarder to the Deploymentserver in my Splunk-cluster. I have tried to follow the examples that are available on the internet as wel as on Splunkbase. However, I run into an error which I can't seem to solve.

My setup is as follows:
A windows machine running the Universal Forwarder (version 7.1.2 x64)
A CentOS 7.5 machine running Splunk as a deploymentserver (version 7.2.0)
A CentOS 7.5 machine running NGINX (version 1.12.2)

When I connect the Universal Forwarder directly to the deploymentserver, everything works fine. But when I connect with the NGINX-proxy, the communication breaks down.
NGINX reports a '502 Bad Gateway' and the deploymentserver reports
'WARN HttpListener - Socket error from 10.101.0.243:40076 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'

My NGINX config looks as follows:

user nginx nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
    use epoll;
}

http {
    log_format  main_http  '$remote_addr - $remote_user [$time_local] $ssl_protocol/$ssl_cipher "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';

    upstream splunk_deploymentserver {
        ip_hash;
        server 10.101.0.237:8089;
    }

    server {
        listen 8089 ssl;
        ssl_certificate     ssl/server.pem;
        ssl_certificate_key ssl/server.key;
        access_log  /var/log/nginx/access_splunkdeployment.log  main_http;
        location / {
            proxy_pass http://splunk_deploymentserver;
        }
    }
}

The SSL-certificate that is served by NGINX, is a copy of the SSL-certificate of the deployment server.

Any help on solving this problem is very much appreciated.

Oscar

0 Karma
1 Solution

HumanPrinter
Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

View solution in original post

0 Karma

HumanPrinter
Explorer

The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing

proxy_pass http://splunk_deploymentserver;

into

proxy_pass https://splunk_deploymentserver;

did the trick.
(That was one expensive letter 🙂 )

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...