Hi all,
I finally decided to post and get help from here to deal with Splunk configuration behind a reverse Proxy.
I've read and searched through many posts all over the Internet and this forum and found various solutions expected to solve this, but I still have some issues.
I have an internal reverse proxy, Nginx running SSL, which sends requests directly to the Splunk web server, also running SSL.
This almost works: I can get access to Splunk, log in and so on, and I can open any application and dashboard with no issue.
BUT under a few cases, it does not work as expected, some examples:
My Splunk configuration is:
local/web.conf:

    root_endpoint = /splunk
    enableSplunkWebSSL = 1
    tools.proxy.on = True (--> I tried with and without)

under nginx:

    location /splunk/ {
        proxy_pass https://splunkserver:8000;
        access_log /var/log/nginx/splunk.access.log;
        error_log /var/log/nginx/splunk.error.log;
    }

Of course, when requesting directly internally to the Splunk web server, everything works as expected.
I also tested with Apache running as reverse proxy, and got exactly the same issue.
Tried with the reverse proxy running SSL and the Splunk backend running HTTP, same thing.
Tried "SSOMode = permissive", no change.
I searched for any interesting error in the nginx logs and the Splunk web logs, nothing... all I get are the related GET and POST operations with code 200 for GET, so normal...
I suspect problems with the session cookie or something abnormal in the HTTP header, or perhaps something related to the Splunk SSO config, or SSL negotiation and ciphers...
I'm running out of ideas!
Can anyone help me get my reverse proxy configuration to work? 🙂
Thanks!
Guilhem
Corrected with Splunk version 6: Splunk behind an Nginx reverse proxy works perfectly with the configuration above.
Good News: What you are trying should work.
Bad News: What you are trying should work.
The documentation here may help: http://wiki.splunk.com/Community:SplunkBehindAProxy
The issue is the url re-writing. It looks like some of the urls are not being re-written correctly.
If you analyze the source of your hung pages, you will likely see references to:
http://server:8000/
or http://server/
or https://server:8000/
or http://server/splunk
instead of the one thing that will work, https://nginxserver/splunk
Once you determine what isn't being re-written correctly, your next step is to write an nginx rewrite rule to fix the issue. This is documented here: http://nginx.org/en/docs/http/ngx_http_rewrite_module.html
Once you have it all working, post back here. I would love to see what you come up with!
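
The page-source check described in the answer above, as an added example that is not part of the original thread: it parses a page's HTML and reports every `href`/`src`/`action` that would take the browser around `https://nginxserver/splunk`. The function names and the sample HTML are constructed for illustration; the host names `nginxserver`, `server` and `splunkserver` are the ones used in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect every href/src/action value in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def classify(url, proxy_base, backend_hosts):
    """Return None if the URL stays behind the proxy, else why it does not."""
    base, u = urlsplit(proxy_base), urlsplit(url)
    prefix = base.path.rstrip("/")
    under_prefix = u.path == prefix or u.path.startswith(prefix + "/")
    if not u.netloc:  # relative or root-relative reference
        return "missing-prefix" if u.path.startswith("/") and not under_prefix else None
    if u.hostname in backend_hosts:
        return "backend-host"  # browser would try to reach Splunk directly
    if u.netloc != base.netloc:
        return None  # third-party link, out of scope
    if u.scheme and u.scheme != base.scheme:
        return "wrong-scheme"  # e.g. http:// link on a page served over https
    return None if under_prefix else "missing-prefix"

def find_unrewritten_urls(html, proxy_base, backend_hosts):
    """List (reason, url) for every reference that bypasses proxy_base."""
    parser = LinkCollector()
    parser.feed(html)
    checked = ((classify(u, proxy_base, backend_hosts), u) for u in parser.urls)
    return [(reason, u) for reason, u in checked if reason]

# Constructed sample page source, not captured from a real Splunk instance.
SAMPLE = """
<link href="/splunk/static/app.css" rel="stylesheet">
<script src="https://server:8000/static/js/i18n.js"></script>
<a href="http://nginxserver/splunk/app/search">Search</a>
<form action="/en-US/account/login" method="post"></form>
<img src="static/logo.png">
"""

if __name__ == "__main__":
    hits = find_unrewritten_urls(SAMPLE, "https://nginxserver/splunk",
                                 {"server", "splunkserver"})
    for reason, url in hits:
        print(f"{reason:15} {url}")
```

Run it against the saved source of a page that hangs; each reported reason points at the kind of rewrite rule or Splunk setting to look at.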
Hi,
Thank you for answering this quite old post...
I have no doubt your analysis is right, and probably looking at nginx logs to find hung pages and generate rewrite rules would have corrected the situation.
But anyway, and fortunately, what was not working with Splunk version 5 suddenly started working with version 6.
I guess a few things have been corrected; Splunk behind an nginx reverse proxy works like a charm now with the expected configuration.
Yup. Reverse HTTPS proxy with SSO definitely works. Have you tried with IIS? I've not tried with Apache or nginx.
Hi,
Anyone with a full working reverse proxy configuration?
Thanks!