Security

Splunk web redirect to FQDN?

edwardrose
Contributor

I was looking around and maybe my googling is the best today, but I cannot seem to find a way to redirect the Splunk webserver. Basically our customers can access our Splunk servers with either the short name:

https://splunkit:8000

Or the FQDN

https://splunkit.mydomain.com:8000

My question is how do I get the Splunk webserver to redirect the short name to the FQDN? We are getting dedicated certs for the Splunk web interface and need customer's to access the FQDN for the certs to be valid. Any help or docs would be awesome thanks.

-ed

0 Karma
1 Solution

acharlieh
Influencer

I don't believe the Splunk webserver will do this. Even if it could, I'm not sure if it would be a supported change. However instead you could setup a proxy / load balancer (such as an F5) in front of your Splunk Web interface. (Having a load balancer in front of SplunkWeb on your search heads is something you'd want for Search Head Clustering anyways.)

Your load balancer would have to support name based virtual hosting so that requests to the short name would be served with a 301 redirect, but responses to the FQDN would be proxied to the appropriate search head.

Now with regards to the certificate errors, If your load balancer supports SNI, the load balancer could serve a certificate with the simple name (likely issued by the customer's internal CA infrastructure) to requests for the simple name. If the load balancer does not support flexing based on SNI, then you are looking at getting a certificate with multiple Subject Alternative Names as @teunlaan mentions in their comment.

Alternatively... you could see if the network & device management folks at the company would get rid of their DNS Suffix search list. In this case only the FQDN would work for folks, and if you have enough messaging and training, possibly they will come around to not use unqualified names... but that's much more difficult of course.

View solution in original post

0 Karma

acharlieh
Influencer

I don't believe the Splunk webserver will do this. Even if it could, I'm not sure if it would be a supported change. However instead you could setup a proxy / load balancer (such as an F5) in front of your Splunk Web interface. (Having a load balancer in front of SplunkWeb on your search heads is something you'd want for Search Head Clustering anyways.)

Your load balancer would have to support name based virtual hosting so that requests to the short name would be served with a 301 redirect, but responses to the FQDN would be proxied to the appropriate search head.

Now with regards to the certificate errors, If your load balancer supports SNI, the load balancer could serve a certificate with the simple name (likely issued by the customer's internal CA infrastructure) to requests for the simple name. If the load balancer does not support flexing based on SNI, then you are looking at getting a certificate with multiple Subject Alternative Names as @teunlaan mentions in their comment.

Alternatively... you could see if the network & device management folks at the company would get rid of their DNS Suffix search list. In this case only the FQDN would work for folks, and if you have enough messaging and training, possibly they will come around to not use unqualified names... but that's much more difficult of course.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Agreed. This is something that needs to be configured as part of the larger DNS/FQND setup. As in, this is part of networking configuration for the environment, not Splunk itself.

0 Karma

teunlaan
Contributor

I don't know how to redirect it. You could also create certificates with aliases. Your certificate will be valid for short AND FQDN

Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...