Using AWS HTTPS ELB with EC2 Splunk Web on HTTP po...

jtran_odecee · ‎09-25-2013

We have an AWS configuration where the splunk server is running on an EC2 instance within a VPC. splunkweb is using HTTP. To prove that we can access splunkweb, we have an ELB entry that listens on HTTP port 80 and redirects to splunk on HTTP port 8000. This works fine.

Now what we want to do is to make the ELB listen on HTTPS port 443 and redirect to splunk on HTTP port 8000, i.e.
User Browser <- SSL -> AWS ELB <- HTTP -> Splunk Web

Basically let AWS ELB handle the SSL from the outside, and within the VPC, splunk will continue to use HTTP to save the extra crypto effort. However this doesn't work.

Is there a recommended way to achieve this?

Thanks,
JT

gstestaccount · ‎11-23-2018

Going off the current most voted answer i have created terraform code to automate setting up a test splunk instance...

Uses splunk enterprise AMI (current at the time)
Installs apache and configures the reverse proxy (workaround for SPL-79993)
Fronts splunk with 2 classic LBs, One for web interface, one for HEC interface
Creates hosted zone with domain you provide (while running the TF code you must login to the aws console to get your Nameserver address for you new R53 hosted zone and update your domain provider with these (ie freenom). if the code timeouts just run it again after you have updated your domain registrar with the route53 name servers provided for you new zone)
Provides valid SSL certs for both loadbalancers (HEC requires a valid cert)
Current Security Group for the HEC LB endpoint is from US-East-1 firehose delivery service. please alter to your specifications

You will need to provide the following

Terraform Profile
domain (I used a free temp domain from freenom)
ssh public key (used to ssh into your splunk instance)
your public ip (used to update Security groups for sshing into your instance as well as connecting to the splunk web interface)

Terrafrom Code:
https://github.com/ChiefRiver/AWSSplunkInstance

,Going off the current most voted answer i have created terraform code to automate setting up a test splunk instance...

Uses splunk enterprise AMI (current at the time)
Installs apache and configures the reverse proxy (workaround for SPL-79993)
Fronts splunk with 2 classic LBs, One for web interface, one for HEC interface
Creates hosted zone with domain you provide (while running the TF code you must login to the aws console to get your Nameserver address for you new R53 hosted zone and update your domain provider with these (ie freenom). if the code timeouts just run it again after you have updated your domain registrar with the route53 name servers provided for you new zone)
Provides valid SSL certs for both loadbalancers (HEC requires a valid cert)

Terrafrom Code:
https://github.com/ChiefRiver/AWSSplunkInstance

Lowell · ‎07-09-2014

These are all Amazon Web Service terms. See the AWS Glossary for more details.

jkat54 · ‎04-08-2014

Until SPL-79993 is corrected in a newer release, here's how we did it:

https request on port 443 <-> AWS ELB Front End Port 443 (ssl terminates) <-> AWS ELB Back End Port 8000 <-> Apache Reverse Proxy (new ssl request created) <-> SplunkWeb (new ssl request terminated).

Below are the configurations that made this work for us:

/etc/httpd/conf/httpd.conf #redirect 80 to 443

Listen 80
<VirtualHost *:80>
ServerName website.com
Redirect permanent / https://website.com/
</VirtualHost>

/etc/httpd/conf.d/ssl.conf # load ssl module, proxypass web_root "/" to https://localhost:8000, and define ssl cert

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName website.com
ProxyPass / https://127.0.0.1:8000/
ProxyPassReverse / https://127.0.0.1:8000/
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/website.crt
SSLCertificateKeyFile /etc/httpd/ssl/website.key
SSLProxyEngine on
SSLProxyVerify none
</VirtualHost>

/opt/splunk/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = /etc/httpd/ssl/website.key
caCertPath = /etc/httpd/ssl/website.crt

We also enabled shibboleth.sso but that isnt shown above. Just mentioning in case someone else wants to message me for those details as well.

MichaelDZapanta · ‎03-06-2019

Hi All,

Has there been any updates if SPL-79993 has been fixed already? Trying to google around but can't find any article regarding the status.

Tnx...

bsanch25 · ‎01-06-2020

I am facing the same issue, and it has been several years since this was originally posted. Does anyone know if Splunk has fixed this issue or what the best practice is for setting up a Load-Balancer in AWS using SSL? I would like to avoid using the Apache workaround if possible.

ssozonoff · ‎10-06-2016

So it seems we are over 2 years down the line since the last comment on this subject and its still not working or then I have missed something ?

Its such a basic thing however.

ssozonoff · ‎10-08-2016

The problem relates to how Splunk deals with redirects and my requirement is SSL termination at the load balancer (ELB).

Thanks,
Serge

jkat54 · ‎10-07-2016

According to this it appears it can be done.

https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

Looks like you can specify the front end and backend ports, etc.

freaklin · ‎06-27-2016

Hi

I'm using Splunk 6.4.1 and I would like to put my splunkweb behind an AWS ELB to make the https/ssl stuff easier and I would use this question/answer as a how to, but I'm stuck in the first step... I can't even find "https.conf" and "ssl.conf" in my splunkweb server.
This is the most viewed post about it, but It doesn't receive comments since "Feb 27, 2014 at 02:42 AM" when "sylim [Splunk]" told It would receive a fix in a later version.
Well, two years after... Is there a how to? an explained way to do this?

jkat54 · ‎06-27-2016

those are Apache config files and we were using that strategy to integrate sso. I suggest you start a new question and add your version and the architecture you're going for to your question

sylim_splunk · ‎02-27-2014

It is a known issue related to HTTP redirection, SPL-79993 open for the case - the fix will be included in later version. Contact Splunk Support for details.

vguptadevops · ‎03-16-2018

Hello , Just asking if there was any fix available to do this properly ? I am trying to establish exactly the same functionality and it just doesn't work with any AWS Load Balancer (ALB or ELB).

User Browser using HTTPs on 443 --> Hits Load Balancer --->Forward the traffic to backend nodes on HTTP port 8000 .

Note I have got no issues if I just remove the SSL and simply use HTTP it just works well.

I wold appreciate something to work in 2018 for this solution?

shervinfernando · ‎02-18-2014

I know following will work as we use it

User Browser <- SSL -> AWS ELB <- HTTPS -> Splunk Web

for this to happen edit your <splunk home>/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
httpport=8000

vguptadevops · ‎03-15-2018

I am sorry but this is not the right solution and It doesn't work, I exactly tried the same and at the load balancer it just doesn't reach to the instance at all , Although https on port 8000 listens at the instance as I could reach to web UI using that.

But when you configure the Elastic Load Balancer to use SSL and Instance protocol to use HTTPS and port 8000 it just doesn't go beyond the ELB and times out after some time.

lukejadamec · ‎09-25-2013

Generally speaking, Splunk on port 8000 is the target of a reverse proxy that listens for Splunk on port 443, and it does work. What errors are you getting?
What do the AWS, ELB, EC2, and VPC acronyms stand for?

Using AWS HTTPS ELB with EC2 Splunk Web on HTTP port 8000

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation