Using AWS HTTPS ELB with EC2 Splunk Web on HTTP port 8000

jtran_odecee
Engager

We have an AWS configuration where the splunk server is running on an EC2 instance within a VPC. splunkweb is using HTTP. To prove that we can access splunkweb, we have an ELB entry that listens on HTTP port 80 and redirects to splunk on HTTP port 8000. This works fine.

Now what we want to do is to make the ELB listen on HTTPS port 443 and redirect to splunk on HTTP port 8000, i.e.
    User Browser <- SSL -> AWS ELB <- HTTP -> Splunk Web

Basically let AWS ELB handle the SSL from the outside, and within the VPC, splunk will continue to use HTTP to save the extra crypto effort. However this doesn't work.

Is there a recommended way to achieve this?

Thanks,
JT

gstestaccount
New Member

Going off the current most voted answer, I have created Terraform code to automate setting up a test Splunk instance...

  • Uses Splunk Enterprise AMI (current at the time)
  • Installs Apache and configures the reverse proxy (workaround for SPL-79993)
  • Fronts Splunk with 2 classic LBs, one for web interface, one for HEC interface
  • Creates hosted zone with domain you provide (while running the TF code you must log in to the AWS console to get your nameserver address for your new R53 hosted zone and update your domain provider with these (i.e. freenom). If the code times out, just run it again after you have updated your domain registrar with the Route 53 name servers provided for your new zone)
  • Provides valid SSL certs for both load balancers (HEC requires a valid cert)
  • Current Security Group for the HEC LB endpoint is from US-East-1 Firehose delivery service. Please alter to your specifications

You will need to provide the following

  • Terraform Profile
  • domain (I used a free temp domain from freenom)
  • ssh public key (used to ssh into your splunk instance)
  • your public ip (used to update Security groups for sshing into your instance as well as connecting to the splunk web interface)

Terraform Code:
https://github.com/ChiefRiver/AWSSplunkInstance

0 Karma

Lowell
Super Champion

These are all Amazon Web Service terms. See the AWS Glossary for more details.

0 Karma

jkat54
SplunkTrust

Until SPL-79993 is corrected in a newer release, here's how we did it:

https request on port 443 <-> AWS ELB Front End Port 443 (ssl terminates) <-> AWS ELB Back End Port 8000 <-> Apache Reverse Proxy (new ssl request created) <-> SplunkWeb (new ssl request terminated).

Below are the configurations that made this work for us:

/etc/httpd/conf/httpd.conf # redirect 80 to 443

    Listen 80
    <VirtualHost *:80>
        ServerName website.com
        Redirect permanent / https://website.com/
    </VirtualHost>

/etc/httpd/conf.d/ssl.conf # load ssl module, proxypass web_root "/" to https://localhost:8000, and define ssl cert

    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    <VirtualHost *:443>
        ServerName website.com
        # Forward everything to Splunk Web on localhost over HTTPS
        ProxyPass / https://127.0.0.1:8000/
        ProxyPassReverse / https://127.0.0.1:8000/
        # Certificate and key presented to incoming clients
        SSLEngine On
        SSLCertificateFile /etc/httpd/ssl/website.crt
        SSLCertificateKeyFile /etc/httpd/ssl/website.key
        # New TLS connection to the backend; its certificate is not verified
        SSLProxyEngine on
        SSLProxyVerify none
    </VirtualHost>

/opt/splunk/etc/system/local/web.conf

    # Splunk Web serves HTTPS with the same key and certificate files as Apache
    [settings]
    enableSplunkWebSSL = 1
    privKeyPath = /etc/httpd/ssl/website.key
    caCertPath = /etc/httpd/ssl/website.crt

We also enabled shibboleth.sso but that isn't shown above. Just mentioning in case someone else wants to message me for those details as well.

MichaelDZapanta
New Member

Hi All,

Have there been any updates on whether SPL-79993 has been fixed already? Trying to google around but can't find any article regarding the status.

Tnx...

0 Karma

bsanch25
Explorer

I am facing the same issue, and it has been several years since this was originally posted. Does anyone know if Splunk has fixed this issue or what the best practice is for setting up a Load-Balancer in AWS using SSL? I would like to avoid using the Apache workaround if possible.

0 Karma

ssozonoff
New Member

So it seems we are over 2 years down the line since the last comment on this subject and it's still not working, or I have missed something?

It's such a basic thing, however.

0 Karma

ssozonoff
New Member

The problem relates to how Splunk deals with redirects and my requirement is SSL termination at the load balancer (ELB).

Thanks,
Serge

0 Karma

jkat54
SplunkTrust

According to this it appears it can be done.

https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

Looks like you can specify the front end and backend ports, etc.

0 Karma

freaklin
Path Finder

Hi

I'm using Splunk 6.4.1 and I would like to put my splunkweb behind an AWS ELB to make the https/ssl stuff easier, and I would use this question/answer as a how-to, but I'm stuck at the first step... I can't even find "https.conf" and "ssl.conf" on my splunkweb server.
This is the most viewed post about it, but it hasn't received comments since "Feb 27, 2014 at 02:42 AM", when "sylim [Splunk]" said it would receive a fix in a later version.
Well, two years after... Is there a how-to? An explained way to do this?

0 Karma

jkat54
SplunkTrust

Those are Apache config files, and we were using that strategy to integrate SSO. I suggest you start a new question and add your version and the architecture you're going for to your question.

0 Karma

sylim_splunk
Splunk Employee

It is a known issue related to HTTP redirection. SPL-79993 is open for the case; the fix will be included in a later version. Contact Splunk Support for details.

0 Karma
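
The redirect problem described in this thread can be checked from the client side. The following is an added example, not code from any poster or from Splunk: it inspects response heads of the kind `curl -sI` prints and flags a redirect whose Location leaves the HTTPS front end. The thread does not show the Location values SPL-79993 produces, so the sample responses are constructed, and website.com is the placeholder hostname from the Apache configuration earlier in the thread.

```python
from urllib.parse import urljoin, urlsplit

# Placeholder front-end origin (hostname taken from the Apache config in the thread).
PUBLIC_ORIGIN = "https://website.com"

# Constructed response heads, in the form `curl -sI` prints them (not real captures).
SAMPLES = {
    "relative": "HTTP/1.1 303 See Other\r\nLocation: /en-US/account/login\r\n\r\n",
    "downgrade": "HTTP/1.1 303 See Other\r\n"
                 "Location: http://website.com/en-US/account/login\r\n\r\n",
    "port_leak": "HTTP/1.1 302 Found\r\n"
                 "location: https://website.com:8000/en-US/\r\n\r\n",
    "page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_head(raw):
    """Return (status code, Location value or None) from a raw response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":   # header names are case-insensitive
            location = value.strip()
    return status, location


def audit_redirect(raw, public_origin=PUBLIC_ORIGIN):
    """Classify one response as seen by a browser that requested public_origin."""
    status, location = parse_head(raw)
    if not 300 <= status < 400 or location is None:
        return "not-a-redirect"
    public = urlsplit(public_origin)
    # Resolve relative Location values the way a browser would.
    target = urlsplit(urljoin(public_origin + "/", location))
    if target.scheme != "https":
        return "scheme-downgrade"      # backend built the URL from its own HTTP view
    if target.hostname != public.hostname:
        return "host-changed"          # redirect exposes an internal name or address
    if (target.port or 443) != (public.port or 443):
        return "backend-port-leak"     # e.g. the instance port instead of 443
    return "ok"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {audit_redirect(raw)}")
```

To use it against a real deployment, pass the output of `curl -sI` for the load balancer's HTTPS URL in place of the constructed samples.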

vguptadevops
New Member

Hello, just asking if there was any fix available to do this properly? I am trying to establish exactly the same functionality and it just doesn't work with any AWS Load Balancer (ALB or ELB).

User Browser using HTTPS on 443 --> Hits Load Balancer ---> Forward the traffic to backend nodes on HTTP port 8000.

Note I have got no issues if I just remove the SSL and simply use HTTP; it just works well.

I would appreciate something to work in 2018 for this solution?

0 Karma

shervinfernando
Explorer

I know the following will work, as we use it:

    User Browser <- SSL -> AWS ELB <- HTTPS -> Splunk Web

For this to happen, edit your <splunk home>/etc/system/local/web.conf

    [settings]
    enableSplunkWebSSL = 1
    httpport=8000

0 Karma

vguptadevops
New Member

I am sorry, but this is not the right solution and it doesn't work. I tried exactly the same, and from the load balancer it just doesn't reach the instance at all, although HTTPS on port 8000 listens at the instance, as I could reach the web UI using that.

But when you configure the Elastic Load Balancer to use SSL and the instance protocol to use HTTPS and port 8000, it just doesn't go beyond the ELB and times out after some time.

0 Karma

lukejadamec
Super Champion

Generally speaking, Splunk on port 8000 is the target of a reverse proxy that listens for Splunk on port 443, and it does work. What errors are you getting?
What do the AWS, ELB, EC2, and VPC acronyms stand for?

0 Karma