Security
Highlighted

Why am I getting errors with my Apache proxy and Splunk configuration running on the same server?

New Member

I have an Apache proxy running on the same server (CentOS 6) as Splunk (v 6.1.4).

My proxy config looks like:

ProxyPass /splunk http://127.0.0.1:8001/splunk 
ProxyPassReverse /splunk http://127.0.0.1:8001/splunk

Splunk is running on port 8001 because something else is already running on port 8000.

In my /opt/splunk/etc/system/local/web.conf I have:

httpport = 8001
root_endpoint = /splunk
enableSplunkWebSSL = True
tools.proxy.on = True (I have tried both True and False here)
trustedIP=127.0.0.1

After I restart both Apache and Splunk, I get the following in my browser:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /splunk.

Reason: Error reading from remote server

In my logs I am getting the following:

(104)Connection reset by peer: proxy: error reading status line from remote server 127.0.0.1
proxy: Error reading from remote server returned by /splunk

I have port 8001 open through IP tables. I have been following the documentation from the Splunk but nothing seems to be working. Any help will be greatly appreciated.

0 Karma
Highlighted

Re: Why am I getting errors with my Apache proxy and Splunk configuration running on the same server?

New Member

You have a mismatch in protocols there. You have told splunk to use SSL (enableSplunkWebSSL = True) but your proxy is set to just do http.

So either update the splunk web.conf to have
enableSplunkWebSSL = False

Or in your Apache update the config to be:

SSLProxyEngine On
ProxyPass /splunk https://127.0.0.1:8001/splunk
ProxyPassReverse /splunk https://127.0.0.1:8001/splunk

0 Karma