Security

Why does my configuration not work for Splunk 5 proxy behind nginx, but does work behind apache?

splunk0
Path Finder

I'm trying to implement this for oauth:
https://github.com/bitly/google_auth_proxy

Before using that, I tried simple proxying with nginx.
Here is my nginx config which does not work:

server {
    listen 443 default ssl;
    server_name splunk.mydomain.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/wild.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    add_header Strict-Transport-Security max-age=1209600;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
       proxy_pass  http://10.13.5.29:8000/;
    }

That doesn't work and seem to direct back to http://splunk.mydomain.com

This is my apache config which works:

<VirtualHost *:80>
    ServerName splunk.mydomain.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyPass /cgi-bin !
    ProxyPass / http://10.13.5.29:8000/ retry=0
    ProxyPassReverse / http://10.13.5.29:8000/ retry=0

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

This is my web.conf file:

[settings]
enableSplunkWebSSL = 0
tools.sessions.timeout = 4320
enable_autocomplete_login = True
tools.proxy.on = True
SSOMode = permissive
tools.proxy.base = http://10.13.5.29:8000

Using splunk 5

Anything I'm doing wrong?

Tags (2)
0 Karma

alkamiadmin
New Member

I spent a few hours on this and got this working. I wanted to share as I'm both a fan of NGINX and Splunk. I am using NGINX v1.6.2 and Splunk (on Windows) v6.2.2

Your Site .conf file referenced in nginx.conf

server {
        listen <IP-Address-of-NGINX-For-Splunk>:80;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        location / {
        # Redirect to HTTPS
        return 301 https://$server_name$request_uri;
        }
}

server {
        listen <IP-Address-of-NGINX-For-Splunk>:443 ssl;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
     #Resolve HTTP Error 414 Request-URI-Too-Large
        large_client_header_buffers 6 16k;
     #Certificate & Key .PEM Format
        ssl_certificate /etc/ssl/<name-of-cert>.crt;
        ssl_certificate_key /etc/ssl/<name-of-key>.key;
     #PFS
        ssl_dhparam /etc/ssl/<name-of-DH-key>.dh;
     #HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
     #OSCP
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/alk-splunk02.oscp;
     #CIPHERS
        include sites.common;
        location / {
            proxy_pass_request_headers on;
            proxy_set_header x-real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $host;
            proxy_pass https://<IP-Address-of-Your-Splunk-Server>:8000;
        }
}

A+ Rating on SSL Labs provided you have a SHA256 Cert from trusted CA and intermediates provided inside .crt file
This is sites.common:

     #OSCP Stapling
        resolver <DNS-Server-IP-1-You-Want> <DNS-Server-IP-2-You-Want> valid=300s;
        resolver_timeout 5s;

     #Cipher Specification and Session Cache
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL';
        proxy_ssl_session_reuse off;
0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...