Security

Why does my configuration not work for Splunk 5 proxy behind nginx, but does work behind apache?

Path Finder

I'm trying to implement this for oauth:
https://github.com/bitly/googleauthproxy

Before using that, I tried simple proxying with nginx.
Here is my nginx config which does not work:

server {
    listen 443 default ssl;
    server_name splunk.mydomain.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/wild.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    add_header Strict-Transport-Security max-age=1209600;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
       proxy_pass  http://10.13.5.29:8000/;
    }

That doesn't work and seem to direct back to http://splunk.mydomain.com

This is my apache config which works:

<VirtualHost *:80>
    ServerName splunk.mydomain.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyPass /cgi-bin !
    ProxyPass / http://10.13.5.29:8000/ retry=0
    ProxyPassReverse / http://10.13.5.29:8000/ retry=0

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

This is my web.conf file:

[settings]
enableSplunkWebSSL = 0
tools.sessions.timeout = 4320
enable_autocomplete_login = True
tools.proxy.on = True
SSOMode = permissive
tools.proxy.base = http://10.13.5.29:8000

Using splunk 5

Anything I'm doing wrong?

Tags (2)
0 Karma

New Member

I spent a few hours on this and got this working. I wanted to share as I'm both a fan of NGINX and Splunk. I am using NGINX v1.6.2 and Splunk (on Windows) v6.2.2

Your Site .conf file referenced in nginx.conf

server {
        listen <IP-Address-of-NGINX-For-Splunk>:80;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
        location / {
        # Redirect to HTTPS
        return 301 https://$server_name$request_uri;
        }
}

server {
        listen <IP-Address-of-NGINX-For-Splunk>:443 ssl;
        server_name <URL-You-Set-In-DNS-For-Splunk>;
     #Resolve HTTP Error 414 Request-URI-Too-Large
        large_client_header_buffers 6 16k;
     #Certificate & Key .PEM Format
        ssl_certificate /etc/ssl/<name-of-cert>.crt;
        ssl_certificate_key /etc/ssl/<name-of-key>.key;
     #PFS
        ssl_dhparam /etc/ssl/<name-of-DH-key>.dh;
     #HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
     #OSCP
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/alk-splunk02.oscp;
     #CIPHERS
        include sites.common;
        location / {
            proxy_pass_request_headers on;
            proxy_set_header x-real-IP $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $host;
            proxy_pass https://<IP-Address-of-Your-Splunk-Server>:8000;
        }
}

A+ Rating on SSL Labs provided you have a SHA256 Cert from trusted CA and intermediates provided inside .crt file
This is sites.common:

     #OSCP Stapling
        resolver <DNS-Server-IP-1-You-Want> <DNS-Server-IP-2-You-Want> valid=300s;
        resolver_timeout 5s;

     #Cipher Specification and Session Cache
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL';
        proxy_ssl_session_reuse off;
0 Karma