I am using RHEL 8.5 with Apache proxy and trying to get the proxy to do DOD CAC authentication. I am very new to Splunk and Apache.
I am able to get the proxy to point to the Splunk server but I am not getting the regular prompt for the CAC authentication.
I am using a reserve.conf as the main setup file for this, as shown below:
====web.conf
# Splunk web.conf as posted. NOTE(review): no [settings] stanza header is shown;
# the working example further down puts these keys under [settings] — if the
# header was only trimmed from the post, ignore this.
# strict: Splunk Web only accepts SSO logins that arrive from trustedIP with
# the remoteUser header; presumably no normal login form is offered otherwise.
SSOMode = strict
# Name of the HTTP request header Splunk reads the user name from; the proxy
# must set exactly this header (compare the Remote_User lines in the Apache config).
remoteUser = Remote_User
enableSplunkWebSSL = True
# Address of the Apache proxy; the remoteUser header is honoured only for
# requests coming from this address.
trustedIP = 192.168.110.10
===server.conf
# Splunk server.conf as posted (stanza header not shown). NOTE(review): the
# working example further down uses 127.0.0.1 here and keeps the proxy address
# only in web.conf — check which address the Splunk SSO docs expect for server.conf.
trustedIP = 192.168.110.10
===Reserve.conf
# Apache reverse proxy in front of Splunk Web, intended to authenticate users
# by CAC (client certificate) and pass the identity to Splunk in a header.
ServerName www.mcscapache.com
ProxyRequests Off
ProxyPreserveHost Off
SSLProxyEngine on
# NOTE(review): the next four directives turn off every check of the Splunk
# back end's certificate, so the proxy accepts any certificate on that
# connection. Tolerable in a lab; for production point SSLProxyCACertificateFile
# at the back end's issuing CA and use SSLProxyVerify require instead.
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# NOTE(review): most likely cause of the missing CAC prompt. mod_ssl only asks
# the browser for a client certificate when SSLVerifyClient is "require" (or
# "optional"); with this line commented out no certificate is requested and
# the SSL_CLIENT_* variables used below are never populated. It has to be
# enabled together with SSLCACertificateFile (also commented out below), which
# supplies the DoD CAs the card certificate is validated against.
#SSLVerifyClient require
SSLVerifyDepth 10
# initialize the special headers to a blank value to avoid http header forgeries
# (RequestHeader "set" already replaces any value a client sent, and the four
# "set" lines further down overwrite these again, so these are redundant.)
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""
# add all the SSL_* you need in the internal web application
# NOTE(review): the %{...}e form reads a CGI environment variable, which mod_ssl
# exports only with "SSLOptions +StdEnvVars" (not set in this file). The
# %{...}s form used for Client-Cert-Subject below reads the SSL variable
# directly and does not need that option.
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
RequestHeader add X-Forwarded-Proto https
RequestHeader add X-Forwarded-Port 443
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set Client-Cert-Subject "%{SSL_CLIENT_S_DN}s"
# NOTE(review): %{...}s resolves only mod_ssl variables; Remote_User is not one,
# so this header never carries the user. The CN digits are captured into USER
# by the RewriteRule below, so "%{USER}e" (as on the commented cacuser line) is
# presumably what was intended. This header name must match remoteUser in web.conf.
RequestHeader set Remote_User %{Remote_User}s
# NOTE(review): the whole Splunk UI is proxied onto the launcher URL; the
# working example further down proxies "/" to the Splunk root instead.
ProxyPass / https://www.mcscsplunk.com:8000/en-US/app/launcher/home
ProxyPassReverse / https://www.mcscsplunk.com:8000/en-US/app/launcher/home
#SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/tls/private/dodserver.crt
# NOTE(review): must be enabled for client-certificate validation (see
# SSLVerifyClient above); without it there is no trust anchor for the CAC.
#SSLCACertificateFile /etc/pki/tls/private/DoD_CAs.pem
SSLCertificateKeyFile /etc/pki/tls/private/dodserverkey.key
<Proxy *>
RewriteEngine On
# Capture the trailing digits of the certificate CN into the USER variable.
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)
RewriteRule (.*) - [E=USER:%1]
#RequestHeader set cacuser %{USER}e@mil
# NOTE(review): nothing in this file sets an environment variable named
# Remote_User (only USER is set), so this resolves to nothing useful; see the
# Remote_User note above.
RequestHeader set Remote_User %{Remote_User}e
# SSL conf file to force users to a warning cookie before they are able to access Splunk
# (Redirect target is relative; confirm the browser lands on the intended
# warning page, and that the page sets accepted_warning=true.)
RewriteCond %{HTTP_COOKIE} !accepted_warning=true [NC]
RewriteRule ^/(de-DE|en-US|en-GB|it-IT|ja-JP|ko-KO|zh-CN|zh-TW)/.*$ warning/ [NC,L,R=302]
</Proxy>
<Location />
# NOTE(review): "Require all granted" admits every client without any
# authentication; with httpd 2.4's default any-of combination the
# "require valid-user" below never restricts access. The next line fuses two
# directives ("allow from all" and "AuthType Kerberos") and will not parse, and
# no Kerberos auth module or AuthName is configured. For a CAC flow the identity
# comes from the client certificate, so the Kerberos lines are presumably not
# needed. Order/Allow/Deny are 2.2-style (mod_access_compat) and should not be
# mixed with Require.
Require all granted
allow from all AuthType Kerberos
require valid-user
Options +SymLinksIfOwnerMatch
# AllowOverride All
Order deny,allow
Allow from 192.168.190.0/24
Deny from all
</Location>
Thank you
We have a working apache SSO proxy service for Splunk CAC logins 🙂
I will share with you our setup (this is our httpd conf file)
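LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
# mod_headers (RequestHeader below) is not loaded here; on RHEL the stock
# conf.modules.d files normally load it — verify if RequestHeader is rejected.
LoadModule dumpio_module modules/mod_dumpio.so
# CAC-authenticated reverse proxy for Splunk Web: the browser must present a
# client certificate chaining to the DoD CAs, and the UPN from that certificate
# is forwarded to Splunk in the "cacuser" header (web.conf remoteUser = cacuser).
<VirtualHost *:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
# Uncomment the lines below for debugging. mod_dumpio writes full request and
# response bodies to the error log at LogLevel debug — never leave it on in
# production.
#DumpIOInput On
#DumpIOOutput On
#LogLevel debug
LogLevel warn
SSLEngine on
# TLS 1.2 and newer only. The original "ALL -SSLv2 -SSLv3" still allowed
# TLS 1.0 and 1.1, which are deprecated and not acceptable for a DoD-facing service.
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) removed; "!aNull" is now written
# !aNULL, the spelling OpenSSL documents for the no-authentication alias.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!EXP
# Server certificate and key; SSLCACertificateFile is the set of CAs that
# client (CAC) certificates must chain to.
SSLCertificateFile /etc/pki/tls/certs/MYCERT.crt
SSLCertificateKeyFile /etc/pki/tls/private/MYPRIVATEKEY.key
# SSLCertificateChainFile is deprecated since httpd 2.4.8 (intermediates can be
# appended to SSLCertificateFile instead); kept for compatibility with older builds.
SSLCertificateChainFile /etc/pki/tls/certs/DoD_CAs.pem
SSLCACertificateFile /etc/pki/tls/certs/DoD_CAs.pem
# "require" is what makes the browser prompt for the CAC: mod_ssl only requests
# a client certificate when this is require or optional.
SSLVerifyClient require
SSLVerifyDepth 5
CustomLog logs/splunk_sslrequest_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerAdmin myadminemailaddress@mail.mil
ServerName SplunkSH.myserver.com
# NOTE(review): ErrorLog is also set at the top of this vhost; only one can be
# in effect (presumably this later one) — keep whichever is intended.
ErrorLog logs/splunk_error_log
CustomLog logs/splunk_access_log common
SSLProxyEngine on
# NOTE(review): the connection to Splunk is TLS but the back end's certificate
# is not verified (SSLProxyVerify defaults to none). Once the Splunk
# certificate is issued by a CA you control, enable the two lines below
# (the CA path is a placeholder):
#SSLProxyVerify require
#SSLProxyCACertificateFile /etc/pki/tls/certs/BACKEND_CA_BUNDLE_PLACEHOLDER.pem
KeepAlive On
<Proxy *>
# Forward the UPN from the client certificate. "set" overwrites any cacuser
# header a client may send, and SSLVerifyClient require above guarantees the
# certificate was validated, so Splunk can trust this value when it arrives
# from the proxy address listed as trustedIP in web.conf.
RequestHeader set cacuser %{SSL_CLIENT_SAN_OTHER_msUPN_0}s
</Proxy>
ProxyPass / https://SPLUNKSH.myserver.com:8000
ProxyPassReverse / https://SPLUNKSH.myserver.com:8000
</VirtualHost>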
web.conf
[settings]
httpport = 8000
# permissive: requests arriving from trustedIP with the cacuser header are
# logged in as that user; requests from anywhere else presumably still get the
# normal login form. Because of that fallback, port 8000 should be reachable
# only from the proxy host (host firewall), otherwise users can bypass the CAC
# check by browsing to Splunk directly.
SSOMode = permissive
# Must match the header name the proxy sets (RequestHeader set cacuser ...).
remoteUser = cacuser
enableSplunkWebSSL = 1
# Address of the Apache proxy; the cacuser header is honoured only for
# requests coming from this address (redacted in the post).
trustedIP = X.X.X.X
server.conf
[general]
serverName = SPLUNKSH
# Shared secret between Splunk instances; redacted here and must stay out of
# pasted configs.
pass4SymmKey = XXXXXX
# NOTE(review): loopback here, whereas web.conf trusts the proxy address —
# confirm against the Splunk SSO docs which address server.conf expects.
trustedIP = 127.0.0.1
sessionTimeout = 15m
PS. if anyone has tips on how to set up a consent banner before accessing Splunk I would greatly appreciate it!!
Thank you for your help but unfortunately, the same configurations you provided are not working for my system.
You will need to provide more information on why it's not working. Any logs?
Your best bet would be to reach out to Splunk Support if you are struggling to find out why it's not working.