Splunk Enterprise

Any clues as to how to fix the header setting problem, or how to disable CSRF?

plaxosi
Explorer

Hi

I have a problem when accessing Splunk over a reverse proxy. It seems that the required HTTP Header

X-Splunk-Form-Key

is not being set by the browser. This is despite the fact that the browser has the cookie

splunkweb_csrf_token_8443

from where (I guess) it copies the CSRF token. This results in error messages of the form

ERROR UiAuth - Request from 10.0.0.1 to "/splunk/en-GB/splunkd/__raw/servicesNS/userName/appName/search/jobs" failed CSRF validation -- expected "8617041906791058522", but instead cookie had "8617041906791058522" and header had ""

When accessing Splunk directly the HTTP header is set correctly and no errors occur.

There would be two ways to fix this: 1) find out why the header is not set, or 2) disable CSRF (as a workaround). But I have had no success with either.

Disabling CSRF should be possible using web.conf, but I have tried all combinations I can think of. For example, stanzas like this that try to cover all endpoints:

[expose:all]
methods = GET,POST
pattern = **
skipCSRFProtection = 1

or, more for more specific endpoints:

[expose:search]
methods = GET,POST
pattern = search/**
skipCSRFProtection = 1

But I continue to get the CSRF validation errors.

Any clues as to how to fix the header setting problem, or how to disable CSRF?

Thanks

Labels (1)
1 Solution

plaxosi
Explorer

I have the answer to my own question. It turned out that a reverse proxy before the searchhead was changing the flags on the cookies, specifically in this case it was setting the HTTPOnly flag. Once that security feature on the reverse proxy was disable it all worked fine.

View solution in original post

spunk_enthusias
Path Finder
[expose:all]
methods = GET,POST
pattern = **
skipCSRFProtection = 1

I'm trying to disable CSRF protection for other reasons and can confirm that this approach doesn't work for me.

0 Karma

plaxosi
Explorer

I have the answer to my own question. It turned out that a reverse proxy before the searchhead was changing the flags on the cookies, specifically in this case it was setting the HTTPOnly flag. Once that security feature on the reverse proxy was disable it all worked fine.

davietch
Path Finder

Thank you, it worked. I commented this line and the issue got away:

# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Although it worked, it'd be great to let this security feature enabled and make it work with Splunk....

0 Karma

sarvesh_11
Communicator

Hey, can you please guide, where is this code?
Where have you commented?

0 Karma

davietch
Path Finder

Hi,

Were you able to fix this?
I've got the exact same issue :

failed CSRF validation -- expected "123456", but instead cookie had "123456" and header had ""

I've got Splunk 7.2.7 behind a Reverse proxy.

0 Karma

jawaharas
Motivator

@davietch
Did you try to increase server.socket_timeout parameter value as mentioned in the answer?

0 Karma

davietch
Path Finder

Hi,

Yes, it does not work.

0 Karma

jawaharas
Motivator

Try increasing connection timeout between the browser and Splunk web as below:

server.socket_timeout = <integer>
* The timeout, in seconds, for accepted connections between the browser and  Splunk Web
* Default: 10

Can you get the timeout increased to 60 in web.conf and restart the Splunk instance?

server.socket_timeout = 60
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...