Hi
I have a problem when accessing Splunk over a reverse proxy. It seems that the required HTTP Header
X-Splunk-Form-Key
is not being set by the browser. This is despite the fact that the browser has the cookie
splunkweb_csrf_token_8443
from where (I guess) it copies the CSRF token. This results in error messages of the form
ERROR UiAuth - Request from 10.0.0.1 to "/splunk/en-GB/splunkd/__raw/servicesNS/userName/appName/search/jobs" failed CSRF validation -- expected "8617041906791058522", but instead cookie had "8617041906791058522" and header had ""
When accessing Splunk directly the HTTP header is set correctly and no errors occur.
There would be two ways to fix this: 1) find out why the header is not set, or 2) disable CSRF (as a workaround). But I have had no success with either.
Disabling CSRF should be possible using web.conf, but I have tried all combinations I can think of. For example, stanzas like this that try to cover all endpoints:
[expose:all]
methods = GET,POST
pattern = **
skipCSRFProtection = 1
or, for more specific endpoints:
[expose:search]
methods = GET,POST
pattern = search/**
skipCSRFProtection = 1
But I continue to get the CSRF validation errors.
Any clues as to how to fix the header setting problem, or how to disable CSRF?
Thanks
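Added example, not part of the original post: a small Python triage script for UiAuth CSRF failure lines of the form quoted above, sorting them by which side of the cookie/header comparison is empty or wrong. The regular expression is derived only from the single log line in the post; the verdict names and every sample line except the first are constructed.

```python
import re
from collections import Counter

# Regex derived from the single UiAuth line quoted in the post (an assumption
# about the general message layout, not taken from Splunk documentation).
CSRF_RE = re.compile(
    r'ERROR UiAuth - Request from (?P<src>\S+) to "(?P<path>[^"]*)" failed CSRF '
    r'validation -- expected "(?P<expected>[^"]*)", but instead cookie had '
    r'"(?P<cookie>[^"]*)" and header had "(?P<header>[^"]*)"'
)

def classify(line):
    """Return (src, path, verdict) for a CSRF failure line, else None."""
    m = CSRF_RE.search(line)
    if not m:
        return None
    expected, cookie, header = m["expected"], m["cookie"], m["header"]
    if cookie == "":
        verdict = "cookie_missing"    # no CSRF cookie reached the server
    elif cookie != expected:
        verdict = "cookie_mismatch"   # cookie present but not the expected token
    elif header == "":
        verdict = "header_missing"    # cookie intact, X-Splunk-Form-Key empty
    elif header != expected:
        verdict = "header_mismatch"   # header present but carries another value
    else:
        verdict = "unclassified"      # both match, yet the request was rejected
    return m["src"], m["path"], verdict

def summarize(lines):
    """Count failures per (source address, verdict), ignoring unrelated lines."""
    results = (classify(line) for line in lines)
    return Counter((r[0], r[2]) for r in results if r is not None)

SAMPLE_LINES = [
    # Line 1 is the message quoted in the post; the rest are constructed.
    'ERROR UiAuth - Request from 10.0.0.1 to "/splunk/en-GB/splunkd/__raw/servicesNS/userName/appName/search/jobs" failed CSRF validation -- expected "8617041906791058522", but instead cookie had "8617041906791058522" and header had ""',
    'ERROR UiAuth - Request from 10.0.0.2 to "/splunk/en-GB/constructed/path" failed CSRF validation -- expected "1111", but instead cookie had "" and header had ""',
    'ERROR UiAuth - Request from 10.0.0.1 to "/splunk/en-GB/constructed/path" failed CSRF validation -- expected "1111", but instead cookie had "1111" and header had "2222"',
    'INFO UiAuth - constructed unrelated line',
]

if __name__ == "__main__":
    for (src, verdict), count in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{src:<12} {verdict:<16} {count}")
```

A source address that only ever produces header_missing, as in the post, shows the token arriving in the cookie while the X-Splunk-Form-Key header is empty on every request from that path.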