Security

Can I run SplunkWeb on port 80 on Linux without running as root?

jradkowskiAAMC
Explorer

I've seen the other questions regarding this topic and only the Solaris question & answer get close.

I am looking to change the default port Splunkweb runs on from 8000 to 80 for obvious usability reasons. I start Splunk as user "splunk" so naturally the user can't start processes on port 80.

Is there a work around for this outside of using a server/device to translate 8000 to 80 (ie> Apache)?

Note: Having the server start up as root is out of the question due to security concerns.

1 Solution

Johnvey
Contributor

Binding privileged ports as a non-root user involves different solutions depending on your platform. A decent writeup can be found here:

http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege...

Many customers elect to use a web proxy like Apache, the most commonly available service, to proxy port 80 through to Splunk on port 8000. This passes on the binding responsibility to Apache so one does not have to configure the splunk user. A template for doing this can be found in the Splunk documentation for configuring SSO.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

You could also use some sort of port redirection method to connect incoming connections on 80 to the nonpriveledged port, but this forgoes some of the security advantages of using a low port (it's hard for local users to spoof your service if they don't have the capability.)

Personally I'd rather use either of the two options outlined by Johnvey.

0 Karma

Johnvey
Contributor

Binding privileged ports as a non-root user involves different solutions depending on your platform. A decent writeup can be found here:

http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege...

Many customers elect to use a web proxy like Apache, the most commonly available service, to proxy port 80 through to Splunk on port 8000. This passes on the binding responsibility to Apache so one does not have to configure the splunk user. A template for doing this can be found in the Splunk documentation for configuring SSO.

jradkowskiAAMC
Explorer

Yeah I've already implemented a proxy in the past so I'm well aware that it's a viable solution but I am trying to minimize dependencies for Splunkweb being accessible.

I definitely need to check into setcap as that is new to me and from that thread it appears that's the solution I am looking for.

0 Karma

BunnyHop
Contributor

You should be able to modify the web.conf with the following setting:

[settings]
httpport = 80

Mick
Splunk Employee
Splunk Employee

The question isn't about how to configure Splunk to run on port 80, it's about how to configure the OS so that the Splunk user is allowed to bind to that port.

By default, port 80 is in the 'restricted' list of ports, so only the root user, and possibly other privileged users are allowed access it. The restricted ports are 1024 and lower

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...