- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Splunk behind reverse proxy
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk behind reverse proxy
I have tried to configure a reverse proxy (using nginx) to Splunk but not work correctly. Splunk and proxy server are in the same machine. When accessing to Splunk by proxy the browser is redirectet to localhost:8000 and not work. Using the same proxy server to access other web services work fine. I have also setting the parameter tools.proxy.on to True but behavior not change. The problem was found on Linux and also Windows.
My Splunk version is the latest (4.1.3).
This is my web.conf (in etc/system/local)
[settings]
root_endpoint = /splunk
tools.proxy.on = True
server.socket_host = 127.0.0.1
What's wrong? Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did just figure out how to use the Juniper Device as a reverse proxy. In addition to configuring the reverse proxy, I also had to create a custom headers rewriting policy that allowed custom headers to be written. If anyone else needs help with this configuration, give me a shout.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried using a Juniper SA device or a MAG as the reverse proxy? I am having a similar issue. Could someone assist with using the Juniper devices as the reverse proxy?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
We're using Splunk 4 (4.1.6 build 89596) and wanted to setup forward proxy, where the proxy is on a separate machine. Most of the other examples I found assumed the proxy and splunk run on the same server.
The main issue with doing this is that Splunk really wants to redirect the user directly to itself. The worst bit is that does the redirect using HTML, not any HTTP headers. (If it used HTTP headers, then Apache's mod_proxy could do the rewrite (Possibly the module mod_proxy_html can rewrite the HTML for you, but I haven't tried this). Dear splunk developers, it would be cool if you could fix the redirection method 🙂 ).
I found that when you set 'tools.proxy.on = True' then Splunk assumes that the Web/Proxy server is running locally on the same server as the Splunk. In this case, it keeps redirecting to 127.0.0.1. Therefore, if you are running a separate Web/Proxy server, then you do NOT want to set this (leave it blank, or set 'tools.proxy.on = false').
Our solution was to set /opt/splunk/etc/system/local/web.conf like this:
[settings]
root_endpoint = /splunk
httpport = 80
Then on the separate machine running Apache (we actually are using Apache with SSL) the lines we added to the existing mod_proxy configuration were:
ProxyPass /splunk http://10.0.0.10/splunk
ProxyPassReverse /splunk http://10.0.0.10/splunk
Enjoy!
Kind regards,
Dave Seddon
dave at seddon ca
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suspect that you want tools.proxy.on = False
Also, the root_endpoint says that splunk will be served from :8000/splunk. Exclude that parameter if that's not what you want.
I'd try hitting the URL http://myserver:8000/splunk
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
