
Reverse Proxy not working configuration even with expected config

guilmxm
SplunkTrust

Hi all,

I finally decided to post and get help from here to deal with Splunk configuration behind a reverse Proxy.
I've read and searched for many posts all over the Internet and this forum, and found various solutions expected to solve this, but I still have some issues.

I have an internal Reverse Proxy, Nginx running SSL requesting directly Splunk web server, also running SSL.

This almost works: I can get access to Splunk, log in and so on, and I can open any application and dashboards with no issue.

BUT under a few cases, it does not work as expected, some examples:

  • "Browse" under Manager / Add Input / Files or Directory: the browser window starts to open with the time clock, and then nothing, it keeps running with no end
  • "Save" button under any Manager function works, as the action behind it is done (like saving a new file and so on), but the button keeps reporting "Saving" instead of returning to the previous page in normal time

My Splunk configuration is:

local/web.conf

# I tried with and without tools.proxy.on
root_endpoint = /splunk
enableSplunkWebSSL = 1
tools.proxy.on = True

under nginx:

location /splunk/ {
    proxy_pass https://splunkserver:8000;
    access_log /var/log/nginx/splunk.access.log;
    error_log /var/log/nginx/splunk.error.log;
}

Of course, when requesting directly internally to the Splunk web server, everything works as expected.

I also tested with Apache running as reverse proxy, and got exactly the same issue.
Tried with the reverse proxy running SSL and the Splunk backend running http, same thing.
Tried "SSOMode = permissive", no change.

I searched for any interesting error in the nginx logs and the Splunk web logs, nothing... all I get is the related GET and POST operations with code 200 for GET, so normal...

I'm suspecting problems with the session cookie or something abnormal in the HTTP headers, or perhaps something related to the Splunk SSO config, or SSL negotiation and ciphers...
Running out of ideas!

Can anyone help me get my reverse proxy configuration to work? 🙂

Thanks!

Guilhem

0 Karma

guilmxm
SplunkTrust

Corrected with Splunk version 6; Splunk behind an Nginx reverse proxy works perfectly with the configuration above.

0 Karma

bshuler_splunk
Splunk Employee

Good News: What you are trying should work.

Bad News: What you are trying should work.

The documentation here may help: http://wiki.splunk.com/Community:SplunkBehindAProxy

The issue is the URL rewriting. It looks like some of the URLs are not being rewritten correctly.

If you analyze the source of your hung pages, you will likely see references to:
http://server:8000/
or http://server/
or https://server:8000/
or http://server/splunk
instead of the one thing that will work, https://nginxserver/splunk

Once you determine what isn't being rewritten correctly, your next step is to write an nginx rewrite rule to fix the issue. This is documented here: http://nginx.org/en/docs/http/ngx_http_rewrite_module.html

Once you have it all working, post back here. I would love to see what you come up with!
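
The check suggested in the answer above (look in the page source for URLs that were not rewritten), as an added example that is not part of the original thread: a Python scan of saved page source for references that bypass `https://nginxserver/splunk`. The host names in `KNOWN_HOSTS`, the function name and the sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# URL users should see through the proxy (named in the answer above).
EXPECTED_BASE = "https://nginxserver/splunk"
# Assumption: host names that refer to the Splunk backend or the proxy.
KNOWN_HOSTS = {"server", "splunkserver", "nginxserver"}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
ATTR_RE = re.compile(r"""(?:href|src|action)\s*=\s*["'](/[^"']*)["']""", re.IGNORECASE)

# Constructed sample page source (not captured from a real Splunk instance).
SAMPLE = """
<link href="/splunk/static/css/app.css">
<script src="http://server:8000/static/js/i18n.js"></script>
<form action="/en-US/manager/save">
<a href="https://nginxserver/splunk/en-US/app/search">ok</a>
<a href="https://server:8000/en-US/account/login">login</a>
<a href="http://server/splunk">home</a>
<a href="https://docs.example.org/help">help</a>
"""


def find_unrewritten(page_source, expected_base=EXPECTED_BASE, hosts=KNOWN_HOSTS):
    """Return (reference, reason) pairs for links that bypass the proxy base URL."""
    base = urlsplit(expected_base)
    prefix = base.path.rstrip("/")
    findings = []
    for url in URL_RE.findall(page_source):      # absolute URLs
        u = urlsplit(url)
        if u.hostname not in hosts:
            continue                             # third-party link, ignore
        if u.scheme != base.scheme:
            findings.append((url, "wrong scheme"))
        elif u.netloc != base.netloc:
            findings.append((url, "wrong host or port"))
        elif not (u.path == prefix or u.path.startswith(prefix + "/")):
            findings.append((url, "missing root_endpoint prefix"))
    for path in ATTR_RE.findall(page_source):    # root-relative paths
        if path.startswith("//"):
            continue                             # protocol-relative URL, skip
        if not (path == prefix or path.startswith(prefix + "/")):
            findings.append((path, "missing root_endpoint prefix"))
    return findings


if __name__ == "__main__":
    for ref, reason in find_unrewritten(SAMPLE):
        print(f"{reason}: {ref}")
```

Each reported reference shows which scheme, host or path prefix a rewrite rule on the proxy would have to cover.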

guilmxm
SplunkTrust

Hi,

Thank you for answering this quite old post...

I have no doubt your analysis is right, and probably looking at nginx logs to find hung pages and generate rewrite rules would have corrected the situation.

But anyway, and fortunately, what was not working with Splunk version 5 suddenly started working with version 6.

I guess a few things have been corrected; Splunk behind an nginx reverse proxy works like a charm now with the expected configuration.

0 Karma

lukejadamec
Super Champion

Yup. Reverse https proxy with SSO definitely works. Have you tried with IIS? I've not tried with apache or nginx.

guilmxm
SplunkTrust

Hi,

Anyone with a full working reverse proxy configuration?

Thanks!

0 Karma