2

So, I have previously installed Splunk 3.x behind a reverse proxy and downloaded the latest version (4.0.6 at the time of typing) expecting it to be as easy to use as before. Sadly this was not the case. There appear to be some elements which are not being translated correctly through the reverse proxy, causing Splunk to fail.

I have used the following configuration in Apache2 to no avail:

    <VirtualHost *>
        ServerName monitoringbox.com
        DocumentRoot /path/to/nowhere

        ProxyRequests off
        ProxyPass /splunk http://127.0.0.1:8000/splunk
        ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
        <Proxy /splunk/*>
            Order  allow,deny
            Allow  from all
        </Proxy>
    </VirtualHost>

Has anyone else had more luck than me in setting up Splunk 4.x behind a reverse proxy?

chmeee
sgerrand

4 Answers

2

The key element that needs to be changed in the Splunk web.conf is:

    tools.proxy.on = True

All good now.

sgerrand
0

I see you are mapping /splunk into /splunk of the backend instance, port 8000. I don't know what the behavior of your version is, but ours (4.2) answers directly on /.

Can you try removing the /splunk part of the backend URL? Like this:

    ProxyPass          /splunk   http://127.0.0.1:8000/
    ProxyPassReverse   /splunk   http://127.0.0.1:8000/
user842313
-1

One of my Splunk installs is behind a reverse proxy. Instructions are over at splunkninja.com: http://splunkninja.com/profiles/blogs/configuring-apache-as-a

  • Thanks for the reply - I think there is something more fundamental breaking the proxy behaviour, as you shouldn't need to have three separate rules for {en-US,static,manager}. I think it's more likely to be either the differing root for the Splunk instance or a more complex proxy config is required to ensure that the cookie elements are translated correctly. Off to tcpdump I go. – sgerrand Nov 16 '09 at 22:41
-1

I can't comment yet... replying to @sgerrand

I solved the issue by creating two different rewrite rules: one for static and another for the rest of the content. Please keep in mind that my configuration is for two Splunk search heads with different contexts.

    <VirtualHost blablabla:443>

    # .... .... All the stuff related to servername, directory, documentroot and SSL configuration .... ....

    AllowEncodedSlashes On

    SSLProxyEngine On

    RequestHeader set Front-End-Https "On"

    # Disable certificate checks on SSLProxy because using self-signed certs on Splunk search heads
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # rewrite rule to forward the request for each of the search heads
    ProxyPassReverse /one https://10.0.1.1:8000/one
    ProxyPassReverse /two https://10.0.1.2:8000/two

    RewriteEngine on

    # rewrite rule for the context nonstatic
    RewriteRule /one(.*) balancer://splunkbalancer_one$1 [P]
    RewriteRule /two(.*) balancer://splunkbalancer_two$1 [P]

    # rewrite for static requests
    RewriteRule ^/(.+) balancer://splunkbalancer/$1 [P]

    # setting for sticky session on the balancers
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

    # Balancer for static requests
    <Proxy balancer://splunkbalancer>
            BalancerMember https://10.0.1.1:8000/one route=1
            BalancerMember https://10.0.3.2:8000/two route=2
            ProxySet stickysession=ROUTEID
    </Proxy>

    # Balancer for nonstatic for each Splunk context; this is to prepare for the future and have more than one search head in each context
    <Proxy balancer://splunkbalancer_one>
            BalancerMember https://10.0.1.1:8000/one route=1
            ProxySet stickysession=ROUTEID
    </Proxy>

    <Proxy balancer://splunkbalancer_two>
            BalancerMember https://10.0.1.2:8000/two route=2
            ProxySet stickysession=ROUTEID
    </Proxy>

    </VirtualHost>
BANJOSA
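
The answer above switches off every upstream certificate check so that the self-signed Splunk certificates are accepted. As an added example (not code from any post on this page), the following Python audit flags those mod_ssl proxy settings in a vhost's text; the function name `audit_ssl_proxy` and the CA file path are assumptions, and both sample configs are constructed.

```python
# Value each mod_ssl proxy check should have; the answer's config turns all four off.
EXPECTED = {
    "sslproxyverify": "require",
    "sslproxycheckpeercn": "on",
    "sslproxycheckpeername": "on",
    "sslproxycheckpeerexpire": "on",
}
CA_DIRECTIVES = {"sslproxycacertificatefile", "sslproxycacertificatepath"}

def audit_ssl_proxy(conf_text):
    """Return (line_no, message) findings; line_no 0 means a missing directive."""
    seen, findings = {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and section tags
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen[name] = value
        if name in EXPECTED and value != EXPECTED[name]:
            findings.append((no, f"{parts[0]} {value}: expected {EXPECTED[name]}"))
    if seen.get("sslproxyengine") != "on":
        return []  # proxy does not speak TLS to the backend; nothing to check
    if "sslproxyverify" not in seen:
        findings.append((0, "SSLProxyVerify not set: mod_ssl defaults to none"))
    if CA_DIRECTIVES.isdisjoint(seen):
        findings.append((0, "no SSLProxyCACertificateFile/Path to verify against"))
    return findings

# Constructed sample: the TLS lines from the answer's VirtualHost.
ANSWER_CONF = """\
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
"""

# Constructed hardened variant; the CA path is a placeholder.
HARDENED_CONF = """\
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/splunk-ca.pem
"""

if __name__ == "__main__":
    for no, msg in audit_ssl_proxy(ANSWER_CONF):
        print(f"line {no}: {msg}")
```

With self-signed search-head certificates, pointing `SSLProxyCACertificateFile` at a file containing those certificates (or the CA that issued them) lets `SSLProxyVerify` stay at `require`.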