Home / server / Questions / 85095
In Process
sgerrand
Asked: 2009-11-17 01:08:49 +0800 CST

Running a reverse proxy in front of Splunk 4.x

  • 772

So, I have previously installed Splunk 3.x behind a reverse proxy and downloaded the latest version (4.0.6 at time of typing) expecting it to be as easy to use as before. Sadly this was not the case. There appears to be some elements which are not being translated correctly through the reverse proxy, causing Splunk to fail.

I have used the following configuration in Apache2 to no avail:

<VirtualHost *>
    ServerName monitoringbox.com
    DocumentRoot /path/to/nowhere

    ProxyRequests off
    ProxyPass /splunk http://127.0.0.1:8000/splunk
    ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
    <Proxy /splunk/*>
        Order  allow,deny
        Allow  from all
    </Proxy>

Has anyone else had more luck than me in setting up Splunk 4.x behind a reverse proxy?

monitoring

4 Answers

  1. The key element that needs to be changed in the Splunk web.conf is:

    
tools.proxy.on = True

    All good now.

    • 2

  2. I see you are mapping /splunk into /splunk of backend instance, port 8000. I don't know what is the behavior of your version, but ours (4.2) answers directly on /.

    Can you try removing the /splunk part of the backend url? Like this:

    ProxyPass          /splunk   http://127.0.0.1:8000/
ProxyPassReverse   /splunk   http://127.0.0.1:8000/
    • 0

  3. One of my Splunk installs is behind a reverse proxy. Instructions are over at splunkninja.com: http://splunkninja.com/profiles/blogs/configuring-apache-as-a

    • -1

  4. I can't comment yet... replying to @sgerrand

    I solved the issue creating two different rewrite rules. One for static and another for the rest of the content. Please keep in mind that my configuration is for two Splunk search heads with different contexts.

        < VirtualHost blablabla:443>

    .... .... All the stuff related to servername, directory, documentroot and SSL configuration .... ....

        AllowEncodedSlashes On

    SSLProxyEngine On

    RequestHeader set Front-End-Https "On"

    Disable certificate checks on SSLProxy because using self-signed certs on Splunk search heads

        SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    rewrite rule to forward the request for each of the search heads

        ProxyPassReverse /one https://10.0.1.1:8000/one
    ProxyPassReverse /two https://10.0.1.2:8000/two

    RewriteEngine on

    rewrite rule for the context nonstatic

        RewriteRule /one(.*) balancer://splunkbalancer_one$1 [P]
    RewriteRule /two(.*) balancer://splunkbalancer_two$1 [P]

    rewrite for static requests

        RewriteRule ^/(.+) balancer://splunkbalancer/$1 [P]

    setting for sticky session on the balancers

        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

    Balacer for static requests

        <Proxy balancer://splunkbalancer>
            BalancerMember https://10.0.1.1:8000/one route=1
            BalancerMember https://10.0.3.2:8000/two route=2
            ProxySet stickysession=ROUTEID
    </Proxy>

    Balacer for nonstatic for each Splunk context this is to prepare for the future and have more than one search head in each context

        <Proxy balancer://splunkbalancer_one>
            BalancerMember https://10.0.1.1:8000/one route=1
            ProxySet stickysession=ROUTEID
    </Proxy>

    <Proxy balancer://splunkbalancer_two>
            BalancerMember https://10.0.1.2:8000/two route=2
            ProxySet stickysession=ROUTEID
    </Proxy>

    </VirtualHost>
    • -1