Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Configuring Apache as a reverse proxy to Splunk
My company has a demo VM running WebSphere Portal, and I also put Splunk on that server to help me troubleshoot it remotely much more efficiently. However, the only public traffic allowed into that VM is over ports 80 and 443.
That VM already has an instance of Apache (IBM HTTP Server actually) running, and the WebSphere plugin makes it function as a reverse proxy to WebSphere Application Server. It's configuration handles it's own set of URIs, so I needed to make Apache handle the ones for Splunk.
As far as I've been able to tell, Splunk URIs all start with en-US, static, or manager. So, this has worked perfectly for me so far:
ProxyRequests Off
ProxyPass /en-US http://127.0.0.1:8000/en-US
ProxyPassReverse /en-US http://127.0.0.1:8000/en-US
ProxyPass /static http://127.0.0.1:8000/static
ProxyPassReverse /static http://127.0.0.1:8000/static
ProxyPass /manager http://127.0.0.1:8000/manager
ProxyPassReverse /manager http://127.0.0.1:8000/manager
Of course you'll need the Apache proxy modules enabled:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
That VM already has an instance of Apache (IBM HTTP Server actually) running, and the WebSphere plugin makes it function as a reverse proxy to WebSphere Application Server. It's configuration handles it's own set of URIs, so I needed to make Apache handle the ones for Splunk.
As far as I've been able to tell, Splunk URIs all start with en-US, static, or manager. So, this has worked perfectly for me so far:
ProxyRequests Off
ProxyPass /en-US http://127.0.0.1:8000/en-US
ProxyPassReverse /en-US http://127.0.0.1:8000/en-US
ProxyPass /static http://127.0.0.1:8000/static
ProxyPassReverse /static http://127.0.0.1:8000/static
ProxyPass /manager http://127.0.0.1:8000/manager
ProxyPassReverse /manager http://127.0.0.1:8000/manager
Of course you'll need the Apache proxy modules enabled:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
-
Comment by Sasha on November 16, 2009 at 2:56pm -
A more compact version of the Apache2 directives would be:
ProxyRequests off
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
Additionally, the following must be set in the Splunk 4.x web.conf:
tools.proxy.on = True
(Glad to get it finally working.)
-
Comment by Dave Jones on November 16, 2009 at 3:02pm -
Sasha,
That is more compact if you want to forward ALL requests to Splunk. However, I have other apps running behind that same instance of Apache, so I had to selectively proxy.
But thanks for pointing out that it can be made simpler if you only need to proxy to Splunk.
Dave
-
Comment by Sasha on November 16, 2009 at 3:14pm
-
True.
In that case, you might as well isolate Splunk in its own 'directory' via the following configuration directives:
Apache configuration:
ProxyPass /splunk http://127.0.0.1:8000/splunk
ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
Splunk web.conf configuration:
root_endpoint = /splunk
tools.proxy.on = True
-
Comment by Sasha on November 16, 2009 at 3:15pm
-
Additionally, thanks for your comment on serverfault!
-
Comment by Dave Jones on November 16, 2009 at 3:20pm
-
I'd completely overlooked root_endpoint. I should've looked for that option knowing that the Splunk devs have thought of far more obscure settings. Thanks!
-
Comment by Keith Lawson on February 1, 2010 at 11:37am
-
I am still having problems getting Splunk 4 to recognize a Reverse Proxy with .htpasswd file authentication. Can you see if you can get it working your system. With Splunk 3 this worked fine with the following httpd.conf
ServerAdmin root@localhost
ServerName server.company.com
ServerAlias server
ProxyPass / http://server:8000/
ProxyPassReverse / http://server:8000/
ErrorLog logs/splunk-error_log
CustomLog logs/splunk-access_log common
Order deny,allow
Deny from all
Allow from all
AuthName "server"
AuthType Basic
AuthUserFile /var/www/.htpasswd.splunk
Require valid-user
I have tried multiple configurations with changes to httpd.conf, web.conf, splunk-launch.conf. Like I said it worked before version 4 and now it will not. All we want the web site to be redirected via an https/ssl proxy authentication to provide some sort of security to the free splunk. Any suggestions would be appreciated. Thanks!
Comment
© 2012 Created by Michael Wilde.
You need to be a member of splunkninja to add comments!
Join splunkninja