The dojo of Splunk. Learn, share, teach, mentor.

Configuring Apache as a reverse proxy to Splunk

My company has a demo VM running WebSphere Portal, and I also put Splunk on that server to help me troubleshoot it remotely much more efficiently. However, the only public traffic allowed into that VM is over ports 80 and 443.

That VM already has an instance of Apache (IBM HTTP Server actually) running, and the WebSphere plugin makes it function as a reverse proxy to WebSphere Application Server. It's configuration handles it's own set of URIs, so I needed to make Apache handle the ones for Splunk.

As far as I've been able to tell, Splunk URIs all start with en-US, static, or manager. So, this has worked perfectly for me so far:

ProxyRequests Off
ProxyPass /en-US http://127.0.0.1:8000/en-US
ProxyPassReverse /en-US http://127.0.0.1:8000/en-US
ProxyPass /static http://127.0.0.1:8000/static
ProxyPassReverse /static http://127.0.0.1:8000/static
ProxyPass /manager http://127.0.0.1:8000/manager
ProxyPassReverse /manager http://127.0.0.1:8000/manager

Of course you'll need the Apache proxy modules enabled:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Tags: proxy, reverse

< Previous Post

Comment

You need to be a member of splunkninja to add comments!

Join splunkninja

Comment by Keith Lawson on February 1, 2010 at 11:37am: I am still having problems getting Splunk 4 to recognize a Reverse Proxy with .htpasswd file authentication. Can you see if you can get it working your system. With Splunk 3 this worked fine with the following httpd.conf

ServerAdmin root@localhost
ServerName server.company.com
ServerAlias server
ProxyPass / http://server:8000/
ProxyPassReverse / http://server:8000/
ErrorLog logs/splunk-error_log
CustomLog logs/splunk-access_log common

Order deny,allow
Deny from all
Allow from all
AuthName "server"
AuthType Basic
AuthUserFile /var/www/.htpasswd.splunk
Require valid-user

I have tried multiple configurations with changes to httpd.conf, web.conf, splunk-launch.conf. Like I said it worked before version 4 and now it will not. All we want the web site to be redirected via an https/ssl proxy authentication to provide some sort of security to the free splunk. Any suggestions would be appreciated. Thanks!

Comment by Dave Jones on November 16, 2009 at 3:20pm: I'd completely overlooked root_endpoint. I should've looked for that option knowing that the Splunk devs have thought of far more obscure settings. Thanks!

Comment by Sasha on November 16, 2009 at 3:15pm: Additionally, thanks for your comment on serverfault!

Comment by Sasha on November 16, 2009 at 3:14pm: True.

In that case, you might as well isolate Splunk in its own 'directory' via the following configuration directives:

Apache configuration:

ProxyPass /splunk http://127.0.0.1:8000/splunk
ProxyPassReverse /splunk http://127.0.0.1:8000/splunk

Splunk web.conf configuration:

root_endpoint = /splunk
tools.proxy.on = True

Comment by Dave Jones on November 16, 2009 at 3:02pm: Sasha,

That is more compact if you want to forward ALL requests to Splunk. However, I have other apps running behind that same instance of Apache, so I had to selectively proxy.

But thanks for pointing out that it can be made simpler if you only need to proxy to Splunk.

Dave

Comment by Sasha on November 16, 2009 at 2:56pm: A more compact version of the Apache2 directives would be:

ProxyRequests off
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

Additionally, the following must be set in the Splunk 4.x web.conf:

tools.proxy.on = True

(Glad to get it finally working.)