
Technology Blog

January 3rd, 2010

Splunk HTTP Authentication with the Nginx Proxy Module

Splunk is probably one of the greatest IT tools of all time. It is a robust monitoring and reporting tool that can index just about any type of data from several types of data inputs.

There is a free license version of the Splunk software that has a few limitations in comparison to the enterprise licensed version; one of the limitations is the inability to perform a basic method of user and password authentication (or even the full scope of PAM authentication methods). We can fix this easily with a small and lightweight installation of the freely available Nginx web server software.


For this guide, I will demonstrate the process on a Linux-based Splunk deployment. I will not go into the details of how to install Splunk, and will presume a preexisting installation.


How it Works

Below is a diagram showing the communication between the client connecting to Splunk, running on the host "splunkbox":

[Diagram: Nginx Splunk Proxy]

Nginx will proxy all requests on SSL port 443 for https://splunkbox/splunk to the Splunk instance (running on the same server), which listens only on 127.0.0.1:8000. Any attempts to bypass the authentication mechanism we configure (by making direct requests to splunkbox:8000) will be denied.


Step #1: Getting the Required Software

We will begin by grabbing the latest Nginx stable source and installing it on our Splunk server:


        For the latest software available, go to the Nginx download page

        * Make sure you have the OpenSSL development libraries installed
        before compiling the Nginx source, if you want the layer of SSL.


        cd /usr/src
        wget http://nginx.org/download/nginx-0.9.3.tar.gz
        tar zxf nginx-0.9.3.tar.gz && cd nginx-0.9.3
        ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
                --with-http_ssl_module
        make
        sudo make install


        * Full compile options can be found on the Nginx wiki
       

If everything succeeded, you should have a fresh installation located in /etc/nginx.


Step #2: Configuring Splunk

We start this process by editing the Splunk web.conf to add the settings it needs to run on localhost and behind a proxy:


	File: $SPLUNK_HOME/etc/system/local/web.conf

	(Replace $SPLUNK_HOME with your Splunk root installation path)


	[settings]
	enableSplunkWebSSL = 0
	server.socket_host = 127.0.0.1
	tools.proxy.on = True
	root_endpoint = /splunk
       
        

Once the web.conf file looks like the above, restart Splunk with the following command:



	$SPLUNK_HOME/bin/splunk restart
        
        

Splunk should now bind to localhost only and be set for accepting proxy requests (it's a good idea to confirm that it is listening only on localhost with the netstat command).
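The netstat check suggested above can be scripted. This is an added example, not part of the original guide; the function name check_loopback_only and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the Splunk Web port is bound to loopback only.
# Reads a listener table (`netstat -ltn` or `ss -ltn` output) on stdin.
# Exit status: 0 = loopback only, 1 = bound to another address,
#              2 = nothing is listening on the port.
check_loopback_only() {   # hypothetical helper name
    awk -v port="$1" '
        /LISTEN/ {
            la = $4                        # local address column in both tools
            n = match(la, /:[0-9]+$/)      # start of the trailing ":port"
            if (n == 0 || substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            seen = 1
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") {
                printf "EXPOSED: port %s is bound to %s\n", port, addr
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample listings (not captured from a real host).
SAMPLE_LOCAL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN'
SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN'

# Demo on the samples; on the server use: netstat -ltn | check_loopback_only 8000
for listing in "$SAMPLE_LOCAL" "$SAMPLE_EXPOSED"; do
    if printf '%s\n' "$listing" | check_loopback_only 8000; then
        echo "OK: port 8000 is loopback only"
    fi
done
```

A non-zero result after the restart means the web.conf change did not take effect and the unauthenticated Splunk interface is still reachable directly.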


Step #3: Nginx Configuration

This step will presume that you wish to use SSL for the configuration and have properly generated the needed SSL certificates (if you do not have certificates already, refer to the OpenSSL documentation on how to generate a self-signed certificate). In this section we will edit the nginx.conf directly, and for the sake of simplicity will not cover how to set up separate virtual host configuration files:


       File: /etc/nginx/nginx.conf

       (Add this within the http {  } stanza)

       server {
           listen   443; # Change to another port if 443 is taken
           server_name  splunkbox splunkbox.domain.tld;

           ### Our SSL directives
           ssl  on;
           ssl_certificate  /path/to/server.crt;
           ssl_certificate_key  /path/to/server.key;

           ssl_session_timeout  5m;

           # Tweak to your needs. SSLv3 is obsolete and insecure (POODLE):
           # drop it and list only the TLS versions your nginx/OpenSSL build supports.
           ssl_protocols  SSLv3 TLSv1;
           ssl_ciphers  HIGH:MEDIUM;
           ssl_prefer_server_ciphers   on;

           access_log  /var/log/nginx/splunk-access.log;
           error_log  /var/log/nginx/splunk-error.log;


           location /splunk {

               ### Proxy directive
               proxy_pass        http://127.0.0.1:8000/splunk/;

               ### Basic authentication directive
               auth_basic            "Restricted";
               auth_basic_user_file  /etc/nginx/nginx.passwd;
           }
       }

        
        

Next we create our password file for the authentication:


        From the Nginx documentation:

        "Passwords must be encoded by function crypt(3). You
        can create the password file with the htpasswd program
        from Apache."

        If you do not have apache2-utils installed, see man 3 crypt on
        how to generate this.


        htpasswd -c /etc/nginx/nginx.passwd <username>

        (prompted to enter password twice)

        
        

Now we can start Nginx with the command "nginx" from a terminal (and now would be a good time to read the Nginx man page).


Step #4: Testing the Proxy

Assuming that the nginx binary is running and listening on the correct port, open up a browser and navigate to https://splunkbox/splunk. You should be prompted for the username and password as set in the above configuration. Once you are authenticated, you should see the Splunk interface.
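The same test can be run from the command line of a client machine (not from splunkbox itself, where port 8000 is reachable on loopback). This is an added example, not part of the original guide; the function names are hypothetical, and it assumes an authenticated request to Splunk answers with a 2xx or 3xx status.

```shell
#!/bin/sh
# Added example: verify that the nginx proxy is the only way in to Splunk.
# Usage from a client machine: sh verify.sh splunkbox 'user:password'

# http_code URL [user:password] -> prints the HTTP status, "000" if no connection.
# -k accepts the self-signed certificate this guide allows for.
http_code() {
    if [ -n "${2:-}" ]; then
        curl -sk -m 5 -o /dev/null -w '%{http_code}' -u "$2" "$1" || true
    else
        curl -sk -m 5 -o /dev/null -w '%{http_code}' "$1" || true
    fi
}

# verify_proxy HOST USER:PASSWORD -> returns 0 only if all three checks pass.
verify_proxy() {
    host="$1"; cred="$2"; fail=0

    # 1. No credentials: nginx must answer 401 before Splunk is ever reached.
    code=$(http_code "https://$host/splunk")
    [ "$code" = 401 ] || { echo "FAIL: no credentials gave $code, expected 401"; fail=1; }

    # 2. Valid credentials: request is proxied (assumed 2xx or a redirect).
    code=$(http_code "https://$host/splunk" "$cred")
    case "$code" in
        2??|3??) ;;
        *) echo "FAIL: valid credentials gave $code, expected 2xx/3xx"; fail=1 ;;
    esac

    # 3. Direct request to Splunk's own port must not connect at all.
    code=$(http_code "http://$host:8000/splunk")
    [ "$code" = 000 ] || { echo "FAIL: port 8000 answered $code, expected no connection"; fail=1; }

    [ "$fail" -eq 0 ] && echo "PASS: proxy enforces authentication"
    return "$fail"
}

if [ "$#" -ge 2 ]; then
    verify_proxy "$1" "$2"
fi
```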



