From Splunk Wiki
Placing Splunk behind a Web proxy
This topic is valid for all versions of Splunk starting with 2.2.
However, it is not valid for 4.x. (See update below.)
You want to place the Splunk web server behind a proxy server to:
1. enforce access restrictions via existing resources
2. put multiple Splunk instances on the same host and port, but under separate subdirectories
3. add Splunk as a subdirectory on an existing Web server
The only scenario supported by Splunk v2.2 is (1). Scenarios (2) and (3) are not feasible under Splunk 2.2. Splunk 3.0 and above will not have these restrictions, and will support all traditional proxy configurations.
Splunk can be successfully placed behind a Web proxy only if it's the sole resource available at a specific host/port combination. The ideal solution is to use an external proxy server, like Apache, to handle the proxying. For instance, if you have a public server PROXYMACHINE that you want to be the front end to SPLUNKSERVER:
OK. Redirect all requests to PROXYMACHINE over to SPLUNKSERVER:
OK. Redirect all requests to PROXYMACHINE on port 81 over to SPLUNKSERVER:
OK. Redirect all requests to SP1 subdomain of PROXYMACHINE over to SPLUNKSERVER-1, and SP2 subdomain to SPLUNKSERVER-2:
Not supported. Redirect all requests to mysplunk directory of PROXYMACHINE over to SPLUNKSERVER:
Not supported. Redirect all requests to splunk1 directory of PROXYMACHINE over to SPLUNKSERVER-1 and splunk2 directory to SPLUNKSERVER-2:
Not supported. Redirect all requests to mysplunk directory of PROXYMACHINE over to SPLUNKSERVER while allowing original content of PROXYMACHINE to continue working:
http://PROXYMACHINE/intranet => (not proxied)
The following example Apache configuration snippet allows you to proxy a Splunk Web server via another server.
<VirtualHost *:80>
    # do proxied Splunk
    ProxyPass / http://SPLUNKSERVER:8000/
    ProxyPassReverse / http://SPLUNKSERVER:8000/
</VirtualHost>
It is technically possible to place Splunk under a subdirectory of a proxy server, but there will be issues during login where the user is not redirected to the proper resource. The following partial configuration allows you to place a proxied Splunk instance under the '/mysplunk' folder.
<VirtualHost *:80>
    # do proxied splunk
    ProxyPass /mysplunk http://SPLUNKSERVER:8000
    ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000

    # do URL rewriting
    # NOTE: mod_rewrite *must* be active
    # turn on rewriting
    RewriteEngine on

    # catch all relevant root level requests
    # the [P] flag allows the rewrite to recognize the previous ProxyPass directive
    RewriteRule ^/(feed|images|rss|admin|login|logout|typeahead|republish|help|testing)(.*) /mysplunk/$1$2 [P]

    # catch all static asset requests
    RewriteRule ^/(static.*) /mysplunk/$1 [P]
</VirtualHost>
Splunk 4.x offers a more efficient way to achieve the above, as follows.
<VirtualHost *:80>
    # do proxied splunk
    ProxyPass /mysplunk http://SPLUNKSERVER:8000/mysplunk
    ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000/mysplunk
</VirtualHost>
Splunk web.conf configuration:
root_endpoint = /mysplunk
tools.proxy.on = True
Note that tools.proxy.on appears to force SSO in 6.x, so it should be left set to False.
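An added example, not part of the original wiki page and not Splunk's own code: a Python check that the Apache virtual host and web.conf from the 4.x setup above agree on the subdirectory, and that flags tools.proxy.on = True on 6.x per the note above. The function names and the embedded sample configurations are constructed for illustration.

```python
import re

# Constructed sample inputs mirroring the 4.x configuration on this page.
APACHE_CONF = """\
<VirtualHost *:80>
    ProxyPass /mysplunk http://SPLUNKSERVER:8000/mysplunk
    ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000/mysplunk
</VirtualHost>
"""
WEB_CONF = """\
root_endpoint = /mysplunk
tools.proxy.on = True
"""

def parse_web_conf(text):
    """Return key/value settings from web.conf text, skipping comments and stanza headers."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith(("#", "[")):
            settings[key.strip()] = value.strip()
    return settings

def parse_proxy_directives(text):
    """Return {directive: [(front_path, backend_path), ...]} with trailing slashes normalised."""
    found = {"ProxyPass": [], "ProxyPassReverse": []}
    pattern = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+https?://[^/\s]+(/\S*)?\s*$", re.M)
    for name, front, back in pattern.findall(text):
        found[name].append((front.rstrip("/") or "/", back.rstrip("/") or "/"))
    return found

def check_proxy_config(apache_text, web_text, splunk_major):
    """Hypothetical helper: list mismatches between the proxy vhost and web.conf."""
    problems = []
    settings = parse_web_conf(web_text)
    root = settings.get("root_endpoint", "/").rstrip("/") or "/"
    directives = parse_proxy_directives(apache_text)
    if not directives["ProxyPass"]:
        problems.append("no ProxyPass directive found")
    for front, back in directives["ProxyPass"]:
        if front != root:
            problems.append(f"ProxyPass path {front} does not match root_endpoint {root}")
        if back != root:
            problems.append(f"backend path {back} does not match root_endpoint {root}")
        if (front, back) not in directives["ProxyPassReverse"]:
            problems.append(f"no ProxyPassReverse matching ProxyPass {front}")
    if splunk_major >= 6 and settings.get("tools.proxy.on", "False").lower() == "true":
        problems.append("tools.proxy.on = True appears to force SSO in 6.x")
    return problems
```

Calling check_proxy_config(APACHE_CONF, WEB_CONF, 4) returns an empty list for the sample; passing 6 as the major version returns the tools.proxy.on finding.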