From Splunk Wiki

Placing Splunk behind a Web proxy

This topic is valid for all versions of Splunk starting with 2.2. However, it is not valid for 4.x. (See the 4.x update below.)


You want to place the Splunk web server behind a proxy server to:

  1. enforce access restrictions via existing resources
  2. put multiple Splunk instances on the same host and port, but under separate subdirectories
  3. add Splunk as a subdirectory on an existing Web server

The only scenario supported by Splunk v2.2 is (1). Scenarios (2) and (3) are not feasible under Splunk 2.2. Splunk 3.0 and above will not have these restrictions and will support all traditional proxy configurations.

Splunk can be successfully placed behind a Web proxy only if it's the sole resource available at a specific host/port combination. The ideal solution is to use an external proxy server, like Apache, to handle the proxying. For instance, if you have a public server PROXYMACHINE that you want to be the front end to SPLUNKSERVER:

OK. Redirect all requests to PROXYMACHINE over to SPLUNKSERVER:

http://PROXYMACHINE/ => http://SPLUNKSERVER:8000

OK. Redirect all requests to PROXYMACHINE on port 81 over to SPLUNKSERVER:

http://PROXYMACHINE:81/ => http://SPLUNKSERVER:8000

OK. Redirect all requests to SP1 subdomain of PROXYMACHINE over to SPLUNKSERVER-1, and SP2 subdomain to SPLUNKSERVER-2:

http://SP1.PROXYMACHINE/ => http://SPLUNKSERVER-1:8000

http://SP2.PROXYMACHINE/ => http://SPLUNKSERVER-2:8000

Not supported. Redirect all requests to mysplunk directory of PROXYMACHINE over to SPLUNKSERVER:

http://PROXYMACHINE/mysplunk => http://SPLUNKSERVER:8000

Not supported. Redirect all requests to splunk1 directory of PROXYMACHINE over to SPLUNKSERVER-1 and splunk2 directory to SPLUNKSERVER-2:

http://PROXYMACHINE/splunk1 => http://SPLUNKSERVER-1:8000

http://PROXYMACHINE/splunk2 => http://SPLUNKSERVER-2:8000

Not supported. Redirect all requests to mysplunk directory of PROXYMACHINE over to SPLUNKSERVER while allowing original content of PROXYMACHINE to continue working:

http://PROXYMACHINE/mysplunk => http://SPLUNKSERVER:8000

http://PROXYMACHINE/intranet => (not proxied)


The following example Apache configuration snippet allows you to proxy a Splunk Web server via another server.

<VirtualHost *:80>
	# do proxied Splunk
	ProxyPass / http://SPLUNKSERVER:8000/
	ProxyPassReverse / http://SPLUNKSERVER:8000/
</VirtualHost>

It is technically possible to place Splunk under a subdirectory of a proxy server, but there will be issues during login where the user is not redirected to the proper resource. The following partial configuration allows you to place a proxied Splunk instance under the '/mysplunk' folder.

<VirtualHost *:80>
	# do proxied splunk
	ProxyPass /mysplunk http://SPLUNKSERVER:8000
	ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000
	# do URL rewriting
	# NOTE: mod_rewrite *must* be active
	# turn on rewriting
	RewriteEngine on
	# catch all relevant root level requests
	# the [P] flag allows the rewrite to recognize the previous ProxyPass directive
	RewriteRule ^/(feed|images|rss|admin|login|logout|typeahead|republish|help|testing)(.*) /mysplunk/$1$2 [P]
	# catch all static asset requests
	RewriteRule ^/(static.*) /mysplunk/$1 [P]
</VirtualHost>
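
The login redirect problem described above, shown as an added example (not part of the original wiki page or of Splunk's or Apache's code): a simplified Python model of how `ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000` treats a `Location` header, classifying which redirects stay under `/mysplunk`, which work only because of the RewriteRule lines, and which land on the front end's own content. The sample `Location` values and the plain-HTTP front-end URL `http://PROXYMACHINE` are constructed assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Names from the page's subdirectory example; plain HTTP on the front end is assumed.
FRONT = "http://PROXYMACHINE"
PREFIX = "/mysplunk"
BACKEND = "http://SPLUNKSERVER:8000"

# The two RewriteRule patterns from the page, folded into one expression.
ROOT_CAUGHT = re.compile(
    r"^/(feed|images|rss|admin|login|logout|typeahead|republish|help|testing|static)")


def proxy_pass_reverse(location):
    """Simplified model of `ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000`.

    Only a Location that begins with the backend URL is mapped back onto the
    front-end prefix; anything else is passed through unchanged.
    """
    if location.lower().startswith(BACKEND.lower()):
        return FRONT + PREFIX + location[len(BACKEND):]
    return location


def landing(location, request_url=FRONT + PREFIX + "/"):
    """Return (url, verdict) for where a browser ends up after one redirect."""
    target = urljoin(request_url, proxy_pass_reverse(location))
    parts = urlsplit(target)
    if parts.netloc.lower() != urlsplit(FRONT).netloc.lower():
        return target, "off-proxy"        # client is sent past the proxy
    path = parts.path or "/"
    if path == PREFIX or path.startswith(PREFIX + "/"):
        return target, "under-prefix"     # stays inside the proxied Splunk
    if ROOT_CAUGHT.match(path):
        return target, "root-caught"      # works only because of the RewriteRules
    return target, "escapes-prefix"       # served by the front end's own content


if __name__ == "__main__":
    # Constructed Location values, not captured from a real Splunk instance.
    for loc in ("http://SPLUNKSERVER:8000/login", "/login", "login", "/",
                "http://SPLUNKSERVER:8001/"):
        print("%-32s -> %s  [%s]" % ((loc,) + landing(loc)))
```
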

In Splunk 4.x, the same result can be achieved more efficiently, as follows.

Apache configuration:

<VirtualHost *:80>
    # do proxied splunk
    ProxyPass /mysplunk http://SPLUNKSERVER:8000/mysplunk
    ProxyPassReverse /mysplunk http://SPLUNKSERVER:8000/mysplunk
</VirtualHost>

Splunk web.conf configuration:

    [settings]
    root_endpoint = /mysplunk
    tools.proxy.on = True

Note that tools.proxy.on appears to force SSO in 6.x, so it should be left set to False.
