Communicating Splunk Deployment Server through Nginx Reverse Proxy
A quick example / proof / show-this-to-your-boss-ism that Splunk Deployment Server traffic can be sent through an Nginx Reverse Proxy
In the event some of your Universal Forwarders or Heavy Forwarders sit within a segmented environment, or direct access to your Splunk Deployment Server is behind a secure enclave / virtual diode, it's absolutely possible to proxy traffic through an Nginx Reverse Proxy.
⚠️ Important
There is one gotcha: ensure your proxy_pass directive does NOT include a trailing slash, or the Splunk Deployment Server will not take it. This is literally the only reason this blog post exists: to save someone else's time on this topic.
server {
    listen *:8089 ssl;
    server_name _;

    ssl_certificate /etc/pki/tls/certs/splunk_deployment_server.pem;
    ssl_certificate_key /etc/pki/tls/private/splunk_deployment_server.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_password_file /etc/pki/tls/private/splunk_deployment_server.key.password;

    access_log /var/log/nginx/ssl-splunk_deployment_server.access.log combined;
    error_log /var/log/nginx/ssl-splunk_deployment_server.error.log;

    location / {
        # No trailing slash after the port (see the gotcha above).
        proxy_pass https://splunk-ds-ip:8089;
        proxy_read_timeout 90s;
        proxy_connect_timeout 90s;
        proxy_send_timeout 90s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Clear any client-supplied Proxy header before forwarding.
        proxy_set_header Proxy "";
        proxy_pass_request_headers on;
        # The upstream certificate is not verified: the hop from the proxy
        # to the Deployment Server is encrypted but not authenticated.
        proxy_ssl_verify off;
    }
}
After you use the above Nginx config as your Splunk Deployment Server configuration, you'll note that all of your Splunk Deployment Clients seem to come from your reverse proxy. This seems to be unavoidable, and I've observed no adverse effects of doing this.
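A pre-deployment check for the trailing-slash gotcha, as an added example that is not part of the original post: nginx passes the client's request URI through unchanged only when proxy_pass has no URI part, so this line-based scan flags any proxy_pass target that carries a path after host:port. The function name and both sample configs are constructed for illustration; targets built from variables are skipped.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configs (upstream name reused from the post's example).
GOOD = """
server {
    listen *:8089 ssl;
    location / {
        proxy_pass https://splunk-ds-ip:8089;
    }
}
"""
BAD = """
server {
    listen *:8089 ssl;
    location / {
        # proxy_pass https://old-ds:8089/;   (commented out, ignored)
        proxy_pass https://splunk-ds-ip:8089/;
    }
    location /services {
        proxy_pass https://splunk-ds-ip:8089/services;
    }
}
"""

DIRECTIVE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;")
LOCATION = re.compile(r"^\s*location\s+(.+?)\s*\{")

def proxy_pass_with_uri(config_text):
    """Return (line_no, location, target) for each proxy_pass that has a URI part."""
    findings, location = [], None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]        # drop nginx comments
        loc = LOCATION.match(line)
        if loc:
            location = loc.group(1)        # most recent location block seen
        hit = DIRECTIVE.match(line)
        if not hit or "$" in hit.group(1): # variable targets follow other rules
            continue
        target = hit.group(1)
        if urlsplit(target).path:          # "/" or "/anything" after host:port
            findings.append((line_no, location, target))
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        for line_no, location, target in proxy_pass_with_uri(text):
            print(f"{name}: line {line_no}: location {location}: {target} has a URI part")
```

Run it against the rendered config before reloading nginx; an empty result means every proxy_pass forwards the request URI as the client sent it.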