
Turn on encryption (https) with Splunk Web
This topic explains how to use Splunk Web to enable HTTPS for browser to Splunk Web communication. Splunk software can listen on HTTPS or HTTP, but not both.
The simple encryption that can be turned on in Splunk Web uses the default certificate that is provided in the "out of box" installation. Since every installation provides the same default certificate, this method is not highly secure. If security is a priority, change the default certificate and configure authentication for better security. See Secure Splunk Web with your own certificate for information about replacing the default certificates.
To enable HTTPS with Splunk Web:
1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.
2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button.
By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.
3. Restart Splunk Web.
You must now prepend "https://" to the URL you use to access Splunk Web.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4
Comments
Making changes to /system/default .. That's a paddlin' !
Directory for web.conf is incorrect.
Should be $SPLUNK_HOME/etc/system/default/web.conf
In Version 6.3.0 of Splunk, settings in $SPLUNK_HOME/etc/system/local/web.conf override the settings of $SPLUNK_HOME/etc/system/default/web.conf.
Settings not listed in (aka overridden by) $SPLUNK_HOME/etc/system/local/web.conf are still read from $SPLUNK_HOME/etc/system/default/web.conf.
Hence, not all the settings as shown below (and in point 2. above) may be visible in $SPLUNK_HOME/etc/system/local/web.conf. For me, privKeyPath and caCertKeyPath are being read from $SPLUNK_HOME/etc/system/default/web.conf when enabling HTTPS in splunk web while still using self-signed certs. The default enableSplunkWebSSL of False in $SPLUNK_HOME/etc/system/default/web.conf is being overwritten by $SPLUNK_HOME/etc/system/local/web.conf.
[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
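Added example, not part of the comment above or of Splunk's own documentation: a Python check that layers the [settings] stanza of system/local/web.conf over system/default/web.conf as described above, then reports when HTTPS is on but the certificate paths are still the shipped defaults. The key names and default paths are the ones quoted on this page; the sample file contents and the etc/auth/mycerts paths are constructed, and treating only true/1 as "enabled" is an assumption.

```python
import configparser

# Key names and shipped certificate paths as quoted on this page.
SHIPPED_CERT_PATHS = {
    "privKeyPath": "etc/auth/splunkweb/privkey.pem",
    "caCertPath": "etc/auth/splunkweb/cert.pem",
}

def read_settings(conf_text):
    """Return the [settings] stanza of one web.conf as a dict (key case preserved)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    return dict(parser["settings"]) if parser.has_section("settings") else {}

def effective_settings(default_text, local_text):
    """Layer system/local over system/default: local wins key by key."""
    merged = read_settings(default_text)
    merged.update(read_settings(local_text))
    return merged

def audit_web_conf(default_text, local_text):
    """List findings for the effective Splunk Web TLS configuration."""
    eff = effective_settings(default_text, local_text)
    # Assumption: only "true"/"1" (any case) count as enabled.
    if eff.get("enableSplunkWebSSL", "false").strip().lower() not in ("true", "1"):
        return ["enableSplunkWebSSL is off: Splunk Web is served over plain HTTP"]
    return [
        f"{key} = {eff[key]} is the certificate shipped with every installation"
        for key, shipped in SHIPPED_CERT_PATHS.items()
        if eff.get(key, "").strip() == shipped
    ]

# Constructed sample files, not copied from a real installation.
DEFAULT_WEB_CONF = """
[settings]
enableSplunkWebSSL = False
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
"""
LOCAL_TOGGLE_ONLY = "[settings]\nenableSplunkWebSSL = true\n"
LOCAL_OWN_CERT = """
[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/mycerts/web.key
caCertPath = etc/auth/mycerts/web.pem
"""
if __name__ == "__main__":
    print(audit_web_conf(DEFAULT_WEB_CONF, LOCAL_TOGGLE_ONLY))
```

With only the toggle set in the local file, both certificate keys are reported, because they are inherited from the default file even though they never appear in system/local/web.conf.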
You can not bind to a port < 1024 as a non-root user in GNU Linux. If you're not using a proxy or load balancer and don't want to specify a port number in the URL (i.e. you would prefer to use port 80 or in this case 443), this can cause some problems. To resolve, simply bind to 8443 (or something else above 1024) and then NAT to 443 to work around this issue.
In $SPLUNK_HOME/etc/system/local/web.conf
[settings]
httpport=8443
As root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save
Step 2 - Splunk is already set to point to the default certificates when encryption is turned on. The following default configuration can be found in $SPLUNK_HOME/etc/auth/web.conf. The path to web.conf is wrong. Please refer to the correct path as specified in this 5.0.7 link:
http://docs.splunk.com/Documentation/Splunk/5.0.7/Security/Turnonbasicencryptionusingweb.conf
Hi Rfrey,
Thanks for your input! If you are interested in learning more about working as a non-root user, we have some additional documentation about it here: http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
Hope that helps,
Jen
You can not bind to < 1024 as a non-root user in GNU Linux. Since most people don't want to specify a port number in the URL and would prefer to use port 443, this can cause some problems. From what I understand most people bind to 8443 (or something else above 1024) and then NAT to 443 to work around this issue.
In $SPLUNK_HOME/etc/system/local/web.conf
[settings]
httpport=8443
As root:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save
Hi all, I've removed the code sample from this topic. I agree the code sample is very confusing (and the path is wrong) and it is not the same for every configuration. It is also simply informational and not meant to be edited, so I don't really think it adds much value to the topic, especially considering how much confusion it causes. If you would like to review the web.conf default configurations, you can look here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf