Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Install and configure your HTTP Proxy Server for splunkd

You can set up an HTTP proxy server for splunkd so that all HTTP/S traffic originating from splunkd flows through the proxy server, making your traffic easier to manage.

Splunk Software officially supports the following HTTP proxy servers:

  • Apache Server 2.4
  • Apache Server 2.2
  • Squid Server 3.5

Note: Splunk Enterprise supports the HTTP CONNECT method for HTTPS requests. TLS proxying is not supported, and the proxy server cannot listen on an SSL port.

Configure Apache Server 2.4

1. Download the latest version of Apache server 2.4 at http://httpd.apache.org/download.cgi.

2. Extract and install it on the machine that will run the proxy server. The following example compiles the server from source.

gzip -d httpd-2.4.25.tar.gz
tar xvf httpd-2.4.25.tar
cd httpd-NN
./configure --prefix=$PROXY_HOME
make install

3. Customize the the Apache server httpd.conf file.

Listen = 8000 <IP addresses and ports that the server listens to>
ProxyRequests = On < Enables forward (standard) proxy requests>
SSLProxyEngine = On <This directive toggles the usage of the SSL/TLS Protocol Engine for proxy>
AllowCONNECT = 443 <Ports that are allowed to CONNECT through the proxy>

Additional configuration (optional)

Before you configure or disable these values, please read the Apache documentation for additional information.

SSLProxyVerify = optional <When a proxy is configured to forward requests to a remote SSL server, this setting can configure certificate verification of the remote server>
SSLProxyCheckPeerCN = on <determines whether the remote server certificate's CN field is compared against the hostname of the request URL>
SSLProxyCheckPeerName = on <turns on host name checking for server certificates when mod_ssl is acting as an SSL client>
SSLProxyCheckPeerExpire = on <enables certificate expiration checking>

Configure Apache Server 2.2

1. Download the latest version of Apache server 2.2 at http://httpd.apache.org/download.cgi.

2. Extract and install it on the machine that will run the proxy server. The following example compiles the server from source.

$ gzip -d httpd-2.2.32.tar.gz
$ tar xvf httpd-2.2.32.tar
$ cd httpd-NN
$ ./configure --prefix="PROXY_HOME" --enable-ssl --enable-proxy --enable-proxy-connect --enable-proxy-http
$ make install

3. Customize the Apache server's httpd.conf file:

Listen 8000 <This is the list of IP addresses and ports that the server listens to>
ProxyRequests = On <Enables forward (standard) proxy requests>
SSLProxyEngine = On <This directive toggles the usage of the SSL/TLS Protocol Engine for proxy>
AllowCONNECT 443 <Ports that are allowed to CONNECT through the proxy>

Additional configuration (optional)

Before you modify or disable these settings in your environment, please read the Apache documentation for additional information.

SSLProxyVerify = optional <When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification for the remote server.>
SSLProxyCheckPeerCN = on <Determines whether the remote server certificate's Common Name field is compared against the hostname of the request URL>
SSLProxyCheckPeerName = on <Configures host name checking for server certificates when mod_ssl is acting as an SSL client>
SSLProxyCheckPeerExpire = on <when turned on, the systems checks whether if the remote server certificate is expired or not>

Configure Squid 3.5

1. Download the latest version of Squid server 3.5 at http://www.squid-cache.org/Download/.

2. Extract and install the download on the machine that will run the proxy server. The following example compiles Squid server 3.5 from source.

$ tar xzf squid-3.5.23.tar.gz
$ cd squid-3.5.23
$ ./configure --with-openssl
$ make
$ make install

3. Configure the Squid server's squid.conf file

acl localnet src = <configure all possible internal network ports, a new line for each port>
acl SSL_ports = <configure all acl SSL_ports, a new line for each port>
acl CONNECT method CONNECT <ACL for CONNECT method>
http_port 8000 <Port on which the Squid server will listen for requests>

Additional configuration (optional)

Before you configure or disable these settings in your environment, please read the Squid documentation for additional information.

sslproxy_cert_error deny all <Use this ACL to bypass server certificate validation errors>
sslproxy_flags DONT_VERIFY_PEER <Various flags modifying the use of SSL while proxying https URLs>
hosts_file PROXY_HOME/hosts <Location of the host-local IP name-address associations database>
Last modified on 21 April, 2017
Use a forward Proxy Server for splunkd   Configure splunkd to use your HTTP Proxy Server

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters