Configure NGINX Reverse Proxy with Let's Encrypt
This guide describes how NGINX can be set up to forward requests to Splunk and act as a reverse proxy for enhanced security.
Endpoints for receiving data
Data can be sent directly to the Splunk endpoints.
We recommend, for increased security, that you set up HTTPS certificates. (The Web agent also requires that a valid HTTPS certificate is configured, because data is sent directly from the user's browser using the same HTTP/HTTPS security as the monitored website.)
A reverse proxy is also recommended if data has to be received from outside the company network.
Used for | Splunk endpoint | Reverse Proxy endpoint
Splunk Web | |
Desktop/Robot agent data receiving | bin\task_mq_consumer_pcagent.py reads from RabbitMQ queue. | NGINX / uWSGI adds to RabbitMQ queue
Web agent data receiving | bin\task_mq_consumer_web.py reads from RabbitMQ queue. | NGINX / uWSGI adds to RabbitMQ queue
Optional: Splunk HTTP Event Collector (has to be enabled first) | |
Optional: Splunk Teams webhook | http://localhost:12031/webhook/teams |
NGINX setup
Ubuntu:
sudo apt-get update
sudo apt-get -y install nginx-light
sudo vi /etc/nginx/nginx.conf
# Add after the SSL settings to increase HTTPS performance.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
sudo vi /etc/nginx/sites-available/site_fqdn
# Disable access logging for /data/ receiving, or set up rotating/deleting of log files; they can become very big.
map $request $loggable {
    ~*/data/* 0;
    default 1;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name fqdn;
    server_tokens off;

    # Disable access logging for /data/ receiving, or set up rotating/deleting of log files; they can become very big.
    access_log /var/log/nginx/access.log combined if=$loggable;

    # Set client body size to 800 MB to allow Splunk POSTs to the REST API and upload of apps.
    client_max_body_size 800M;

    # Fix "414 Request-URI Too Large" when Splunk deep links into search from a table.
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;

    # Reverse proxy Splunk from port 8000 to HTTPS port 443.
    # Note that Splunk has to be running HTTPS as well, or a "No cookies detected" error could occur and login to Splunk fail.
    location / {
        proxy_pass_request_headers on;
        proxy_set_header x-real-IP $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header host $host;
        proxy_pass https://localhost:8000/;
    }

    # Reverse proxy the Splunk REST API for the Robot/Desktop Protobuf endpoint.
    location /data/pcagent {
        # Disable access logging, or set up rotating/deleting of log files; they can become very big.
        access_log off;
        # Disable keepalive to free the thread/socket for the next user (to support 20,000 users per server).
        keepalive_timeout 0;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/wsgi-uxm.sock;
        limit_except GET POST {
            deny all;
        }
    }

    # Reverse proxy the Splunk REST API for the Web data endpoint.
    location /data/browser {
        # Disable access logging, or set up rotating/deleting of log files; they can become very big.
        access_log off;
        # Disable keepalive to free the thread/socket for the next user (to support 20,000 users per server).
        keepalive_timeout 0;
        include uwsgi_params;
        uwsgi_param HTTP_X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'origin, content-type, accept, LoginRequestCorrelationId, content-encoding';
        add_header 'Content-Type' 'text/plain';
        uwsgi_pass unix:/run/uwsgi/wsgi-uxm.sock;
        limit_except GET POST OPTIONS {
            deny all;
        }
    }

    # Reverse proxy for the Splunk HTTP Event Collector, if needed.
    location /services/collector {
        # Disable access logging, or set up rotating/deleting of log files; they can become very big.
        access_log off;
        proxy_pass_request_headers on;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header host $host;
        proxy_pass https://localhost:8088/services/collector;
        limit_except POST {
            deny all;
        }
    }

    # SSL certificates if Let's Encrypt isn't used.
    #ssl_certificate /mnt/disks/data/certs/fqdn.crt;
    #ssl_certificate_key /mnt/disks/data/certs/fqdn.key;

    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot; left commented out because own TLS protocols/ciphers are set below
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # See https://gist.github.com/gavinhungry/7a67174c18085f4a23eb
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:TLS:2m;
    ssl_buffer_size 4k;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare

    # Set HSTS to 2 years
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
}
sudo ln -s /etc/nginx/sites-available/site_fqdn /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t
sudo nginx -s reload
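Before reloading, it is worth checking that the hardening points the site_fqdn file relies on are actually in place (server_tokens off, no deprecated TLS versions, HSTS set, and access_log off plus a limit_except block on every ingest location). One nginx detail matters here: add_header directives are inherited from the enclosing level only when the current level sets none, so a location such as /data/browser that adds its own CORS headers does not inherit the server-level Strict-Transport-Security header unless it repeats it. The checker below is an added example and is not part of the original guide or the product; it uses a small tokenizer rather than a full nginx parser, the function names tokenize, parse and audit are my own, and SAMPLE_CONF is a constructed, abridged copy of the server block above.

```python
"""Added example, not part of the original guide: a checker for the hardening
points the site_fqdn configuration above relies on.  Not a full nginx parser;
it tokenises directives and tracks block nesting, enough for a server file."""


def tokenize(conf):
    """Words, '{', '}' and ';'.  Quotes group one argument (the HSTS value holds
    semicolons); '#' starts a comment to end of line, except inside quotes."""
    tokens = []
    buf, have, i = "", False, 0
    while i < len(conf):
        c = conf[i]
        if c in "'\"":                            # quoted argument
            j = conf.index(c, i + 1)              # ValueError if unterminated
            buf, have, i = buf + conf[i + 1:j], True, j + 1
        elif c == "#":                            # comment to end of line
            nl = conf.find("\n", i)
            i = len(conf) if nl < 0 else nl
        elif c in "{};" or c.isspace():           # end of the current word
            if have:
                tokens.append(buf)
            buf, have = "", False
            if c in "{};":
                tokens.append(c)
            i += 1
        else:
            buf, have, i = buf + c, True, i + 1
    if have:
        tokens.append(buf)
    return tokens


def parse(conf):
    """Flatten the config into (path, name, args) tuples, one per directive.
    path is the tuple of enclosing block headers, e.g. ("server", "location /data/pcagent")."""
    out, path, stmt = [], [], []
    for tok in tokenize(conf):
        if tok == ";":
            if stmt:
                out.append((tuple(path), stmt[0], stmt[1:]))
            stmt = []
        elif tok == "{":
            path.append(" ".join(stmt))
            stmt = []
        elif tok == "}":
            path.pop()
        else:
            stmt.append(tok)
    return out


def audit(conf):
    """Findings for the settings the guide relies on; an empty list means all passed."""
    ds = parse(conf)
    def args_of(name, path):
        return [a for p, n, a in ds if n == name and p == path]
    def has_hsts(headers):
        return any(h[:1] == ["Strict-Transport-Security"] for h in headers)
    findings, srv = [], ("server",)
    if ["off"] not in args_of("server_tokens", srv):
        findings.append("server_tokens is not off (nginx version disclosed)")
    for protos in args_of("ssl_protocols", srv):
        weak = [v for v in protos if v in ("SSLv3", "TLSv1", "TLSv1.1")]
        if weak:
            findings.append("ssl_protocols enables deprecated " + " ".join(weak))
    if not has_hsts(args_of("add_header", srv)):
        findings.append("no Strict-Transport-Security header at server level")
    for loc in sorted({p[:2] for p, _, _ in ds if len(p) > 1 and p[1].startswith("location ")}):
        name = loc[1].split(None, 1)[1]
        if name.startswith(("/data/", "/services/collector")):   # ingest endpoints in the guide
            if ["off"] not in args_of("access_log", loc):
                findings.append(f"{name}: access_log is not off (log files will grow)")
            if not any(len(p) == 3 and p[:2] == loc and p[2].startswith("limit_except") for p, _, _ in ds):
                findings.append(f"{name}: no limit_except block (every HTTP method accepted)")
        own = args_of("add_header", loc)
        # nginx inherits add_header from the enclosing level only when the current level
        # sets none, so a location that adds CORS headers silently drops the HSTS header.
        if own and not has_hsts(own):
            findings.append(f"{name}: sets add_header, so the server-level HSTS header is not inherited here")
    return findings


# Constructed, abridged copy of the site_fqdn layout above (same locations and directives).
SAMPLE_CONF = """
server {
    server_name fqdn;
    server_tokens off;
    location /data/pcagent {
        access_log off;
        uwsgi_pass unix:/run/uwsgi/wsgi-uxm.sock;
        limit_except GET POST { deny all; }
    }
    location /data/browser {
        access_log off;
        add_header 'Access-Control-Allow-Origin' '*';
        uwsgi_pass unix:/run/uwsgi/wsgi-uxm.sock;
        limit_except GET POST OPTIONS { deny all; }
    }
    ssl_protocols TLSv1.3 TLSv1.2;
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
}
"""

# Weakened variant: version disclosure left on and deprecated TLS versions re-enabled.
WEAK_CONF = SAMPLE_CONF.replace("server_tokens off;", "server_tokens on;").replace(
    "TLSv1.3 TLSv1.2", "TLSv1.2 TLSv1 TLSv1.1")
```

Running audit(open("/etc/nginx/sites-available/site_fqdn").read()) on the real file reports the same kind of findings; for the layout in this guide the only one expected is the missing HSTS header inside /data/browser, which is fixed by repeating the add_header Strict-Transport-Security line in that location.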
Let's Encrypt setup
Let's Encrypt can automatically generate HTTPS certificates if the domain is publicly available: the FQDN has to be reachable from the internet, or Let's Encrypt will fail.
It generates certificates that last for 90 days and renews them automatically every 30 days via a job on the server.
See https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal for how to set up Certbot.
sudo certbot --nginx -d fqdn --email name@domain.dk --agree-tos
(Use support@uxmapp.com for UXM SaaS servers.)
Certbot will ask whether HTTP traffic should be redirected to HTTPS; you can let it do so (option 2).
You can view the certificates with
certbot certificates
Certbot adds the HTTP-to-HTTPS redirect configuration to the /etc/nginx/sites-available/site_fqdn file; it is recommended to turn access_log off there as well if huge amounts of HTTP measurements are received from the Web agent (log files will grow large, since the data arrives via GET requests).