Qlik Sense Behind HA proxy

VRaducan — Tue, 14 Jun 2022 09:02:36 GMT

Hi,

we got a customer which is trying to user haproxy and Qlik Sense.

The login works correctly on the QMC but looks like when going into the Hub, we get Connection Lost immediately after logging in.

The configuration done by the customer is with 2 HA proxy Balanced by a Load Balancer.

The config file for both of the Haproxy environments is at follows.

1 QSense Cluster with Central and FailOver Candiate

Host allow whitelist inserted both the HAproxy servers IPs on Virtual Proxies and the LoadBalancer FQDN

Send KeepAlive Check configured on both the Proxie services of the nodes with 5 seconds of timespan.

QlikSense has got the http port 80 enabled.

I've tried to read the documentation of HA proxy and other links here regarding this kind of configuration but it's still not working. Could it be that the parameters to switch from http to wss are incorrect?

Thanks in advance if someone knows something.

#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
log /dev/log local0

chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

# utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults

log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor
option redispatch
retries 3
timeout connect 5s
timeout client 300s
timeout server 300s
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 60s
timeout queue 60s
timeout tarpit 120s

# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
acl host_n_printing hdr(host) -i fqdnofserverNPRINTING
acl host_alert hdr(host) -i fqdnofserverALERTING
acl host_sense hdr(host) -i fqdnofserverQSENSE
use_backend printing if host_n_printing
use_backend alert if host_alert

## routing based on websocket protocol header
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
use_backend sense if host_sense hdr_connection_upgrade hdr_upgrade_websocket

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
# balance roundrobin
# server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend sense
mode http
balance roundrobin
stick-table type ip size 1m expire 30m
stick match src
stick store-request src
acl match_windows_form_authentication path_beg -i /internal_windows_authentication
http-request set-path /internal_forms_authentication if match_windows_form_authentication
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server bi IPofCentralNode 00.000.00.00:80 maxconn 2000 check verify none
server bi1 IPofFailoverNode00.000.00.00:80 maxconn 2000 check verify none

backend printing
balance roundrobin
server bi3 ipofNPRINTINGSERVER00.000.00.00:4993 check port 4993

backend alert
balance roundrobin
server bi4 ipofALERTINGSERVER00.000.00.00:4551 check port 4551

Re: Qlik Sense Behind HA proxy

Eugene_Sleator — Tue, 14 Jun 2022 10:49:57 GMT

Hi @VRaducan make sure that the timeout settings for the default Qlik Sense proxy and your reverse proxy are aligned

Increase-session-timeout-in-Qlik-Sense

Re: Qlik Sense Behind HA proxy

VRaducan — Tue, 14 Jun 2022 12:44:47 GMT

Hi Eugene, thanks for the answer.

Just the timeouts of the proxy?

What about all these other timeouts?

timeout connect 5s
timeout client 300s
timeout server 300s
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 60s
timeout queue 60s
timeout tarpit 120s

Re: Qlik Sense Behind HA proxy

Eugene_Sleator — Tue, 14 Jun 2022 14:37:27 GMT

Hi @VRaducan from the Qlik side of things these are the timeouts you need to consider. As for the exact Haproxy configuration you would need to refer to the Haproxy documentation.

Re: Qlik Sense Behind HA proxy

VRaducan — Fri, 17 Jun 2022 09:51:25 GMT

Hi all, Thank you Eugene, the problem was not related to the timeouts since these latter ones can be corrected after the http will do the upgrade properly.

The problem was due to the fact that the HA proxy endpoint was waiting for the qrsData call from an external Hardware Balancer, which was used to authenticate the Users and unload the ssl after the authentication, since HA proxy used mode http.

So the problem was that this Hardware Network Balancer was not sending the WSS call to the HA proxy, thus truncating the connection.

Once the load balancer had been configured the system was able to work correctly.

Thank You all for you answers.

P.S. also for a peace of mind and after some confrontation, we decided to not use on HA proxy the sticky sesssion IP Based:

stick-table type ip size 1m expire 30m
stick match src
stick store-request src

these sticky session have been changed with a cookie based ones. Unfortunately it was not a configuration we were able to retrieve as for an example here on the community. Maybe We'll get that soon so anyone could at least have an idea 🙂

topic Re: Qlik Sense Behind HA proxy in Management & Governance

Qlik Sense Behind HA proxy

Re: Qlik Sense Behind HA proxy

Re: Qlik Sense Behind HA proxy

Re: Qlik Sense Behind HA proxy

Re: Qlik Sense Behind HA proxy