topic Re: Reverse Proxy and Authentication port redirect in Integration, Extension & APIs

Reverse Proxy and Authentication port redirect

tseebach — Mon, 08 Feb 2016 07:31:31 GMT

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

Re: Reverse Proxy and Authentication port redirect

Tue, 09 Feb 2016 03:07:57 GMT

Hi Torben,

I have the same problem...

I didn't not find a solution yet.

Re: Reverse Proxy and Authentication port redirect

tseebach — Tue, 09 Feb 2016 07:18:43 GMT

Qlik has a paper saying its possible. Its just does not contain any details about how its actually done.

Re: Reverse Proxy and Authentication port redirect

konrad_mattheis — Wed, 10 Feb 2016 12:53:53 GMT

Hi Torben,

I think you have to write complex rewrite rules. Did you already tried to solve it just via header authentication in a first step?

bye

Konrad

Re: Reverse Proxy and Authentication port redirect

csellei — Tue, 16 Feb 2016 21:06:42 GMT

Hi,

I'm facing a similar issue with Juniper as reverse proxy. In our case, autentication is done and session and ticket is issued for the user and the url with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keep waiting after the loggin page and ends by time out.

Does anybody knows if there is somethig We have to be aware regarding Qlik Sense Hub requirements? The only I can get from documentation is that clients must support websockets.

Does anyone solve this kind of issues?

Best regards.

Re: Reverse Proxy and Authentication port redirect

tseebach — Wed, 17 Feb 2016 07:23:24 GMT

Hi Christian,

I'm a bit further than you. Have you opened port 4248? And then try manually changing the url to http://server/form/?qlikTicket=fjIquFKJf0IYSEUf

The procedure for login is: Go to /hub which identifies that you're not logged in, which then forwards you to :4248/form/target? where you are being authenticated and send back to /hub/my/work/

This hop to and from 4248 is what you need to handle.

Re: Reverse Proxy and Authentication port redirect

tseebach — Wed, 17 Feb 2016 07:26:16 GMT

Hi Konrad,

The thing is that I'm unsure what exactly is the problem. In the last setup I've tested, I have it working internally but not externally. Which makes me believe that I'm missing a crucial rewrite part (header/cookie).

But what I'm doing now is forwarding everything on 2 ports 80/4248 based on a dns rule.

Re: Reverse Proxy and Authentication port redirect

Anonymous — Wed, 17 Feb 2016 07:54:02 GMT

Hi guys,

Here's one way (if I understand your situation(s) correctly):

I used NGINX as a proxy since it supports web sockets and wrapped up both ports 80 & 4248 behind port 80.

So, a client only connects via port 80 and the proxy then reroutes the authentication part to 4248 when talking to the qlik sense proxy.

I filmed a short video of demonstrating this when working on an implementation scenario so take a look at the attachment and hopefully it's relevant to you as well.

Cheers,

Johannes

Re: Reverse Proxy and Authentication port redirect

tseebach — Wed, 17 Feb 2016 08:20:41 GMT

Interessting, I've not thought of doing just that. We are using IIS and ARR but the principle should be the same.

Re: Reverse Proxy and Authentication port redirect

Anonymous — Wed, 17 Feb 2016 09:58:08 GMT

It came up as a requirement as the organization I was working with refused any additional ports besides 80/443 when accessing from outside.

Re: Reverse Proxy and Authentication port redirect

Wed, 17 Feb 2016 17:09:56 GMT

Hi Johannes,

Could you please share your nginx.conf file?

I am trying to duplicate your configuration, but I am getting some errors.

Thanks,

Stephane

Re: Reverse Proxy and Authentication port redirect

Anonymous — Thu, 18 Feb 2016 03:44:10 GMT

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes 1;

events {

worker_connections 1024;

}

http {

include mime.types;

default_type application/octet-stream;

sendfile on;

keepalive_timeout 65;

gzip on;

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}

server {

location / {

proxy_pass http://sense-pn.sense.local;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header Host $http_host;

proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

proxy_read_timeout 60m;

}

location /form/ {

proxy_set_header Host $http_host;

proxy_pass http://sense-pn.sense.local:4248;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_read_timeout 60m;

}

Re: Reverse Proxy and Authentication port redirect

tseebach — Thu, 18 Feb 2016 15:20:30 GMT

Thanks to Sunden, I'm getting closer to a working setup. Right now I'm actually able to get around the 4248 problem. But after the auth redirect I'm stuck. Here is my config:

</rule>

</rule>

</outboundRules>

<rules>

</rule>

</rule>

</rule>

</rules>

</rewrite>

Re: Reverse Proxy and Authentication port redirect

Thu, 18 Feb 2016 16:51:46 GMT

Thank you Johannes,

I got it to work. I am also using an external domain name to reach the Qlik Sense server. That's just works fine for me.

I still have a problem and I hope you could help me.

I have a client with un High Security Corporate network and using the Browser on their network, we are able to reach the login Qlik Form page, enter the credentials but after pressing "Log In". We get and error from Qlik Sense.

The error seem to be related to the "Virtual Proxies" - "Central Proxy (Default)" - "Websocket origin white list". The Proxy IP address and the external domain name are both present in the list.

Do you think the Client's Proxy is changing the "Origin" of the client hitting my Proxy server?

Any recommendations or observations will be appreciated.

Thanks

Stephane

Re: Reverse Proxy and Authentication port redirect

Anonymous — Fri, 19 Feb 2016 08:16:04 GMT

Hi Stephane,

Great that you got it working.

With regards to the client from the high security corporate network.. could it be that they have a proxy filtering the outgoing web traffic that blocks WebSocket traffic? If possible, you could have them check the traffic with a tool like Fiddler to see if the connection upgrade from HTTP to WS fails after login.

What is the error message that they're getting?

Cheers,

Johannes

Re: Reverse Proxy and Authentication port redirect

csellei — Fri, 19 Feb 2016 12:48:57 GMT

Hi Johannes,

Do you know in which part of the process Sense switch from HTTP to WS?

I'm asking because in my case I can see the session active into Qlik Sense for the user, but Qlik Sense Hub never shows up at client machine, it just get freezed at the Login Page until client time put occurs (I already tryed it with Qlik Sense Login Form).

By other and, Juniper is establishing a SLL Tunnel between client and Sense. Do you know if there is some known restriction whit this?

Thanks and best regards.

Christian.

Re: Reverse Proxy and Authentication port redirect

Anonymous — Mon, 22 Feb 2016 04:47:07 GMT

Hi Christian,

After the authentication and ticket issue the protocol will be upgraded to websocket. If you use a web debugger to look at the traffic you'll see a switching protocol call that upgrades https to wss or http to ws, followed by a web socket protocol handshake call.

With regards to the connection over Juniper it should be fine as it supports web sockets.Not sure about required configuration though.

Try checking with a debugger and see where it fails. My guess is at the point of upgrading to the websocket protocol, and in that case, check configuration on the Juniper side.

Re: Reverse Proxy and Authentication port redirect

tseebach — Wed, 24 Feb 2016 07:41:43 GMT

So I've tested everything I could think of. But IIS with ARR does somethings that I cannot control. It also does not log the actual url that is being generated behind the scene. So I have removed IIS, and installed nginx, and with Sunden's configuration it works nicely. You will however have to a the external address to a websocket whitelist.

This is a package for free download that runs on windows, so from there it was pretty easy.

Re: Reverse Proxy and Authentication port redirect

Anonymous — Sat, 27 Feb 2016 06:34:02 GMT

Glad that you got it working Torben!

Not sure what was wrong on the IIS ARR side but I do appreciate the flexibility and lightweight approach of NGINX.

Re: Reverse Proxy and Authentication port redirect

scottsmp — Mon, 11 Apr 2016 21:39:32 GMT

Torben, what is the document you are quoting from? I'm looking for information on using a reverse proxy with Qlik Sense.