Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Showing results for 
Search instead for 
Did you mean: 
erikkorme
Contributor III
Contributor III

Are there any performance considerations when using HTTP or HTTPS?

Hi,

We are in the early phase of deploying a Sense server and are trying to fix correct the SSL/HTTPS-access. And now our network/server-department tells me that we should not use HTTPS/SSL-encryption in the Sense-server, because it will impact the performance of the server. We should rather use our Netscaler-appliance and use regular HTTP internally in Qlik.

Is it possible to disable SSL entirely within Sense? Is it really true for Sense that using SSL will require more of the hardware, than running without SSL?

6 Replies
korsikov
Partner - Specialist III
Partner - Specialist III

The whole world is changed to use only a secure http connection, why keep up with global trends?

In manufacture using  so powerful Qlik server that there is no difference between http and https.

In any case, you enable access to the server via http check option "Allow http" in  proxy settings https:Yourhost/qmc/proxies

erikkorme
Contributor III
Contributor III
Author

Thanks for your reply. Although I personally agree with you, it seems that our internal policy makers disagree and prefer to use HTTP when on our intranet. I did already enable HTTP, but I was looking for a way to disable HTTPS.

Not applicable

Did you figure out a way to disable SSL? Setting the app to "use both" also required opening ports 4848, 4244, and 4248 in addition to 80 in the network appliance.

FYI, It's common for SSL/TLS to be managed by more robust network appliances which do load balancing and firewall tasks. Can you imagine managing every single server's firewall configuration individually? Especially if you have 100 machines in your VPC. Yuk. Centralizing TLS and Firewall greatly simplifies key management and scaling as well as interconnectivity inside the intranet (VPC).

Not applicable

Hi Erik,

This is called SSL offloading and is actually a pretty neat feature of the NetScaler. Basically, you shift all of the processing required for SSL encryption off of your application/web server and onto the NetScaler, which has dedicated resources for this task. It's pretty slick.

The amount of resources that your system requires to handle SSL transactions ultimately depends on the volume of traffic you're processing. So yes, it's really true that it requires more hardware/processing power.....but how much is dependent upon your environment.

On the Quick Installation Guide - page 8 - it lists deactivating HTTPS as a post-installation step in the management console proxy settings interface. It refers to the following topic on the help site for more info: Administering Qlik Sense > Managing a Qlik Sense site > Configuring Qlik Sense > Configuring security > Changing proxy certificate

Unfortunately I don't see where in the screenshots it has anything about 'deactivating' HTTPS; it only shows the option to allow HTTP. So I'm not entirely sure where this is done.

erikkorme
Contributor III
Contributor III
Author

Hi Josh and Joe,

You are of course both correct. We do also have a NetScaler appliance and our networks and server team strongly advise the BI-team to use NetScaler for HTTPS security.

I have not found any way to disable HTTPS, but I assume I could just block the HTTPS traffic in the firewall or something.

Did any of you successfully set up NetScaler together with QlikView Server or Qlik Sense server?

Our idea is to force all traffic to Sense Server to go through the NetScaler-appliance and use Header authentication, but we haven't gotten around to complete the setup yet.

Thanks for sharing any experiences and tips and tricks!

Alexander_Thor
Employee
Employee

Depending on your NetScaler setup you might have to enable websocket support otherwise it will drop your requests.

You most likely also want to add the NetScaler domain/primary hostname to the white list in QMC, just in case they alter the origin header in the request. We check every incoming websocket request against the whitelist to ensure that no unauthorized inbound traffic occurs.

I'm not sure if you can turn off SSL support, then again just block it in the firewall. If you have no incoming connections the server won't use resources to de-code/encode SSL traffic.

All Qlik Sense Client files is set up to respect your domain and protocol, so serving up the client and hub over http and it will never request a resource over https.