Skip to main content
Announcements
NEW: Seamless Public Data Sharing with Qlik's New Anonymous Access Capability: TELL ME MORE!
cancel
Showing results for 
Search instead for 
Did you mean: 
tseebach
Luminary Alumni
Luminary Alumni

Reverse Proxy and Authentication port redirect

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

37 Replies
Not applicable

Hi Johannes,

Could you please share your nginx.conf file?

I am trying to duplicate your configuration, but I am getting some errors.

Thanks,

Stephane

Anonymous
Not applicable

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    gzip  on;

    map $http_upgrade $connection_upgrade {

        default upgrade;

        ''      close;

    }

server {

  location / {

  proxy_pass http://sense-pn.sense.local;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_set_header Host $http_host;

  proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

  proxy_read_timeout 60m;

  }

  location /form/ {

  proxy_set_header Host $http_host;

  proxy_pass http://sense-pn.sense.local:4248;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_read_timeout 60m;

  }

}

}

tseebach
Luminary Alumni
Luminary Alumni
Author

Thanks to Sunden, I'm getting closer to a working setup. Right now I'm actually able to get around the 4248 problem. But after the auth redirect I'm stuck. Here is my config:

<rewrite>

            <outboundRules>

                <clear />

                <rule name="4248 form">

                    <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local:4248l/form(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/form{R:2}" />

                </rule>

                <rule name="all">

                    <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local/(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/{R:2}" />

                </rule>

            </outboundRules>

            <rules>

                <clear />

                <rule name="4248 form" stopProcessing="true">

                    <match url="^form(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local:4248/form{R:1}" logRewrittenUrl="true" />

                </rule>

                <rule name="qlikTicket" stopProcessing="true">

                    <match url="qlikTicket=(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/hub?{R:0}" logRewrittenUrl="true" />

                </rule>

                <rule name="hub" stopProcessing="true">

                    <match url="(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/{R:0}" logRewrittenUrl="true" />

                </rule>

            </rules>

        </rewrite>

Not applicable

Thank you Johannes,

I got it to work. I am also using an external domain name to reach the Qlik Sense server. That's just works fine for me.

I still have a problem and I hope you could help me.

I have a client with un High Security Corporate network and using the Browser on their network, we are able to reach the login Qlik Form page, enter the credentials but after pressing "Log In". We get and error from Qlik Sense.

The error seem to be related to the "Virtual Proxies" - "Central Proxy (Default)" - "Websocket origin white list". The Proxy IP address and the external domain name are both present in the list.

Do you think the Client's Proxy is changing the "Origin" of the client hitting my Proxy server?

Any recommendations or observations will be appreciated.

Thanks

Stephane

Anonymous
Not applicable

Hi Stephane,

Great that you got it working.

With regards to the client from the high security corporate network.. could it be that they have a proxy filtering the outgoing web traffic that blocks WebSocket traffic? If possible, you could have them check the traffic with a tool like Fiddler to see if the connection upgrade from HTTP to WS fails after login.

What is the error message that they're getting?

Cheers,

Johannes

csellei
Partner - Creator
Partner - Creator

Hi Johannes,

Do you know in which part of the process Sense switch from HTTP to WS?

I'm asking because in my case I can see the session active into Qlik Sense for the user, but Qlik Sense Hub never shows up at client machine, it just get freezed at the Login Page until client time put occurs (I already tryed it with Qlik Sense Login Form).

By other and, Juniper is establishing a SLL Tunnel between client and Sense. Do you know if there is some known restriction whit this?

Thanks and best regards.

Christian.

Anonymous
Not applicable

Hi Christian,

After the authentication and ticket issue the protocol will be upgraded to websocket. If you use a web debugger to look at the traffic you'll see a switching protocol call that upgrades https to wss or http to ws, followed by a web socket protocol handshake call.

With regards to the connection over Juniper it should be fine as it supports web sockets.Not sure about required configuration though.

Try checking with a debugger and see where it fails. My guess is at the point of upgrading to the websocket protocol, and in that case, check configuration on the Juniper side.

tseebach
Luminary Alumni
Luminary Alumni
Author

So I've tested everything I could think of. But IIS with ARR does somethings that I cannot control. It also does not log the actual url that is being generated behind the scene. So I have removed IIS, and installed nginx, and with Sunden's configuration it works nicely. You will however have to a the external address to a websocket whitelist.

This is a package for free download that runs on windows, so from there it was pretty easy.

Anonymous
Not applicable

Glad that you got it working Torben!

Not sure what was wrong on the IIS ARR side but I do appreciate the flexibility and lightweight approach of NGINX.

scottsmp
Partner - Contributor II
Partner - Contributor II

Torben, what is the document you are quoting from?  I'm looking for information on using a reverse proxy with Qlik Sense.