Solved: Re: Reverse Proxy and Authentication port redirect - Page 2 - Qlik Community

tseebach · ‎2016-02-08

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

Report Inappropriate Content · ‎2016-02-17

Hi Johannes,

Could you please share your nginx.conf file?

I am trying to duplicate your configuration, but I am getting some errors.

Thanks,

Stephane

Anonymous · ‎2016-02-17

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes 1;

events {

worker_connections 1024;

}

http {

include mime.types;

default_type application/octet-stream;

sendfile on;

keepalive_timeout 65;

gzip on;

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}

server {

location / {

proxy_pass http://sense-pn.sense.local;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header Host $http_host;

proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

proxy_read_timeout 60m;

}

location /form/ {

proxy_set_header Host $http_host;

proxy_pass http://sense-pn.sense.local:4248;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_read_timeout 60m;

}

tseebach · ‎2016-02-18

Thanks to Sunden, I'm getting closer to a working setup. Right now I'm actually able to get around the 4248 problem. But after the auth redirect I'm stuck. Here is my config:

</rule>

</rule>

</outboundRules>

<rules>

</rule>

</rule>

</rule>

</rules>

</rewrite>

Report Inappropriate Content · ‎2016-02-18

Thank you Johannes,

I got it to work. I am also using an external domain name to reach the Qlik Sense server. That's just works fine for me.

I still have a problem and I hope you could help me.

I have a client with un High Security Corporate network and using the Browser on their network, we are able to reach the login Qlik Form page, enter the credentials but after pressing "Log In". We get and error from Qlik Sense.

The error seem to be related to the "Virtual Proxies" - "Central Proxy (Default)" - "Websocket origin white list". The Proxy IP address and the external domain name are both present in the list.

Do you think the Client's Proxy is changing the "Origin" of the client hitting my Proxy server?

Any recommendations or observations will be appreciated.

Thanks

Stephane

Anonymous · ‎2016-02-19

Hi Stephane,

Great that you got it working.

With regards to the client from the high security corporate network.. could it be that they have a proxy filtering the outgoing web traffic that blocks WebSocket traffic? If possible, you could have them check the traffic with a tool like Fiddler to see if the connection upgrade from HTTP to WS fails after login.

What is the error message that they're getting?

Cheers,

Johannes

csellei · ‎2016-02-19

Hi Johannes,

Do you know in which part of the process Sense switch from HTTP to WS?

I'm asking because in my case I can see the session active into Qlik Sense for the user, but Qlik Sense Hub never shows up at client machine, it just get freezed at the Login Page until client time put occurs (I already tryed it with Qlik Sense Login Form).

By other and, Juniper is establishing a SLL Tunnel between client and Sense. Do you know if there is some known restriction whit this?

Thanks and best regards.

Christian.

Anonymous · ‎2016-02-21

Hi Christian,

After the authentication and ticket issue the protocol will be upgraded to websocket. If you use a web debugger to look at the traffic you'll see a switching protocol call that upgrades https to wss or http to ws, followed by a web socket protocol handshake call.

With regards to the connection over Juniper it should be fine as it supports web sockets.Not sure about required configuration though.

Try checking with a debugger and see where it fails. My guess is at the point of upgrading to the websocket protocol, and in that case, check configuration on the Juniper side.

tseebach · ‎2016-02-24

So I've tested everything I could think of. But IIS with ARR does somethings that I cannot control. It also does not log the actual url that is being generated behind the scene. So I have removed IIS, and installed nginx, and with Sunden's configuration it works nicely. You will however have to a the external address to a websocket whitelist.

This is a package for free download that runs on windows, so from there it was pretty easy.

Anonymous · ‎2016-02-27

Glad that you got it working Torben!

Not sure what was wrong on the IIS ARR side but I do appreciate the flexibility and lightweight approach of NGINX.

scottsmp · ‎2016-04-11

Torben, what is the document you are quoting from? I'm looking for information on using a reverse proxy with Qlik Sense.