tseebach
Luminary Alumni

Reverse Proxy and Authentication port redirect

Hi,

I need to set up a reverse proxy in front of a Qlik Sense server. This reverse proxy handles different domains that provide different services, such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine and does what it should. But I have a problem when I need to authenticate and the reverse proxy jumps to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

37 Replies
tseebach
Luminary Alumni
Author

Thibaut,

You should make sure that you keep the qlikticket or targetId parameters in the URL. If you have an error and you are hanging on the auth page, then the proxy cannot figure out what to do. If that occurs, point it back to the hub with a clean URL.

If that's not the problem, then try to post your config.

Not applicable

Torben,

Thanks for answering, the problem wasn't the config and I keep the qlikticket parameter in the URL.

I found that a proxy blocks websockets for port 3000.

Now it works fine.

ChristofSchwarz
Partner Ambassador

Hi Johannes. Thanks for sharing this straightforward config file for nginx. I use it with success; the only thing that does NOT work is the importing (uploading) of files in the QMC Apps page. Uploading a .txt file into a Content Library works fine. It is NOT the app itself; the same file can be uploaded if I bypass nginx and access the Sense Server QMC directly. So I suspect this could be a config entry around mime-types which is missing in your above config example? Do you have any idea? Thank you.

markginqo
Partner - Contributor III

Thanks for posting your nginx config, seebach, it was a great help. One of our clients prepared a modified version intended for use with LetsEncrypt & Certbot that I wanted to post back here in case it is useful for others:

https://git.saxx.tech/snippets/6

server {
    listen 443 ssl;
    server_name qlik.example.com;
    root /var/www/qlik.example.com;
    index index.html;
    charset utf-8;

    location / {
        proxy_pass              https://192.168.0.1:443;
        proxy_redirect          https://192.168.0.1:443 https://qlik.example.com;

        # Headers
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # To support websockets
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";

        # Qlik requires the HTTP/1.1 protocol for the backend connection
        proxy_http_version      1.1;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/qlik.example.com-error.log error;

    sendfile off;
    client_max_body_size 100m;

    location ~ /\.ht {
        deny all;
    }

    # Used for CertBot to automatically create challenges for re-issuing SSL certs
    location /.well-known {
        root /var/www/letsencrypt;
    }

    ssl_certificate     /etc/letsencrypt/live/qlik.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qlik.example.com/privkey.pem;
}

Regards,

Mark

BuTbka_RP
Contributor

Does anyone have actual config for fresh versions of Qlik Sense?

I use that config, but I have some issues with it

server {
    listen      443 ssl;

    server_name dc.main.local;
    root /usr/share/nginx/html/tmp;
    index index.html index.htm;

    access_log /var/log/nginx/Bi.log;
    error_log  /var/log/nginx/Bi.log;

    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 5400s;
    proxy_send_timeout 600s;
    proxy_read_timeout 5400s;
    send_timeout 600s;

    ssl_certificate      /etc/nginx/ssl/dc.crt;
    ssl_certificate_key  /etc/nginx/ssl/dc.key;

    location = / {
    }
    location /internal_forms_authentication/ {
        proxy_set_header Host $http_host;
        proxy_pass https://d01dc-qliksense.main.local:4244;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 60m;
    }

    location /internal_windows_authentication/ {
        proxy_set_header Host $http_host;
        proxy_pass https://d01dc-qliksense.main.local:4244/internal_forms_authentication/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 60m;
    }

    location /qlik/ {
        proxy_set_header Host $http_host;
        # proxy_redirect $scheme://$host:4244/internal_forms_authentication/ $scheme://$http_host/qlik/internal_forms_authentication/;
        proxy_pass https://d01dc-qliksense.main.local:443/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 60m;
    }

    location ~* ^/(qmc|hub|sense|/)/(.*)$ {
        rewrite ^/(qmc|hub|sense|/)/(.*)$ /qlik/$1/ permanent;
    }
}

1. I cannot log out: the button does not react on click.

2. When I try to click the login again button (after logout by timeout), I receive error 404 with that link
https://dc.main.local/qlik/qps/?targetUri=ENCODED%3Ahttps%253a%252f%252fdc.main.local%252fqlik%252fq...

3. And the most important thing: I need to use several locations in one server section, like

location /qlik-dev/ {
    proxy_pass https://qlik-dev.main.local:443/;
}
location /qlik-test/ {
    proxy_pass https://qlik-test.main.local:443/;
}
location /qlik-prod/ {
    proxy_pass https://qlik-prod.main.local:443/;
}

Can somebody help with proper config?
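
Added example, not part of the original post or of any Qlik or nginx tooling: nginx hands server-level proxy_set_header lines down to a location only when that location sets none of its own, so in a layout like the one posted above the X-Forwarded-* headers never reach the backend (and its audit log) from locations that also set Upgrade and Connection. The sketch below audits each proxied location for that and for the WebSocket settings discussed in this thread. The sample config and its hostnames are constructed, and the parser assumes one server block, un-nested locations and one directive per line.

```python
# Added example; SAMPLE is a constructed excerpt modelled on the config posted above.
SAMPLE = """
server {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location /qlik/ {
        proxy_pass https://qlik.example.internal:443/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /qlik-dev/ {
        proxy_pass https://qlik-dev.example.internal:443/;
    }
}
"""

def parse(text):
    """Map "server" / "location ..." to (name, args) pairs; one directive per line."""
    ctx, blocks = "server", {"server": []}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("location") and line.endswith("{"):
            ctx = line[:-1].strip()
        elif line == "}":
            ctx = "server"
        elif line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            blocks.setdefault(ctx, []).append((name, args.strip()))
    return blocks

def set_headers(directives):
    return {a.split()[0].lower() for n, a in directives if n == "proxy_set_header"}

def audit(text):
    """Return {location: [findings]} for each location that has a proxy_pass."""
    blocks, report = parse(text), {}
    server, outer = dict(blocks["server"]), set_headers(blocks["server"])
    for ctx, directives in blocks.items():
        local = dict(directives)
        if ctx == "server" or "proxy_pass" not in local:
            continue
        # nginx inherits proxy_set_header only if this level defines none of its own
        sent = set_headers(directives) or outer
        found = [f"server-level {h} is not sent" for h in sorted(outer - sent)]
        if not {"upgrade", "connection"} <= sent:
            found.append("no WebSocket Upgrade/Connection headers")
        if local.get("proxy_http_version", server.get("proxy_http_version")) != "1.1":
            found.append("proxy_http_version is not 1.1")
        report[ctx] = found
    return report
```

Calling `audit(SAMPLE)` flags `/qlik/` for the dropped X-Forwarded-For header and `/qlik-dev/` for the missing WebSocket settings.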

DavideDG
Contributor

Hi BuTbka,

as far as I understood from various sources, recent versions of QlikSense (afaik, post April 2018) no longer need port 4244 for the authentication.

So, my (seemingly working) configuration for QSense Sep.2020 is based on https://support.qlik.com/articles/000105057  + some tweaks to cope with NTLM auth.

In a default configuration, QlikSense has Windows Internal Auth (aka: "NTLM") turned on for all "Windows" clients (more on this in a moment).

NTLM protocol is not easily proxied and Nginx free does not feature a module for it (Nginx Plus does, though).

QlikSense offers NTLM auth if the "User-Agent" HTTP header (sent by the browser) contains the string "Windows".

In this case, the url path is "/internal_windows_authentication/"

If the User-Agent contains something else (eg: Macintosh, Linux, etc.), then Forms Authentication is used ("/internal_forms_authentication").

So I came up with 2 alternative tweaks:

A) Modify User-Agent via nginx maps:

map $http_user_agent $ua {
  default    $http_user_agent;
  "~(?<ua_prod>.*) (?<ua_os>\(Windows .*\)) (?<ua_browser>.*)" "$ua_prod (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) $ua_browser";
}

and then use the modified user agent variable ($ua):

proxy_set_header User-Agent $ua;

B) Proxy "/internal_windows_auth" to "/internal_forms_auth":

location /internal_windows_authentication/ {
  proxy_pass https://backend-server/internal_forms_authentication/;
  # ...
}

Of the 2 solutions, I prefer B.

Although both seem to work (this is still under test, tbh), a *better* approach would be to change the configuration straight on QlikSense Virtual Proxy, either by changing the default one or adding a custom one (ofc with a new prefix).

(Please see https://community.qlik.com/t5/Support-Knowledge-Base/Logging-out-of-Qlik-Sense-Using-Forms-authentic... - solution 3)

HTH.

Davide
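
What the map in option A does to a few User-Agent strings, as an added example that is not part of the original post: it shows which requests would still be steered to the Windows authentication path after the rewrite. The sample strings are constructed, the regex is the post's with nginx's `(?<name>...)` groups written in Python's `(?P<name>...)` syntax, and `auth_path` is a hypothetical stand-in for the selection rule the post describes.

```python
import re

# The map's regex from the post; nginx "~" is a case-sensitive, unanchored match.
WINDOWS_UA = re.compile(r"(?P<ua_prod>.*) (?P<ua_os>\(Windows .*\)) (?P<ua_browser>.*)")
LINUX_OS = "(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"

def rewritten_ua(ua):
    """Value the map would assign to $ua: the rewrite on a match, else the default."""
    m = WINDOWS_UA.search(ua)
    return f"{m['ua_prod']} {LINUX_OS} {m['ua_browser']}" if m else ua

def auth_path(ua):
    """Selection rule as described in the post (assumed to be a plain substring test)."""
    if "Windows" in ua:
        return "/internal_windows_authentication/"
    return "/internal_forms_authentication/"

# Constructed sample User-Agent strings.
SAMPLES = {
    "chrome_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "firefox_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) "
                   "Gecko/20100101 Firefox/121.0",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    # No token after the closing parenthesis, so the map's regex does not match.
    "short_win": "ExampleClient/1.0 (Windows NT 10.0)",
}

def survey():
    """Return {sample: (path before the map, path after the map)}."""
    return {k: (auth_path(ua), auth_path(rewritten_ua(ua))) for k, ua in SAMPLES.items()}

if __name__ == "__main__":
    for name, paths in survey().items():
        print(name, *paths)
```

The `short_win` sample keeps its Windows token because the regex needs text after the closing parenthesis, and the Firefox sample comes out advertising AppleWebKit, which is what backend logs would then record.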

Orbis
Contributor II

Hi, Vitka! Did you find a solution?

Orbis
Contributor II

Hello!
May I ask you to share your nginx.config?
Please)