Solved: Qlik sense Apache reverse proxy for ADFS authentic... - Qlik Community

sootlaj · ‎2020-11-12

Hi!

I'm trying to set up a Apache reverse proxy in front of QS adfs virtual proxy and I am using the setup suggested here. But it wont work for me. Everything is fine until I enter my credentials in the ADFS login page, then I get automatically redirected to the internal URL of the QS virtual proxy. I also found this handy hint, but it's a bit vague for a dim person like me.

Apache VHost configuration:

Spoiler

Define LOCAL_ADDR qs.proxyaddress.com

Define REMOTE_ADDR qs.internal.com

Define VIRTUAL_PROXY adfs

# ServerAdmin name@qlik.com

# DocumentRoot "${SRVROOT}/htdocs"

ServerName ${LOCAL_ADDR}:443

ServerAlias qs.proxyaddress.com

SSLProxyEngine on

SSLEngine on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

#Location of the SSL certificate used for this virtual host in their .crt and .key file format

SSLCertificateFile ssl/cert/star_proxyaddress.crt

SSLCertificateKeyFile ssl/key/star_proxyaddress.key

SSLCertificateChainFile ssl/CA/DigiCertCA.crt

ErrorLog /var/log/httpd/qs.error.log

TransferLog /var/log/httpd/qs.access.log

ProxyRequests Off

ProxyPreserveHost On

KeepAlive On

RewriteEngine On

# If it is a websocket request forward as websocket traffic

RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]

RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]

RewriteRule ^/(.*) wss://${REMOTE_ADDR}%{REQUEST_URI} [P]

Require all granted

</Proxy>

ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300

ProxyPassReverse https://${REMOTE_ADDR}/${VIRTUAL_PROXY}

</Location>

</Virtualhost>

Define LOCAL_ADDR qs.proxyaddress.com Define REMOTE_ADDR qs.internal.com Define VIRTUAL_PROXY adfs<VirtualHost 10.1.x.x:443> # ServerAdmin name@qlik.com# DocumentRoot "${SRVROOT}/htdocs" ServerName ${LOCAL_ADDR}:443 ServerAlias qs.proxyaddress.com SSLProxyEngine on SSLEngine on SSLProxyCheckPeerCN off SSLProxyCheckPeerName off #Location of the SSL certificate used for this virtual host in their .crt and .key file format SSLCertificateFile ssl/cert/star_proxyaddress.crt SSLCertificateKeyFile ssl/key/star_proxyaddress.key SSLCertificateChainFile ssl/CA/DigiCertCA.crt ErrorLog /var/log/httpd/qs.error.log TransferLog /var/log/httpd/qs.access.log ProxyRequests Off ProxyPreserveHost On KeepAlive On RewriteEngine On # If it is a websocket request forward as websocket traffic RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC] RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC] RewriteRule ^/(.*) wss://${REMOTE_ADDR}%{REQUEST_URI} [P] <Proxy *> Require all granted </Proxy> <Location /${VIRTUAL_PROXY}> ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300 ProxyPassReverse https://${REMOTE_ADDR}/${VIRTUAL_PROXY} </Location> </Virtualhost>

So when I access qs.proxyaddress.com I get redirected to the ADFS host login page, where I enter my credentials and then I get redirected to qs.internal.com/adfs/hub which is only accessible from our internal network.

sootlaj · ‎2020-11-13

So I post the solution here if any other lost soul stumbles onto this problem. Since ADFS is doing the redirection part it's a really good idea to check if ADFS relying party trust endpoint is configured correctly, it should have the reverse proxy url there.

View solution in original post

sootlaj · ‎2020-11-13

So I post the solution here if any other lost soul stumbles onto this problem. Since ADFS is doing the redirection part it's a really good idea to check if ADFS relying party trust endpoint is configured correctly, it should have the reverse proxy url there.

Qlik sense Apache reverse proxy for ADFS authentication

Apache

proxy

Qlik Sense

SAML