Quick guide to configure Apache as a Reverse Proxy with HTTPS, ADFS SAML and Qlik Sense

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Prerequisites:

• Valid 3rd Party SSL certificates will be trusted by the Apache Web Server/Qlik Sense Server/ADFS server and are configured 
  • Note: Tested with all the certificates being created by the same Certificate Authority (CA - Tinycert.org) accompanied by the same Trusted Root across all servers.
  • Note 2: Tested Qlik Sense with a valid SSL certificate bound to the Proxy Service - How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate / Editing proxies
  • Note 3: Tested using SHA256 certificates for SAML and verify that all certificates are configured correctly with the proper Cryptographic Providers - Error 500 - Internal server error in the Hub/QMC when connecting through SAML authentication
  • Note 4: For HTTPS/SSL for Apache needs the certificate to be split into two files (.crt and .key) - Same process is used for NPrinting and is described in the article: How to convert a certificate for NPrinting to the .key and .crt files for HTTPS/SSL in the Web Conso...
• Access to Sense installed on a server that is configured to use SAML ADFS - Configuration of ADFS can be found in the article: Quick Guide to installing ADFS for testing SAML
• Access to a server to install and configure Apache Web Server

Example Environment:

• Qlik Sense: QlikServer1.domain.local - IP: 172.16.16.100
• Apache Web Server: QlikServer3.domain.local  - IP: 172.16.16.102
  • Other Active Servers:AD FS: DC1.domain.local
• Qlik Sense February 2018 GA
• Windows 2016
• ADFS 4.0 
• Apache 2.4 (httpd-2.4.33-o110h-x64-vc14-r2)
• HTTPS / SSL - SHA256 with "Microsoft Enhanced RSA and AES Cryptographic Provider" added Enabled / Active on Sense, ADFS and Apache. 

Note: This documentation is only to used to validate and test ADFS SAML while using Apache as a Reverse Web Server and HTTPS/SSL is enabled. This example is under the assumption there's an understanding of the environment and having the proper permissions to perform the actions shown. Accounts used are all Local Administrators and the servers are open, with nothing blocked and no other programs installed on them.​Read the entire documentation to verify access and understanding of all actions stated within prior to starting the install and configuration. Any other versions or configurations of any software may need other steps/options/settings/etc ... that are not documented here. ​Use this at your own discretion as Qlik does NOT support Apache/OpenSSL/ADFS in their installation/configuration or use.

Setup

Step 1:

Download (​Recommended to verify the zip file is not Blocked: Right click on the zip file -> Properties -> General -> Click Unblock -> Apply), Extract the Zip file and Read the "readme_first.html" then use the instructions to Install Apache Web Server as Service on a separate machine from Sense and ADFS - https://httpd.apache.org/docs/2.4/platform/windows.html. Verify Apache is running under HTTP/HTTPS.
Location Installed: C:\Apache24\

Note: Tested with http://www.apachehaus.com version Apache 2.4.33 x64 Distribution File: httpd-2.4.33-o110h-x64-vc14-r2.zip

Step 2:

Place a valid certificates .crt and .key files on the Apache Web Server.
Location used: C:\Apache24\conf\ssl

Note: Process used: How to convert a certificate for NPrinting to the .key and .crt files for HTTPS/SSL in the Web Conso...

Step 3:

Navigate to the location and Edit the "httpd.conf" file (Location used: C:\Apache24\conf\). Then uncomment certain modules used in this example and save the file.

Search for and then uncomment the following modules:

• LoadModule proxy_module modules/mod_proxy.so
• LoadModule proxy_http_module modules/mod_proxy_http.so
• LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
• LoadModule rewrite_module modules/mod_rewrite.so
• LoadModule vhost_alias_module modules/mod_vhost_alias.so

Find and uncomment the following line so that the reverse proxy will use the configuration that will be written later:

Include conf/extra/httpd-vhosts.conf

Note: To uncomment the option/module remove the pound ( # ) symbol in front of the line and save the file.

Step 4:

Navigate to and Edit the file "httpd-vhosts.conf" under the directory (Location used: C:\Apache24\conf\extra) to add the virtual host that will used for Qlik Sense and save the file. 

Example "httpd-vhosts.conf":

# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Qlik Sense configuration needed:
#
# - Create a new virtual proxy with SAML called adfsapache
# - Add reverse proxy name and IP address to whitelist of virtual proxy
#Put IP address of reverse proxy as LOCAL_ADDR
#Put IP address of Qlik Sense server as REMOTE_ADDR
#Put your virtual proxy prefix as VIRTUAL_PROXY

Define LOCAL_ADDR 172.16.16.102
Define REMOTE_ADDR 172.16.16.100
Define VIRTUAL_PROXY adfsapache
 
<VirtualHost *:443>
    ServerAdmin name@qlik.com
    DocumentRoot "${SRVROOT}/htdocs"
    ServerName ${LOCAL_ADDR}:443
    ServerAlias qlikserver3.domain.local
    
    SSLProxyEngine on
    SSLEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    
   #Location of the SSL certificate used for this virtual host in their .crt and .key file format
    SSLCertificateFile  "${SRVROOT}/conf/ssl/QlikServer3Certificate.crt"
    SSLCertificateKeyFile   "${SRVROOT}/conf/ssl/QlikServer3Certificate.key"
 
    ProxyRequests Off
    ProxyPreserveHost On
    KeepAlive On

    RewriteEngine On

    # If it is a websocket request forward as websocket traffic
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule ^/(.*) wss://${REMOTE_ADDR}%{REQUEST_URI} [P]
    <Proxy *>
         Require all granted
    </Proxy>
    <Location /${VIRTUAL_PROXY}>
        ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300
        ProxyPassReverse https://${REMOTE_ADDR}/${VIRTUAL_PROXY}
    </Location>
</Virtualhost>

Note: Some parameters/options may need to be turned off or on depending on your certificates and other configuration items.

Step 5 & 6:

For Steps 5 & 6, refer to Article Quick Guide to installing ADFS for testing SAML starting from Step 5 until Step 11  and apply where needed

Step 7:

Configure a Virtual Proxy in Qlik Sense called "adfsapache"

Note: Verify the Host allow list has the correct IPs/DNS (FQDN/Servername/Alias) added to it,

Step 8:

Create the Relaying Party Trust for the "adfsapache" Virtual Proxy in ADFS

Step 9:

Restart the Apache Web Server service and attempt to log into a URL from a machine that's NOT the Apache Server. Example URL: https://qlikserver3.domain.local/adfsapache 

Note: Reason for attempting it outside the Apache Web Server is that certain OS level settings may not allow access to the FQDN/Servername locally to the machine. Review this article if you're able to connect to it locally with IP/Localhost: Authentication failed repeatedly when using external DNS alias locally on the server

Environment:

Qlik Sense Enterprise on Windows