Qlik Community

Qlik Sense Integration, Extensions, & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

Luminary
Luminary

Reverse Proxy and Authentication port redirect

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

1 Solution

Accepted Solutions
jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    gzip  on;

    map $http_upgrade $connection_upgrade {

        default upgrade;

        ''      close;

    }

server {

  location / {

  proxy_pass http://sense-pn.sense.local;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_set_header Host $http_host;

  proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

  proxy_read_timeout 60m;

  }

  location /form/ {

  proxy_set_header Host $http_host;

  proxy_pass http://sense-pn.sense.local:4248;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_read_timeout 60m;

  }

}

}

33 Replies
Highlighted
Not applicable

Re: Reverse Proxy and Authentication port redirect

Hi Torben,

I have the same problem...

I didn't not find a solution yet.

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Qlik has a paper saying its possible. Its just does not contain any details about how its actually done.Untitled.png

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Hi Torben,

I think you have to write complex rewrite rules. Did you already tried to solve it just via header authentication in a first step?

bye

Konrad

Partner
Partner

Re: Reverse Proxy and Authentication port redirect

Hi,

I'm facing a similar issue with Juniper as reverse proxy. In our case, autentication is done and session and ticket is issued for the user and the url with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keep waiting  after the loggin page and ends by time out.

Does anybody knows if there is somethig We have to be aware regarding Qlik Sense Hub requirements? The only I can get from documentation is that clients must support websockets.

Does anyone solve this kind of issues?

Best regards.

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Hi Christian,

I'm a bit further than you. Have you opened port 4248? And then try manually changing the url to http://server/form/?qlikTicket=fjIquFKJf0IYSEUf

The procedure for login is: Go to /hub which identifies that you're not logged in, which then forwards you to :4248/form/target? where you are being authenticated and send back to /hub/my/work/

This hop to and from 4248 is what you need to handle.

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Hi Konrad,

The thing is that I'm unsure what exactly is the problem. In the last setup I've tested, I have it working internally but not externally. Which makes me believe that I'm missing a crucial rewrite part (header/cookie).

But what I'm doing now is forwarding everything on 2 ports 80/4248 based on a dns rule.

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi guys,

Here's one way (if I understand your situation(s) correctly):

I used NGINX as a proxy since it supports web sockets and wrapped up both ports 80 & 4248 behind port 80.

So, a client only connects via port 80 and the proxy then reroutes the authentication part to 4248 when talking to the qlik sense proxy.

I filmed a short video of demonstrating this when working on an implementation scenario so take a look at the attachment and hopefully it's relevant to you as well.

Cheers,

Johannes

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Interessting, I've not thought of doing just that. We are using IIS and ARR but the principle should be the same.

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

It came up as a requirement as the organization I was working with refused any additional ports besides 80/443 when accessing from outside.