Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
tseebach
Luminary Alumni
Luminary Alumni

Reverse Proxy and Authentication port redirect

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

1 Solution

Accepted Solutions
Anonymous
Not applicable

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    gzip  on;

    map $http_upgrade $connection_upgrade {

        default upgrade;

        ''      close;

    }

server {

  location / {

  proxy_pass http://sense-pn.sense.local;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_set_header Host $http_host;

  proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

  proxy_read_timeout 60m;

  }

  location /form/ {

  proxy_set_header Host $http_host;

  proxy_pass http://sense-pn.sense.local:4248;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_read_timeout 60m;

  }

}

}

View solution in original post

37 Replies
Not applicable

Hi Torben,

I have the same problem...

I didn't not find a solution yet.

tseebach
Luminary Alumni
Luminary Alumni
Author

Qlik has a paper saying its possible. Its just does not contain any details about how its actually done.Untitled.png

konrad_mattheis
Luminary Alumni
Luminary Alumni

Hi Torben,

I think you have to write complex rewrite rules. Did you already tried to solve it just via header authentication in a first step?

bye

Konrad

csellei
Partner - Creator
Partner - Creator

Hi,

I'm facing a similar issue with Juniper as reverse proxy. In our case, autentication is done and session and ticket is issued for the user and the url with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keep waiting  after the loggin page and ends by time out.

Does anybody knows if there is somethig We have to be aware regarding Qlik Sense Hub requirements? The only I can get from documentation is that clients must support websockets.

Does anyone solve this kind of issues?

Best regards.

tseebach
Luminary Alumni
Luminary Alumni
Author

Hi Christian,

I'm a bit further than you. Have you opened port 4248? And then try manually changing the url to http://server/form/?qlikTicket=fjIquFKJf0IYSEUf

The procedure for login is: Go to /hub which identifies that you're not logged in, which then forwards you to :4248/form/target? where you are being authenticated and send back to /hub/my/work/

This hop to and from 4248 is what you need to handle.

tseebach
Luminary Alumni
Luminary Alumni
Author

Hi Konrad,

The thing is that I'm unsure what exactly is the problem. In the last setup I've tested, I have it working internally but not externally. Which makes me believe that I'm missing a crucial rewrite part (header/cookie).

But what I'm doing now is forwarding everything on 2 ports 80/4248 based on a dns rule.

Anonymous
Not applicable

Hi guys,

Here's one way (if I understand your situation(s) correctly):

I used NGINX as a proxy since it supports web sockets and wrapped up both ports 80 & 4248 behind port 80.

So, a client only connects via port 80 and the proxy then reroutes the authentication part to 4248 when talking to the qlik sense proxy.

I filmed a short video of demonstrating this when working on an implementation scenario so take a look at the attachment and hopefully it's relevant to you as well.

Cheers,

Johannes

tseebach
Luminary Alumni
Luminary Alumni
Author

Interessting, I've not thought of doing just that. We are using IIS and ARR but the principle should be the same.

Anonymous
Not applicable

It came up as a requirement as the organization I was working with refused any additional ports besides 80/443 when accessing from outside.