Solved: Re: Reverse Proxy and Authentication port redirect - Page 3 - Qlik Community

tseebach · ‎2016-02-08

Hi,

I need to setup a reverse proxy, in front of a Qlik Sense server. This reverse proxy handles that different domains, provide different services. Such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

The reverse proxy runs fine, and does what it should .But I have a problem when I need to authenticate, and the reverse proxy jums to the 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

Any ideas?

I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

tseebach · ‎2016-05-12

Hi Sunden,

In regards to your NGINX conf, you need also to address if windows authentication occurs:

server {

listen 80;

rewrite_log on;

server_name gnqs1.itellidemo.dk;

location / {

proxy_pass http://wssdsqs101.itellidemo.local;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header Host $http_host;

proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/form/;

proxy_redirect $scheme://$host:4248/windows_authentication/ $scheme://$http_host/windows_authentication/;

proxy_read_timeout 60m;

}

location /form {

proxy_set_header Host $http_host;

proxy_pass http://wssdsqs101.itellidemo.local:4248;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_read_timeout 60m;

}

location /windows_authentication {

proxy_set_header Host $http_host;

proxy_pass http://wssdsqs101.itellidemo.local:4248;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_read_timeout 60m;

}

Anonymous · ‎2016-05-15

Hi Torben,

Yes - you're correct. I omitted that part before.

Also, I played around a bit with IIS ARR and URL Rewrite and put together a small guide for how to set it up that seems to work on my end (see attached).

Cheers,

Johannes

tseebach · ‎2016-05-25

adding that line to handle the window_authentication url seems not to work at all.

On windows machines the request just gets stuck at windows_authentication?targetId=0f7b7a36-3b94-4297-957e-583466af3f5b

And I cannot figure out where to redirect it to, any ideas?

undergrinder · ‎2016-07-12

Hi Torben,

Thank you the example, it works.

The problem is the loading the hub is very slow (several minutes).

Do you have any suggestion?

Thank you very much!

G.

Report Inappropriate Content · ‎2016-11-22

Hi Cristian,

Christian Sellei <span class="icon-status-icon icon-partner" title="Partner"></span> schrieb:

I'm facing a similar issue with Juniper as reverse proxy. In our case, autentication is done and session and ticket is issued for the user and the url with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keep waiting after the loggin page and ends by time out.

Did you ever find a solution for this issue? These particular Juniper devices are now branded Pulse and we're having exactly the same issue here, today. qlickTicket is issued, i see as much in the logs, but the gateway never continues after that.

Best regards,

Bernd

tseebach · ‎2016-11-22

Hi Bernd,

Try the following, use Forms instead of Windows Authentication. I've had issues with the fact that the windows auth didn't work with my proxies, because of NTLM passthrough issues.

So if the URL contains windows_authtication, then make a rewrite to forms and remember to keep the port and ?qlikticket parameters.

My redirect rule in nginx looks like this:

$scheme://$host:4248/windows_authentication $scheme://$http_host:4248/form;

csellei · ‎2016-11-22

Unfortunately no.

Issue resides at url dinamic redirection. Juniper support says that they can't mannage the redirection between the Hub URL and authentication URL, they need static url. I can't tell if this is a final statement or if it's just out of support scope, since I'm not a juniper expert. they didin't provide an alternative solution.

Finally, customer made available a VPN access for the users.

If you have a resolution for Juniper, I'll appreciate any comment.

Best regards.

Christian.

Report Inappropriate Content · ‎2016-11-22

I do think that the whole redirection loop actually works, as i see in all my traces that a qlickTicket is generated together with a 302 to the old destination, then the Pulse gateway issues a GET request with the qlickTicket code appended and gets a 200 OK with a Set-Cookie header and a X-Qlik-Session cookie. But the qlik server stops after sending the headers and never finishes the http response 😞 When doing the same request with a browser and not via the Pulse gateway, the whole thing looks almost the same, just that the server continues sending data.

Report Inappropriate Content · ‎2016-11-23

there is a solution, you need an proxy authentication server because Qlik uses a non-standard port which is usually incompatible with corporate firewalls.

Report Inappropriate Content · ‎2016-12-19

Hello, I'm trying to set up a Nginx reverse proxy on a qlik sense server. The reverse proxy redirects to the authentication page (form) and after authentication to the hub but I have an error in Qlik Sense following the failed WebSocket handshake.

I use the same config that was posted by Johannes Sunden in this topic and my reverse proxy listen on the port 3000.