Qlik Community

Qlik Sense Integration, Extensions, & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

Not applicable

Re: Reverse Proxy and Authentication port redirect

Hi Johannes,

Could you please share your nginx.conf file?

I am trying to duplicate your configuration, but I am getting some errors.

Thanks,

Stephane

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi Stephane,

Absolutely. Here's the configuration I'm using:

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    gzip  on;

    map $http_upgrade $connection_upgrade {

        default upgrade;

        ''      close;

    }

server {

  location / {

  proxy_pass http://sense-pn.sense.local;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_set_header Host $http_host;

  proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;

  proxy_read_timeout 60m;

  }

  location /form/ {

  proxy_set_header Host $http_host;

  proxy_pass http://sense-pn.sense.local:4248;

  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;

  proxy_set_header Connection "upgrade";

  proxy_read_timeout 60m;

  }

}

}

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Thanks to Sunden, I'm getting closer to a working setup. Right now I'm actually able to get around the 4248 problem. But after the auth redirect I'm stuck. Here is my config:

<rewrite>

            <outboundRules>

                <clear />

                <rule name="4248 form">

                    <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local:4248l/form(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/form{R:2}" />

                </rule>

                <rule name="all">

                    <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local/(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/{R:2}" />

                </rule>

            </outboundRules>

            <rules>

                <clear />

                <rule name="4248 form" stopProcessing="true">

                    <match url="^form(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local:4248/form{R:1}" logRewrittenUrl="true" />

                </rule>

                <rule name="qlikTicket" stopProcessing="true">

                    <match url="qlikTicket=(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/hub?{R:0}" logRewrittenUrl="true" />

                </rule>

                <rule name="hub" stopProcessing="true">

                    <match url="(.*)" />

                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />

                    <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/{R:0}" logRewrittenUrl="true" />

                </rule>

            </rules>

        </rewrite>

Not applicable

Re: Reverse Proxy and Authentication port redirect

Thank you Johannes,

I got it to work. I am also using an external domain name to reach the Qlik Sense server. That's just works fine for me.

I still have a problem and I hope you could help me.

I have a client with un High Security Corporate network and using the Browser on their network, we are able to reach the login Qlik Form page, enter the credentials but after pressing "Log In". We get and error from Qlik Sense.

The error seem to be related to the "Virtual Proxies" - "Central Proxy (Default)" - "Websocket origin white list". The Proxy IP address and the external domain name are both present in the list.

Do you think the Client's Proxy is changing the "Origin" of the client hitting my Proxy server?

Any recommendations or observations will be appreciated.

Thanks

Stephane

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi Stephane,

Great that you got it working.

With regards to the client from the high security corporate network.. could it be that they have a proxy filtering the outgoing web traffic that blocks WebSocket traffic? If possible, you could have them check the traffic with a tool like Fiddler to see if the connection upgrade from HTTP to WS fails after login.

What is the error message that they're getting?

Cheers,

Johannes

Partner
Partner

Re: Reverse Proxy and Authentication port redirect

Hi Johannes,

Do you know in which part of the process Sense switch from HTTP to WS?

I'm asking because in my case I can see the session active into Qlik Sense for the user, but Qlik Sense Hub never shows up at client machine, it just get freezed at the Login Page until client time put occurs (I already tryed it with Qlik Sense Login Form).

By other and, Juniper is establishing a SLL Tunnel between client and Sense. Do you know if there is some known restriction whit this?

Thanks and best regards.

Christian.

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi Christian,

After the authentication and ticket issue the protocol will be upgraded to websocket. If you use a web debugger to look at the traffic you'll see a switching protocol call that upgrades https to wss or http to ws, followed by a web socket protocol handshake call.

With regards to the connection over Juniper it should be fine as it supports web sockets.Not sure about required configuration though.

Try checking with a debugger and see where it fails. My guess is at the point of upgrading to the websocket protocol, and in that case, check configuration on the Juniper side.

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

So I've tested everything I could think of. But IIS with ARR does somethings that I cannot control. It also does not log the actual url that is being generated behind the scene. So I have removed IIS, and installed nginx, and with Sunden's configuration it works nicely. You will however have to a the external address to a websocket whitelist.

This is a package for free download that runs on windows, so from there it was pretty easy.

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Glad that you got it working Torben!

Not sure what was wrong on the IIS ARR side but I do appreciate the flexibility and lightweight approach of NGINX.

scottsmp
New Contributor II

Re: Reverse Proxy and Authentication port redirect

Torben, what is the document you are quoting from?  I'm looking for information on using a reverse proxy with Qlik Sense.