Qlik Community

Qlik Sense Integration, Extensions, & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Hi Sunden,

In regards to your NGINX conf, you need also to address if windows authentication occurs:

server {

    listen      80;

    rewrite_log on;

    server_name     gnqs1.itellidemo.dk;

        location / {

            proxy_pass  http://wssdsqs101.itellidemo.local;

            proxy_http_version  1.1;

            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection "upgrade";

            proxy_set_header Host $http_host;

            proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/form/;

            proxy_redirect $scheme://$host:4248/windows_authentication/ $scheme://$http_host/windows_authentication/;

            proxy_read_timeout  60m;

        }

        location /form {

            proxy_set_header Host $http_host;

            proxy_pass http://wssdsqs101.itellidemo.local:4248;

            proxy_http_version 1.1;

            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection "upgrade";

            proxy_read_timeout 60m;

    }

        location /windows_authentication {

            proxy_set_header Host $http_host;

            proxy_pass http://wssdsqs101.itellidemo.local:4248;

            proxy_http_version 1.1;

            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection "upgrade";

            proxy_read_timeout 60m;

    }

}

jsn
Honored Contributor

Re: Reverse Proxy and Authentication port redirect

Hi Torben,

Yes - you're correct. I omitted that part before.

Also, I played around a bit with IIS ARR and URL Rewrite and put together a small guide for how to set it up that seems to work on my end (see attached).

Cheers,

Johannes

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

adding that line to handle the window_authentication url seems not to work at all.

On windows machines the request just gets stuck at windows_authentication?targetId=0f7b7a36-3b94-4297-957e-583466af3f5b

And I cannot figure out where to redirect it to, any ideas?

undergrinder
Valued Contributor II

Re: Reverse Proxy and Authentication port redirect

Hi Torben,

Thank you the example, it works.

The problem is the loading the hub is very slow (several minutes).

Do you have any suggestion?

Thank you very much!

G.

Not applicable

Re: Reverse Proxy and Authentication port redirect

Hi Cristian,

Christian Sellei <span class="icon-status-icon icon-partner" title="Partner"></span> schrieb:

I'm facing a similar issue with Juniper as reverse proxy. In our case, autentication is done and session and ticket is issued for the user and the url with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keep waiting  after the loggin page and ends by time out.

Did you ever find a solution for this issue? These particular Juniper devices are now branded Pulse and we're having exactly the same issue here, today. qlickTicket is issued, i see as much in the logs, but the gateway never continues after that.

Best regards,

     Bernd

Luminary
Luminary

Re: Reverse Proxy and Authentication port redirect

Hi Bernd,

Try the following, use Forms instead of Windows Authentication. I've had issues with the fact that the windows auth didn't work with my proxies, because of NTLM passthrough issues.

So if the URL contains windows_authtication, then make a rewrite to forms and remember to keep the port and ?qlikticket parameters.

My redirect rule in nginx looks like this:

$scheme://$host:4248/windows_authentication $scheme://$http_host:4248/form;

Partner
Partner

Re: Reverse Proxy and Authentication port redirect

Unfortunately no.

Issue resides at url dinamic redirection. Juniper support says that they can't mannage the redirection between the Hub URL and authentication URL, they need static url. I can't tell if this is a final statement or if it's just out of support scope, since I'm not a juniper expert. they didin't provide an alternative solution.

Finally, customer made available a VPN access for the users.

If you have a resolution for Juniper, I'll appreciate any comment.


Best regards.

Christian.

Not applicable

Re: Reverse Proxy and Authentication port redirect

I do think that the whole redirection loop actually works, as i see in all my traces that a qlickTicket is generated together with a 302 to the old destination, then the Pulse gateway issues a GET request with the qlickTicket code appended and gets a 200 OK with a Set-Cookie header and a X-Qlik-Session cookie. But the qlik server stops after sending the headers and never finishes the http response 😞 When doing the same request with a browser and not via the Pulse gateway, the whole thing looks almost the same, just that the server continues sending data.

Not applicable

Re: Reverse Proxy and Authentication port redirect

there is a solution, you need an proxy authentication server because Qlik uses a non-standard port which is usually incompatible with corporate firewalls.

Not applicable

Re: Reverse Proxy and Authentication port redirect

Hello, I'm trying to set up a Nginx reverse proxy on a qlik sense server. The reverse proxy redirects to the authentication page (form) and after authentication to the hub but I have an error in Qlik Sense following the failed WebSocket handshake.

I use the same config that was posted by Johannes Sunden in this topic and my reverse proxy listen on the port 3000.