I've never set up SSL offloading with Qlik. The way I understand it is that the load balancer handles all HTTPS traffic, and it proxies that traffic unsecured to the application server (hence the "offloading" aspect of it). So I don't understand why you say it proxies traffic to Qlik proxy on port 443, because that would require the Qlik proxy to continue to encrypt and decrypt HTTPS traffic.
IIS is not used at all with Qlik Sense. It has its own "proxy" service which is essentially an HTTP/web sockets server.
If you need to set up SSL certs for Qlik Sense proxy, that should be covered in the installation and configuration PDFs.
Thank you for the reply and I apologize for any confusion. In a reference architecture for load balancing with SSL offloading to a Qlik Sense installation:
- Traffic connects to qliksense.mycompany.com on port 443, which resolves to the load balancer.
- The load balancer should be set up to proxy traffic to the Qlik Sense server (proxy node?) on port 80 (or another custom port?).
- Communication between the load balancer and the Qlik Sense server (proxy node?) is unsecured, hence the SSL offloading.
A few questions:
- Is the above conceptually correct?
- Return traffic moves from the Qlik Sense server to the load balancer unsecured. However, is the return traffic from the load balancer to the client secured?
- Qlik Sense QMC central node should be configured to Allow HTTP which will override the default service listen port HTTPS?
- Qlik Sense QMC central node does not need to be configured with an SSL browser certificate thumbprint?
- Is traffic between Qlik Sense central, data, and proxy nodes secured internally by Qlik Sense or do they require separate setup and a certificate?
From what I know of the QlikSense Proxy Service, it is a load-balancer itself and can be connected to on either 80 or 443. You can add an SSL thumbprint directly to the Proxy, which then allows for direct HTTPS access (the easy bit is adding it to QlikSense; the less easy bit is adding it to the Windows server, but this tool is really helpful - "DigiCert Certificate Utility for Windows": https://www.digi.com/util/ ).
So, in answer to your questions:
- Conceptually, I would not use an external load-balancer, I would use a QS node set up to run the QPS.
- I would connect qliksense.mycompany.com directly to the node running the QPS (there may be just one Windows server in your deployment, running all the services, or you may have a node which is dedicated to running the QPS).
- It doesn't have to be unsecured; you could apply the certificate to the Windows server and have the Proxy use it.
- You only apply the thumbprint within the Proxy (that you want to use over HTTPS).
Regarding the internal traffic, as I understand it, it creates a self-signed certificate and uses that to manage traffic securely over TLS:
I hope that helps. I'm not a security expert; however, I've done a few installs for clients. I've not been asked to use a third party load balancer. Is there a security reason for it?
Thank you David.
I have found the early version of Qlik Sense server 2.0.x to have a possible TLS Re-negotiation Denial of Service vulnerability. Because there is no web server running in front of QPS I cannot address this issue unless there is a setting in QPS itself. One solution would be to use a load balancer that would disable client-initiated renegotiation.
Also, at this particular company, they tend to place a load balancer in front of most servers and use it for automatic DR failover. That said, Qlik Sense is going to force a change in thinking about DR.
So far I have configured the load balancer with SSL offloading and configured QPS for HTTP access, but I cannot get qliksense.mycompany.com:443 (SSL offloading) to work. I get an ERR_CONNECTION_RESET each time.
Interesting to know about the DoS vulnerability in 2.0.x. Do you know if they fixed it in the feature track, 2.1?
Yeah, QS is a distributed architecture in its own right - definitely a good thing.
Just a thought, but have you checked all the ports you would need? 4248, 8080 and 80 definitely, for HTTP. Websockets generally have proven to be problematic for some clients (I do OEM installations) over HTTP and that's without the added complexity of an external load balancer.
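For readers following this thread, here is an added example (not from the thread, not Qlik's own configuration) of what the SSL-offloading front end described above looks like on an nginx load balancer: TLS terminates on the balancer for qliksense.mycompany.com, and plain HTTP is proxied to the QPS node on port 80 with the WebSocket upgrade headers forwarded, since the QPS is a web sockets server. The backend address and certificate paths are placeholders, and it assumes the QPS has already been configured to allow HTTP as discussed earlier in the thread.

```nginx
# Added example: nginx terminating TLS and offloading to a Qlik Sense
# proxy node over plain HTTP. Backend address and certificate paths
# are placeholders; the QPS is assumed to accept HTTP on port 80.

upstream qlik_proxy {
    server 10.0.0.10:80;          # placeholder: QPS node listening on HTTP
}

# Anything reaching the balancer on port 80 is redirected to HTTPS so
# the only cleartext hop is balancer -> QPS, never client -> balancer.
server {
    listen 80;
    server_name qliksense.mycompany.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name qliksense.mycompany.com;

    ssl_certificate     /etc/ssl/certs/qliksense.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/qliksense.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://qlik_proxy;
        proxy_http_version 1.1;

        # WebSocket upgrade: the QPS serves web sockets, so the Upgrade and
        # Connection headers must survive the hop or sessions will drop.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Tell the backend the original host, client address and scheme,
        # since it only ever sees plain HTTP from the balancer.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Idle web socket connections outlive nginx's 60 s default timeout.
        proxy_read_timeout 3600s;
    }
}
```

With TLS terminated here, the balancer's TLS stack rather than the QPS decides the renegotiation and protocol policy raised earlier in the thread, so verify those settings on the balancer itself.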
Hi Mike (milton.forte)
Were you able to resolve the issue with ERR_CONNECTION_RESET?
I'm doing something similar and trying to set up an external load balancer in front of Qlik Proxy nodes, and I get the same error. Wondering if you were able to resolve this error.