32 Replies. Latest reply: Sep 27, 2017 8:26 AM by Christof Schwarz

    Reverse Proxy and Authentication port redirect

    Torben Seebach

      Hi,

       

      I need to set up a reverse proxy in front of a Qlik Sense server. This reverse proxy handles different domains that provide different services, such as qs.domain.com proxied to qs.domain.local while sharepoint.domain.com goes to sharepoint.domain.local.

       

      The reverse proxy runs fine and does what it should. But I have a problem when I need to authenticate, and the reverse proxy jumps to port 4248 for authentication. I've not been able to figure out how to fall back to the right port after auth.

       

      Any ideas?

       

      I'm running reverse proxy on IIS with Application Request Routing and URL rewrite.

        • Re: Reverse Proxy and Authentication port redirect
          Stephane Jacques

          Hi Torben,

           

          I have the same problem...

           

          I did not find a solution yet.

          • Re: Reverse Proxy and Authentication port redirect
            Christian Sellei

            Hi,

             

            I'm facing a similar issue with Juniper as reverse proxy. In our case, authentication is done, a session and ticket are issued for the user, and the URL with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keeps waiting after the login page and ends with a timeout.

             

            Does anybody know if there is something we have to be aware of regarding Qlik Sense Hub requirements? The only thing I can get from the documentation is that clients must support websockets.

            Has anyone solved this kind of issue?

             

            Best regards.

              • Re: Reverse Proxy and Authentication port redirect
                Torben Seebach

                Hi Christian,

                 

                I'm a bit further than you. Have you opened port 4248? And then try manually changing the url to http://server/form/?qlikTicket=fjIquFKJf0IYSEUf

                 

                The procedure for login is: Go to /hub, which identifies that you're not logged in and then forwards you to :4248/form/target?, where you are authenticated and sent back to /hub/my/work/

                 

                 

                This hop to and from 4248 is what you need to handle.

                  • Re: Reverse Proxy and Authentication port redirect
                    Johannes Sunden

                    Hi guys,

                     

                    Here's one way (if I understand your situation(s) correctly):

                     

                    I used NGINX as a proxy since it supports web sockets and wrapped up both ports 80 & 4248 behind port 80.

                    So, a client only connects via port 80 and the proxy then reroutes the authentication part to 4248 when talking to the qlik sense proxy.

                     

                    I filmed a short video demonstrating this when working on an implementation scenario, so take a look at the attachment and hopefully it's relevant to you as well.

                     

                    Cheers,

                    Johannes

                      • Re: Reverse Proxy and Authentication port redirect
                        Torben Seebach

                        Interesting, I've not thought of doing just that. We are using IIS and ARR but the principle should be the same.

                          • Re: Reverse Proxy and Authentication port redirect
                            Johannes Sunden

                            It came up as a requirement as the organization I was working with refused any additional ports besides 80/443 when accessing from outside.

                              • Re: Reverse Proxy and Authentication port redirect
                                Stephane Jacques

                                Hi Johannes,

                                 

                                Could you please share your nginx.conf file?

                                I am trying to duplicate your configuration, but I am getting some errors.

                                 

                                Thanks,

                                 

                                Stephane

                                  • Re: Reverse Proxy and Authentication port redirect
                                    Johannes Sunden

                                    Hi Stephane,

                                     

                                    Absolutely. Here's the configuration I'm using:

                                     

                                    worker_processes  1;

                                    events {
                                        worker_connections  1024;
                                    }

                                    http {
                                        include       mime.types;
                                        default_type  application/octet-stream;
                                        sendfile        on;
                                        keepalive_timeout  65;
                                        gzip  on;

                                        map $http_upgrade $connection_upgrade {
                                            default upgrade;
                                            ''      close;
                                        }

                                        server {
                                            location / {
                                                proxy_pass http://sense-pn.sense.local;
                                                proxy_http_version 1.1;
                                                proxy_set_header Upgrade $http_upgrade;
                                                proxy_set_header Connection "upgrade";
                                                proxy_set_header Host $http_host;
                                                proxy_redirect $scheme://$host:4248/form $scheme://$http_host/form/;
                                                proxy_read_timeout 60m;
                                            }

                                            location /form/ {
                                                proxy_set_header Host $http_host;
                                                proxy_pass http://sense-pn.sense.local:4248;
                                                proxy_http_version 1.1;
                                                proxy_set_header Upgrade $http_upgrade;
                                                proxy_set_header Connection "upgrade";
                                                proxy_read_timeout 60m;
                                            }
                                        }
                                    }

                                      • Re: Reverse Proxy and Authentication port redirect
                                        Stephane Jacques

                                        Thank you Johannes,

                                         

                                        I got it to work. I am also using an external domain name to reach the Qlik Sense server. That just works fine for me.

                                         

                                        I still have a problem and I hope you could help me.

                                         

                                        I have a client with a High Security Corporate network, and using the browser on their network we are able to reach the Qlik login form page and enter the credentials, but after pressing "Log In" we get an error from Qlik Sense.

                                         

                                        The error seems to be related to the "Virtual Proxies" - "Central Proxy (Default)" - "Websocket origin white list". The Proxy IP address and the external domain name are both present in the list.

                                         

                                        Do you think the Client's Proxy is changing the "Origin" of the client hitting my Proxy server?

                                         

                                        Any recommendations or observations will be appreciated.

                                         

                                        Thanks

                                         

                                        Stephane

                                          • Re: Reverse Proxy and Authentication port redirect
                                            Johannes Sunden

                                            Hi Stephane,

                                             

                                            Great that you got it working.

                                             

                                            With regards to the client from the high security corporate network.. could it be that they have a proxy filtering the outgoing web traffic that blocks WebSocket traffic? If possible, you could have them check the traffic with a tool like Fiddler to see if the connection upgrade from HTTP to WS fails after login.

                                             

                                            What is the error message that they're getting?

                                             

                                            Cheers,

                                            Johannes

                                              • Re: Reverse Proxy and Authentication port redirect
                                                Christian Sellei

                                                Hi Johannes,

                                                 

                                                Do you know in which part of the process Sense switches from HTTP to WS?

                                                I'm asking because in my case I can see the session active in Qlik Sense for the user, but the Qlik Sense Hub never shows up on the client machine; it just freezes at the login page until the client timeout occurs (I already tried it with the Qlik Sense login form).

                                                On the other hand, Juniper is establishing an SSL tunnel between the client and Sense. Do you know if there is some known restriction with this?

                                                 

                                                Thanks and best regards.

                                                Christian.

                                                  • Re: Reverse Proxy and Authentication port redirect
                                                    Johannes Sunden

                                                    Hi Christian,

                                                     

                                                    After the authentication and ticket issue the protocol will be upgraded to websocket. If you use a web debugger to look at the traffic you'll see a switching protocol call that upgrades https to wss or http to ws, followed by a web socket protocol handshake call.

                                                     

                                                    With regards to the connection over Juniper, it should be fine as it supports web sockets. Not sure about the required configuration though.

                                                     

                                                    Try checking with a debugger and see where it fails. My guess is at the point of upgrading to the websocket protocol, and in that case, check configuration on the Juniper side.
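
The upgrade check described above, as an added example that is not part of the original posts: it takes the request and response heads of the WebSocket call as copied from a web debugger and reports which step failed. The captures, the host names and the assumption that the origin white list holds bare host names or IP addresses are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
WHITELIST = ["qs.example.com", "192.0.2.10"]      # constructed white list entries

# Constructed captures (not taken from a real Qlik Sense server).
GOOD_REQUEST = ("GET /app/ HTTP/1.1\r\nHost: qs.example.com\r\n"
                "Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
                "Origin: http://qs.example.com\r\n"
                "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                "Sec-WebSocket-Version: 13\r\n")
GOOD_RESPONSE = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 "Connection: Upgrade\r\n"
                 "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n")
# Same call after an outbound filtering proxy dropped the upgrade headers.
FILTERED_REQUEST = ("GET /app/ HTTP/1.1\r\nHost: qs.example.com\r\n"
                    "Connection: keep-alive\r\nOrigin: http://qs.example.com\r\n"
                    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n")
FILTERED_RESPONSE = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n"


def parse_head(raw):
    """Split a raw HTTP head into (start line, dict of lower-cased headers)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for a given client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(raw_request, raw_response, origin_whitelist):
    """Return the list of problems found in one captured upgrade exchange."""
    _, req = parse_head(raw_request)
    status_line, resp = parse_head(raw_response)
    findings = []
    tokens = [t.strip().lower() for t in req.get("connection", "").split(",")]
    if req.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        findings.append("request lost its Upgrade/Connection headers on the way")
    origin_host = req.get("origin", "").split("://", 1)[-1].split(":")[0].lower()
    if origin_host not in {h.lower() for h in origin_whitelist}:
        findings.append(f"Origin host {origin_host!r} is not in the whitelist")
    parts = status_line.split()
    status = parts[1] if len(parts) > 1 else ""
    if status != "101":
        findings.append(f"no protocol switch: status {status}")
    elif resp.get("sec-websocket-accept") != expected_accept(
            req.get("sec-websocket-key", "")):
        findings.append("101 received but Sec-WebSocket-Accept does not match the key")
    return findings


if __name__ == "__main__":
    print(diagnose(GOOD_REQUEST, GOOD_RESPONSE, WHITELIST) or "upgrade ok")
    print(diagnose(FILTERED_REQUEST, FILTERED_RESPONSE, WHITELIST))
```
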

                                              • Re: Reverse Proxy and Authentication port redirect
                                                Torben Seebach

                                                Hi Sunden,

                                                 

                                                In regards to your NGINX conf, you also need to address the case where Windows authentication occurs:

                                                 

                                                 

                                                server {
                                                    listen      80;
                                                    rewrite_log on;
                                                    server_name     gnqs1.itellidemo.dk;

                                                    location / {
                                                        proxy_pass  http://wssdsqs101.itellidemo.local;
                                                        proxy_http_version  1.1;
                                                        proxy_set_header Upgrade $http_upgrade;
                                                        proxy_set_header Connection "upgrade";
                                                        proxy_set_header Host $http_host;
                                                        proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/form/;
                                                        proxy_redirect $scheme://$host:4248/windows_authentication/ $scheme://$http_host/windows_authentication/;
                                                        proxy_read_timeout  60m;
                                                    }

                                                    location /form {
                                                        proxy_set_header Host $http_host;
                                                        proxy_pass http://wssdsqs101.itellidemo.local:4248;
                                                        proxy_http_version 1.1;
                                                        proxy_set_header Upgrade $http_upgrade;
                                                        proxy_set_header Connection "upgrade";
                                                        proxy_read_timeout 60m;
                                                    }

                                                    location /windows_authentication {
                                                        proxy_set_header Host $http_host;
                                                        proxy_pass http://wssdsqs101.itellidemo.local:4248;
                                                        proxy_http_version 1.1;
                                                        proxy_set_header Upgrade $http_upgrade;
                                                        proxy_set_header Connection "upgrade";
                                                        proxy_read_timeout 60m;
                                                    }
                                                }
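
An added example, not from the posters or from Qlik: a simplified model of nginx's proxy_redirect prefix replacement, run over the rules posted in this thread, that flags any Location header still sending the browser to port 4248 or to an internal host. The upstream Location values and the names qs.example.com and sense.internal.example are constructed, and the model assumes $scheme, $host and $http_host expand to the values passed in.

```python
from urllib.parse import urlsplit

AUTH_PORT = 4248  # authentication port discussed in the thread

# (redirect, replacement) pairs copied from the two nginx configs posted above.
RULES_FIRST_POST = [
    ("$scheme://$host:4248/form", "$scheme://$http_host/form/"),
]
RULES_SECOND_POST = [
    ("$scheme://$host:4248/form/", "$scheme://$http_host/form/"),
    ("$scheme://$host:4248/windows_authentication/",
     "$scheme://$http_host/windows_authentication/"),
]

# Constructed upstream Location headers (not captured from a real server).
SAMPLE_LOCATIONS = [
    "http://qs.example.com:4248/form/?targetId=constructed",
    "http://qs.example.com:4248/windows_authentication/?targetId=constructed",
    "http://sense.internal.example:4248/form/?targetId=constructed",
    "http://qs.example.com/hub/?qlikTicket=CONSTRUCTED",
]


def expand(template, scheme, host, http_host):
    """Expand the nginx variables used by the posted rules."""
    return (template.replace("$scheme", scheme)
            .replace("$http_host", http_host)
            .replace("$host", host))


def rewrite_location(location, rules, scheme, host, http_host):
    """First rule whose expanded prefix matches wins; only the prefix is swapped."""
    for redirect, replacement in rules:
        prefix = expand(redirect, scheme, host, http_host)
        if location.startswith(prefix):
            return expand(replacement, scheme, host, http_host) + location[len(prefix):]
    return location


def audit(location, public_host):
    """Findings for a Location header as the browser would receive it."""
    parts = urlsplit(location)
    findings = []
    if parts.port == AUTH_PORT:
        findings.append("exposes port 4248")
    if parts.hostname != public_host:
        findings.append("points at non-public host " + str(parts.hostname))
    if "//" in parts.path:
        findings.append("doubled slash in path")
    return findings


def report(rules, public_host, scheme="http"):
    """Map each sample Location to (what the browser receives, findings)."""
    result = {}
    for upstream in SAMPLE_LOCATIONS:
        sent = rewrite_location(upstream, rules, scheme, public_host, public_host)
        result[upstream] = (sent, audit(sent, public_host))
    return result


if __name__ == "__main__":
    for name, rules in (("first", RULES_FIRST_POST), ("second", RULES_SECOND_POST)):
        for upstream, (sent, findings) in report(rules, "qs.example.com").items():
            print(name, upstream, "->", sent, findings or "ok")
```
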

                                                • Re: Reverse Proxy and Authentication port redirect
                                                  Christof Schwarz

                                                  Hi Johannes. Thanks for sharing this straightforward config file for nginx. I use it with success; the only thing that does NOT work is the importing (uploading) of files in the QMC Apps page. Uploading a .txt file into a Content Library works fine. It is NOT the app itself; the same file can be uploaded if I bypass nginx and access the Sense Server QMC directly. So I suspect this could be a config entry around mime-types which is missing in your above config example? Do you have any idea? Thank you.

                                      • Re: Reverse Proxy and Authentication port redirect
                                        Bernd Raschke

                                        Hi Christian,

                                         

                                        Christian Sellei wrote:

                                         

                                        I'm facing a similar issue with Juniper as reverse proxy. In our case, authentication is done, a session and ticket are issued for the user, and the URL with the ticket is received by Juniper (http://server/hub/?qlikTicket=fjIquFKJf0IYSEUf), but nothing happens. Juniper just keeps waiting after the login page and ends with a timeout.

                                         

                                         

                                        Did you ever find a solution for this issue? These particular Juniper devices are now branded Pulse and we're having exactly the same issue here, today. The qlikTicket is issued, I see as much in the logs, but the gateway never continues after that.

                                         

                                        Best regards,

                                             Bernd

                                          • Re: Reverse Proxy and Authentication port redirect
                                            Torben Seebach

                                            Hi Bernd,

                                             

                                            Try the following, use Forms instead of Windows Authentication. I've had issues with the fact that the windows auth didn't work with my proxies, because of NTLM passthrough issues.

                                             

                                            So if the URL contains windows_authentication, then make a rewrite to forms and remember to keep the port and ?qlikTicket parameters.

                                             

                                            My redirect rule in nginx looks like this:

                                            proxy_redirect $scheme://$host:4248/windows_authentication $scheme://$http_host:4248/form;

                                            • Re: Reverse Proxy and Authentication port redirect
                                              Christian Sellei

                                              Unfortunately no.

                                              The issue resides in the dynamic URL redirection. Juniper support says that they can't manage the redirection between the Hub URL and the authentication URL; they need a static URL. I can't tell if this is a final statement or if it's just out of support scope, since I'm not a Juniper expert. They didn't provide an alternative solution.

                                              Finally, the customer made VPN access available for the users.

                                              If you have a resolution for Juniper, I'll appreciate any comment.


                                              Best regards.

                                              Christian.

                                                • Re: Reverse Proxy and Authentication port redirect
                                                  Bernd Raschke

                                                  I do think that the whole redirection loop actually works, as I see in all my traces that a qlikTicket is generated together with a 302 to the old destination, then the Pulse gateway issues a GET request with the qlikTicket code appended and gets a 200 OK with a Set-Cookie header and an X-Qlik-Session cookie. But the Qlik server stops after sending the headers and never finishes the HTTP response :-( When doing the same request with a browser and not via the Pulse gateway, the whole thing looks almost the same, just that the server continues sending data.

                                                • Re: Reverse Proxy and Authentication port redirect
                                                  Brionne Naish

                                                  There is a solution: you need a proxy authentication server, because Qlik uses a non-standard port which is usually incompatible with corporate firewalls.

                                              • Re: Reverse Proxy and Authentication port redirect
                                                Torben Seebach

                                                Thanks to Sunden, I'm getting closer to a working setup. Right now I'm actually able to get around the 4248 problem. But after the auth redirect I'm stuck. Here is my config:

                                                <rewrite>
                                                    <outboundRules>
                                                        <clear />
                                                        <rule name="4248 form">
                                                            <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local:4248/form(.*)" />
                                                            <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                                                            <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/form{R:2}" />
                                                        </rule>
                                                        <rule name="all">
                                                            <match filterByTags="A, Form, Img" pattern="^http(s)?://wssdsqs01.itellidemo.local/(.*)" />
                                                            <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                                                            <action type="Rewrite" value="http{R:1}://qs.itellidemo.dk/{R:2}" />
                                                        </rule>
                                                    </outboundRules>
                                                    <rules>
                                                        <clear />
                                                        <rule name="4248 form" stopProcessing="true">
                                                            <match url="^form(.*)" />
                                                            <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                                                            <action type="Rewrite" url="http://wssdsqs01.itellidemo.local:4248/form{R:1}" logRewrittenUrl="true" />
                                                        </rule>
                                                        <rule name="qlikTicket" stopProcessing="true">
                                                            <match url="qlikTicket=(.*)" />
                                                            <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                                                            <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/hub?{R:0}" logRewrittenUrl="true" />
                                                        </rule>
                                                        <rule name="hub" stopProcessing="true">
                                                            <match url="(.*)" />
                                                            <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                                                            <action type="Rewrite" url="http://wssdsqs01.itellidemo.local/{R:0}" logRewrittenUrl="true" />
                                                        </rule>
                                                    </rules>
                                                </rewrite>

                                                • Re: Reverse Proxy and Authentication port redirect
                                                  Thibaut Schueller

                                                  Hello, I'm trying to set up an Nginx reverse proxy on a Qlik Sense server. The reverse proxy redirects to the authentication page (form) and after authentication to the hub, but I have an error in Qlik Sense following the failed WebSocket handshake.

                                                  I use the same config that was posted by Johannes Sunden in this topic and my reverse proxy listens on port 3000.