2 Replies. Latest reply: Jul 22, 2016 1:34 PM by Mark Messcu

    Header authentication & whitelisting

    Mark Messcu

      Hello,

       

      I am working to configure a Qlik Sense 3.0 installation to use Header Authentication with a reverse proxy.  Per the documentation it is required that:

      "For this solution to be secure, the end-user must not be able to communicate directly with the QPS but instead be forced to go through the reverse proxy/filter."

       

      Our setup requires that some internal users be able to access the Hub directly (using Windows authentication and a different virtual proxy) so I can't lock down access to the server completely.  I am having trouble finding documentation regarding how to use the virtual proxy configuration (host white list?) to block access to all machines but the reverse proxy... is this possible from the QMC or do I have to block access at a network level?

       

       

      Thanks,
      Mark

        • Re: Header authentication & whitelisting
          Alexander Karlsson

          You would block access on a network level via a firewall such as the inbuilt one in Windows.
          The white list of origin hosts controls which hosts are able to open a websocket connection, so for example if your reverse proxy is available on host.com then you would need host.com as a whitelist entry to allow websocket connections from that host.

           

          I would not rely on that as a security defense, however, as the origin host is very easy to spoof.
          Instead, lock it down at the network level as the docs suggest. Since we don't have server licensing you can spin up a separate node that is allowed communication from inside the network.
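
The network-level lockdown suggested in the reply above, sketched with the built-in Windows firewall cmdlets for a dedicated node that serves only the header-authentication virtual proxy. This is an added example, not part of the original thread or Qlik's documentation; the port (443), the reverse proxy address (192.0.2.10) and the rule name are assumptions to replace with your own values.

```powershell
# Assumed values (not from the thread); adjust to your environment.
$ProxyPort      = 443            # port the Qlik Sense Proxy Service listens on (assumption)
$ReverseProxyIp = '192.0.2.10'   # constructed example address of the reverse proxy

# 1. The allow-list approach only works if unmatched inbound traffic is blocked.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Audit: enabled inbound allow rules that expose the port to any remote address.
#    Note: rules that cover the port through a range (e.g. '400-500') are not matched here.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -in 'TCP', 'Any') -and
        (($port.LocalPort -contains "$ProxyPort") -or ($port.LocalPort -contains 'Any')) -and
        ($addr.RemoteAddress -contains 'Any')
    }
$open | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Review the list, then disable the rules that should not stay open.
#    -WhatIf only prints what would change; remove it once the list looks right.
$open | Disable-NetFirewallRule -WhatIf

# 4. Allow the proxy port from the reverse proxy only.
New-NetFirewallRule -DisplayName 'QPS header auth - reverse proxy only' `
    -Direction Inbound -Protocol TCP -LocalPort $ProxyPort `
    -RemoteAddress $ReverseProxyIp -Action Allow

# 5. Verify the resulting scope of the new rule.
Get-NetFirewallRule -DisplayName 'QPS header auth - reverse proxy only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Step 2 can match broad rules that are unrelated to Qlik Sense (any rule with local port `Any`), so treat its output as a review list rather than something to disable wholesale.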