markginqo
Partner - Contributor III

Header authentication & whitelisting

Hello,

I am working to configure a Qlik Sense 3.0 installation to use Header Authentication with a reverse proxy. Per the documentation it is required that:

"For this solution to be secure, the end-user must not be able to communicate directly with the QPS but instead be forced to go through the reverse proxy/filter."

Our setup requires that some internal users be able to access the Hub directly (using Windows authentication and a different virtual proxy) so I can't lock down access to the server completely. I am having trouble finding documentation regarding how to use the virtual proxy configuration (host white list?) to block access to all machines but the reverse proxy... is this possible from the QMC or do I have to block access at a network level?

Thanks,
Mark

1 Solution

Accepted Solutions
Alexander_Thor
Employee

You would block access on a network level via a firewall such as the inbuilt one in Windows.
The white list of origin hosts controls which hosts are able to open a websocket connection, so for example if your reverse proxy is available on host.com then you would need host.com as a whitelist entry to allow websocket connections from that host.

I would not rely on that as a security defense, however, as the origin host is very easy to spoof.
Instead lock it down on the network level as the docs suggest. Since we don't have server licensing you can spin up a separate node that is allowed communication from inside the network.
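
The network-level lockdown described in this answer, sketched for the built-in Windows firewall as an added example (not part of the original post and not taken from Qlik's documentation). The port `443` and the reverse proxy address `10.0.0.10` are placeholder assumptions, and the script is meant for the node that serves the header-authentication virtual proxy, run from an elevated PowerShell session.

```powershell
# Assumed placeholder values, not from the thread: adjust to your deployment.
$Port      = '443'          # listen port of the header-auth proxy node
$ProxyAddr = '10.0.0.10'    # address of the reverse proxy

# 1. A scoped allow rule only helps if unmatched inbound traffic is dropped,
#    so confirm every active profile is enabled with DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Allow the port from the reverse proxy only.
New-NetFirewallRule -DisplayName 'Qlik header auth - reverse proxy only' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $Port -RemoteAddress $ProxyAddr | Out-Null

# 3. Audit: any other enabled inbound allow rule that covers the same port
#    from a wider source lets clients reach the node without the proxy.
#    (Port ranges such as '400-500' are not expanded here; review those by hand.)
$tooWide = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter

        $coversPort = ($portFilter.Protocol -in 'TCP', 'Any') -and
                      (($portFilter.LocalPort -contains $Port) -or
                       ($portFilter.LocalPort -contains 'Any'))
        # Sources other than the reverse proxy (includes 'Any').
        $otherSources = @($addrFilter.RemoteAddress) |
            Where-Object { $_ -ne $ProxyAddr }

        if ($coversPort -and $otherSources) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = $portFilter.LocalPort -join ','
                RemoteAddress = $addrFilter.RemoteAddress -join ','
            }
        }
    }

# Every rule listed here needs to be disabled or re-scoped to $ProxyAddr.
$tooWide | Format-Table -AutoSize
```

Internal users on Windows authentication then connect to the separate node mentioned above, which keeps its own firewall scope.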


2 Replies
markginqo
Partner - Contributor III
Author

Thanks Alexander, I wanted to make sure I wasn't missing something in the Sense QMC.

Regards,

Mark