logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored by anyone.

Your donations will help to keep this site alive and well, and continuing the building of the binaries.



Apache Rev-Proxy for QlikSense - Problem with port-change

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
jraute



Joined: 13 Sep 2013
Posts: 186
Location: Rheinland, Germany

PostPosted: Fri 27 Mar '15 10:00    Post subject: Apache Rev-Proxy for QlikSense - Problem with port-change Reply with quote

Hello everybody!

We have a 2.4.12 apache (from apachelounge) on a windows 2008 R2 server running. It "proxies" several internal server sites at different locations on the same ip (internet <> apache reverse proxy <> internal servers).
Everything runs fine except our new qliksense application.

We have made good experience with qlikview servers and it was no problem to connect it via rev-proxy to the internet. But the qliksense-application use a windows authentication and websockets. The problem is that the ports change when the authentication scheme is loaded.

Right now we connect from internet via 443 to the rev-proxy which is working as a ssl-wrapper and connects on port 80 to the internal servers.
We need something like a redirect or a rewriting for the windows authentication on port 4244. And we would like to have that in the tunnel - if possible.

There is a script for nginx, but honestly spoken i am not familiar with converting this things.

Can someone share his thoughts about that?
I can show the nginx-code.

Quote:
According to the Nginx documentation this is how you create a reverse proxy for websocket. The nice thing about an upstream configuration like this is that you can easily add multiple servers here for load balancing, just make sure to enable sticky session (as you would with QlikView).
Reverse Proxy example

Code:
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}
 
upstream websocket {
  server 192.168.100.10:8010;
}
 
server {
  listen 8020;
  location / {
    proxy_pass http://websocket;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}


This example is fairly straight forward and easy to understand, let's create a simple location which takes everything from the root and proxies our Qlik Sense server. Note that we're not using the upstream example from above and also that we have enabled and use HTTP for Qlik Sense to make things a bit easier. The origin white list must be updated to match our local server name, for this example I used nginx.localtest.me as server_name in Nginx.

Code:
location / {
  proxy_pass http://sesth-rfn1.qliktech.com;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}


However with Qlik Sense we're facing some challenges. A quite common way of using a reverse proxy is to use header authentication and the above configuration will work for that, except that it doesn't provide the HTTP header. We can add a header for testing to make sure it works, this is not how to do it for production use though, and this is not the article about that.

Code:
proxy_set_header QVUSER bbr;


While we're at it, we also add another other configuration option to make it work a bit better. The proxy_read_timeout is important and should probably have been in the official example, otherwise Nginx will close our websocket connection after 30 seconds which is not a desired behavior.

Code:
proxy_read_timeout 60m;


So this example works for headers, but if we don't want to use a header, what if we want to use the default authentication method? The problem is that it is using it's own port, so Qlik Sense will redirect the user away from our reverse proxy. To prevent this from happening, we need to add some tweaks...

Code:
proxy_set_header Host $http_host;
proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/form/;


And above the root location, we add another location...

Code:
location /form/ {
  proxy_set_header Host $http_host;
  proxy_pass http://sesth-rfn1.qliktech.com:4248;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_read_timeout 60m;
}


What we just did was to first add the host header so that Qlik Sense understands that it's being proxied, it's also important to add any custom ports here if using one of those (like in the example), the variable $http_host includes both the hostname and the port, whereas the $host variable only contains the hostname. With this header in place Qlik Sense will redirect us properly, with only one problem, it will try to use port 4248 instead of 8020.
So, here we could add another server instance and listen to this port also, but we choose to add another location and redirect to there. The proxy_redirect transform the port to the right one and the redirects to our new /form location. The new location passes the right port for Qlik Sense, meaning that our /form location is now equal to using port 4248, but en-capsuled in our reveres proxy, only requiring one port. Quite neat.
Now we have a working reverse proxy in place, but let's say a OEM customer is really ancient to remove that "sense" out of the url for applications. We can solve that in a similar way. Let's add a rewrite condition to our primary location that transforms "sense" into "awesome".

Code:
rewrite ^/sense/(.*)$ /awesome/$1 permanent;


Then we add another location, almost exactly like the /form example above, but we call it /awesome.

Code:
location /awesome/ {
  proxy_set_header Host $http_host;
  proxy_pass http://sesth-rfn1.qliktech.com/sense/;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_read_timeout 60m;
}


Now, whenever Qlik Sense open an application with a sense url, it will be transformed into awesome and Nginx will listen to that awesome and pass sense. Awesome? Yes!
At another company the IT guys might give you trouble and not allowing you to take the root path, they tell you that you have to live in a container called /qlik. So if we take our original location and just make a small change, we call it /qlik and we add a trailing slash to the proxy_pass method.

Code:
location /qlik/ {
  proxy_set_header Host $http_host;
  proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/qlik/form/;
  proxy_pass http://sesth-rfn1.qliktech.com/;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_read_timeout 60m;
}


Note that we also need to update our /form location and proxy_redirect with the new /qlik prefix. And again, our little redirection problem from above needs to be resolved once again, this time we add another location using regular expressions like this.

Code:
location ~* ^/(qmc|hub|sense)/(.*)$ {
  rewrite ^/(qmc|hub|sense)/(.*)$ /qlik/$1/ permanent;
}


This will capture both the hub, qmc and applications and make sure we're using our /qlik prefix.


Thanks for help
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6153
Location: Germany, Next to Hamburg

PostPosted: Fri 27 Mar '15 11:16    Post subject: Reply with quote

Hi jraute,

as far as I can see ( not an nginx guy either) the port 4244 is for a special location. It might be something like the following.

Code:

<VirtualHost _default_:443>

   <Location "/form/">
      AddHeader Host SOMEHOSTNAME
      ProxyPass http://sesth-rfn1.qliktech.com:4248
      ProxyPassReverse http://sesth-rfn1.qliktech.com:4248
   </Location>
</VirtualHost>
Back to top
jraute



Joined: 13 Sep 2013
Posts: 186
Location: Rheinland, Germany

PostPosted: Wed 01 Apr '15 17:33    Post subject: Reply with quote

Yup, but the problem is not the ProxyPass Entries for "/form/", but the redirect to that "created" location.
On the apache-side what would be the equivalent for this nginx-code?
Code:
proxy_set_header Host $http_host;
 proxy_redirect $scheme://$host:4248/form/ $scheme://$http_host/form/;

How is the correct syntax for that?

greetings
JR
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6153
Location: Germany, Next to Hamburg

PostPosted: Wed 01 Apr '15 17:52    Post subject: Reply with quote

In my mind that is the following

Code:

<VirtualHost _default_:4248 >

   <Location "/form/">
      AddHeader Host SOMEHOSTNAME
      ProxyPass https://localhost/form/
      ProxyPassReverse https://localhost/form/
   </Location>
</VirtualHost>
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1