Quick guide to configure Apache as a Reverse Proxy with HTTPS, ADFS SAML and Qlik Sense

pbr
Employee

Last Update: Feb 1, 2023 3:20:47 AM

Updated By: Sonja_Bauernfeind

Created date: May 2, 2018 4:41:03 PM

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.


Prerequisites:

 

Example Environment:

  • Qlik Sense: QlikServer1.domain.local - IP: 172.16.16.100
  • Apache Web Server: QlikServer3.domain.local - IP: 172.16.16.102
    • Other Active Servers: AD FS: DC1.domain.local
  • Qlik Sense February 2018 GA
  • Windows 2016
  • ADFS 4.0 
  • Apache 2.4 (httpd-2.4.33-o110h-x64-vc14-r2)
  • HTTPS / SSL: SHA256 with "Microsoft Enhanced RSA and AES Cryptographic Provider" added, enabled and active on Sense, ADFS and Apache.

Note: This documentation is only to be used to validate and test ADFS SAML with Apache as a reverse proxy web server and HTTPS/SSL enabled. This example assumes an understanding of the environment and the proper permissions to perform the actions shown. The accounts used are all Local Administrators, and the servers are open, with nothing blocked and no other programs installed on them. Read the entire documentation to verify access and understanding of all actions stated within before starting the install and configuration. Other versions or configurations of any of the software may need other steps, options or settings that are not documented here. Use this at your own discretion, as Qlik does NOT support Apache/OpenSSL/ADFS in their installation, configuration or use.

 

Setup

 

Step 1:

Download the Apache zip file (recommended: verify the zip file is not blocked: right-click the zip file -> Properties -> General -> click Unblock -> Apply). Extract the zip file, read "readme_first.html", then follow the instructions to install Apache Web Server as a service on a separate machine from Sense and ADFS (https://httpd.apache.org/docs/2.4/platform/windows.html). Verify Apache is running under HTTP/HTTPS.
Location Installed: C:\Apache24\

Note: Tested with http://www.apachehaus.com version Apache 2.4.33 x64 Distribution File: httpd-2.4.33-o110h-x64-vc14-r2.zip

 

Step 2:

Place a valid certificate's .crt and .key files on the Apache Web Server.
Location used: C:\Apache24\conf\ssl

Note: Process used: How to convert a certificate for NPrinting to the .key and .crt files for HTTPS/SSL in the Web Conso...

 

Step 3:

Navigate to the location and Edit the "httpd.conf" file (Location used: C:\Apache24\conf\). Then uncomment certain modules used in this example and save the file.

Search for and then uncomment the following modules:

  • LoadModule proxy_module modules/mod_proxy.so
  • LoadModule proxy_http_module modules/mod_proxy_http.so
  • LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
  • LoadModule rewrite_module modules/mod_rewrite.so
  • LoadModule vhost_alias_module modules/mod_vhost_alias.so

Find and uncomment the following line so that the reverse proxy will use the configuration that will be written later:

Include conf/extra/httpd-vhosts.conf

Note: To uncomment the option/module remove the pound ( # ) symbol in front of the line and save the file.

Step 4:

Navigate to and edit the file "httpd-vhosts.conf" (location used: C:\Apache24\conf\extra) to add the virtual host that will be used for Qlik Sense, then save the file.

Example "httpd-vhosts.conf":

 

# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Qlik Sense configuration needed:
#
# - Create a new virtual proxy with SAML called adfsapache
# - Add reverse proxy name and IP address to whitelist of virtual proxy
# Put IP address of reverse proxy as LOCAL_ADDR
# Put IP address of Qlik Sense server as REMOTE_ADDR
# Put your virtual proxy prefix as VIRTUAL_PROXY

Define LOCAL_ADDR 172.16.16.102
Define REMOTE_ADDR 172.16.16.100
Define VIRTUAL_PROXY adfsapache
 
<VirtualHost *:443>
    ServerAdmin name@qlik.com
    DocumentRoot "${SRVROOT}/htdocs"
    ServerName ${LOCAL_ADDR}:443
    ServerAlias qlikserver3.domain.local
    
    SSLProxyEngine on
    SSLEngine on
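    # The next two directives turn off host name checks on the certificate
    # presented by the Qlik Sense server to the proxy. This suits the test setup
    # described here; see the note below about turning options on or off.
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    
    # Location of the SSL certificate used for this virtual host, in .crt and .key file format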
    SSLCertificateFile  "${SRVROOT}/conf/ssl/QlikServer3Certificate.crt"
    SSLCertificateKeyFile   "${SRVROOT}/conf/ssl/QlikServer3Certificate.key"
 
    ProxyRequests Off
    ProxyPreserveHost On
    KeepAlive On

    RewriteEngine On

    # If it is a websocket request forward as websocket traffic
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule ^/(.*) wss://${REMOTE_ADDR}%{REQUEST_URI} [P]
    <Proxy *>
         Require all granted
    </Proxy>
    <Location /${VIRTUAL_PROXY}>
        ProxyPass https://${REMOTE_ADDR}/${VIRTUAL_PROXY} connectiontimeout=5 timeout=300
        ProxyPassReverse https://${REMOTE_ADDR}/${VIRTUAL_PROXY}
    </Location>
</VirtualHost>

 

Note: Some parameters/options may need to be turned off or on depending on your certificates and other configuration items.
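
Added example (not part of the original article, and not Qlik or Apache code): a Python model of the two WebSocket RewriteCond lines in the vhost example, run over constructed header sets to show which requests each Connection pattern lets through. The `token_check` function and the sample names are assumptions made for illustration, and it goes beyond the page by adding a reordered Connection header as an edge case.

```python
import re

# RewriteCond patterns tested against %{HTTP:CONNECTION}; [NC] maps to re.IGNORECASE.
STRICT = r"^Upgrade$"         # "Before" pattern quoted in the comments on this article
SUFFIX = r"Upgrade$"          # pattern used in the vhost example above
UPGRADE_HDR = r"^WebSocket$"  # pattern tested against %{HTTP:UPGRADE}


def cond(pattern, value):
    """One RewriteCond: unanchored, case-insensitive regex search; absent header = ''."""
    return re.search(pattern, value or "", re.IGNORECASE) is not None


def is_tunnelled(headers, connection_pattern):
    """True when both RewriteConds pass, i.e. the RewriteRule would proxy to wss://."""
    return (cond(UPGRADE_HDR, headers.get("Upgrade"))
            and cond(connection_pattern, headers.get("Connection")))


def token_check(headers):
    """Hypothetical stricter test: treat Connection as a comma-separated token list."""
    tokens = [t.strip().lower() for t in headers.get("Connection", "").split(",")]
    return cond(UPGRADE_HDR, headers.get("Upgrade")) and "upgrade" in tokens


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "chromium": {"Upgrade": "websocket", "Connection": "Upgrade"},
    "firefox": {"Upgrade": "websocket", "Connection": "keep-alive, Upgrade"},
    "reordered": {"Upgrade": "websocket", "Connection": "Upgrade, keep-alive"},
    "plain_http": {"Connection": "keep-alive"},
}


def report():
    """Map sample name -> (STRICT result, SUFFIX result, token-list result)."""
    return {name: (is_tunnelled(h, STRICT), is_tunnelled(h, SUFFIX), token_check(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:<11} strict={row[0]} suffix={row[1]} token_list={row[2]}")
```

A request that fails either condition is not rewritten to wss:// by the RewriteRule.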

 

Step 5 & 6:

For Steps 5 & 6, refer to the article "Quick Guide to installing ADFS for testing SAML", starting from Step 5 until Step 11, and apply where needed.

 

Step 7:

Configure a Virtual Proxy in Qlik Sense called "adfsapache"

[Screenshot: Edit Virtual Proxy Authentication.png]

Note: Verify the Host allow list has the correct IPs/DNS (FQDN/Servername/Alias) added to it.

[Screenshot: Host White list.png]

 

Step 8:

Create the Relying Party Trust for the "adfsapache" Virtual Proxy in ADFS



Step 9:

Restart the Apache Web Server service and attempt to log into a URL from a machine that's NOT the Apache Server. Example URL: https://qlikserver3.domain.local/adfsapache 

Note: The reason for attempting it from outside the Apache Web Server is that certain OS-level settings may not allow access to the FQDN/server name locally on the machine. Review this article if you're able to connect to it locally with IP/localhost: Authentication failed repeatedly when using external DNS alias locally on the server

 

Environment:

Qlik Sense Enterprise on Windows 

Comments
RaviGinqo
Partner - Contributor II

Hi @pbr @Sonja_Bauernfeind 

 

One of our clients is using the Apache reverse proxy configuration, and while using the above code they noticed an issue loading the Qlik Sense hub on the Firefox browser specifically, but it would work fine on Chrome/Edge.

As per our client, the fix is sort of explained in this article: https://stackoverflow.com/a/34371105/1830268

The changes are like this: the "httpd-vhosts.conf" example file should be modified from:

Before:
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
After:
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]

 

Feel free to test it out and update the post as needed.

 

Thanks

Ravi

 

Sonja_Bauernfeind
Digital Support

Thank you for the input, @RaviGinqo 
