Qlik Sense + Nginx Reverse Proxy for Automatic, Free HTTPS Certificates

If you’re looking for a straightforward way to get automatically renewed HTTPS certificates for your Qlik Sense Enterprise server, Let’s Encrypt + Nginx may be the way to go. This article provides configuration details on placing an Nginx reverse proxy in front of Qlik Sense Enterprise, plus automatic HTTPS certificate provisioning and renewal through Certbot.

In our own Qlik Sense deployments, we use Let’s Encrypt’s Certbot to manage and renew TLS certificates for our Qlik Sense server and provide TLS termination. Certbot allows us to get free, trusted HTTPS certificates that automatically renew, and Nginx provides a nice, lightweight HTTPS proxy in front of Qlik Sense to manage this.

Others around the Qlik community have shared similar configuration steps, some of which relied on Nginx Plus and others that were not up to date with the latest Qlik Sense Enterprise version. Additionally, existing examples did not use Nginx + Certbot for TLS termination as we do here. The configuration shared here is compatible with Qlik Sense February 2021 and later.

Configuration steps:

  • Configure Nginx Reverse Proxy for Qlik Sense Enterprise
  • Test Qlik Sense Reverse Proxy Configuration
  • Deploy configuration
  • Configure Certbot for HTTPS in front of Qlik Sense
  • Test certificate auto renewal

Configure Nginx Reverse Proxy for Qlik Sense Enterprise

Assuming you have installed Nginx, create a file in /etc/nginx/sites-enabled. Conventionally, the name of this file should be the FQDN of the server, for example, qs.mycompany.com. Place the following content in the file:

map $http_x_real_ip $remote_ip {
  default $http_x_real_ip;
  "" $remote_addr;
}

# Websocket map for xns
#
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

# nginx server definition
server {
  server_name qs.example.com; # replace with your FQDN

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # X-Forwarded headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https; # We enforce HTTPS for all returns

    # Proxy specific variables
    proxy_redirect off;
    proxy_read_timeout 60m;
    proxy_send_timeout 60m;
    proxy_http_version 1.1;
    proxy_connect_timeout 5s;

    # Add support for websockets
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # proxy_buffering should be on for all but very rare cases
    proxy_buffering on;

    # proxy_buffers should not exceed 63
    proxy_buffers 63 128k;
    proxy_buffer_size 128k;

    proxy_pass https://10.0.0.2; # Replace with Qlik Sense IP
  }

  # This location is needed for NTLM to work
  location /internal_windows_authentication/ {
    proxy_set_header Host $http_host;

    proxy_http_version 1.1;
    proxy_set_header Connection '';

    proxy_pass https://10.0.0.2; # Replace with Qlik Sense IP
  }
}

Note that for our scenario, proxy_pass was set to an internal URL to reach Qlik Sense within our VPC. This allows us to reduce hops between the proxy and Qlik Sense.

Test Qlik Sense Reverse Proxy Configuration

A useful command for any Nginx administrator, sudo nginx -t checks your Nginx configuration for errors. Run sudo nginx -t and confirm that your configuration is OK.

Deploy configuration

Once you’ve validated the configuration, run sudo service nginx reload to reload the configuration.

Configure Certbot for HTTPS in front of Qlik Sense

Next we’ll configure Certbot. Certbot handles provisioning and renewing HTTPS certificates automatically, and integrates directly with Nginx.

First, navigate to Certbot’s home page and choose “Nginx” and your server’s operating system to get customized installation instructions for your environment.

Certbot provides quick setup instructions based on your OS

Once installed, run sudo certbot --nginx. Certbot will detect your Qlik Sense server directives in the Nginx configuration and walk you through the steps to provision the certificates. It also gives you the option to automatically update the Nginx configuration, which is recommended.

Test certificate auto renewal

Before you exit your ssh session, validate that Certbot auto renewal will work as expected by running the following:

sudo certbot renew --dry-run

Certbot issues certificates with a maximum expiry of 3 months from issuance. Before certificates expire, Certbot will automatically provision new TLS certificates for you.
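
The dry run shows that renewal can succeed; a recurring check, run from cron or a monitoring agent, confirms that it keeps succeeding. The script below is an added example, not part of the original article. The function names and the 20-day threshold are assumptions (the threshold sits below Certbot's default of renewing when fewer than 30 days remain), and the path in the usage comment is where Certbot stores a certificate named after the FQDN by default.

```bash
#!/usr/bin/env bash
# Added example: verify that the certificate Nginx serves for Qlik Sense
# covers the public FQDN and is being renewed on schedule.
#
# Usage (path is Certbot's default layout):
#   ./cert_status.sh /etc/letsencrypt/live/qs.example.com/fullchain.pem qs.example.com 20

# cert_status CERT_PEM FQDN [MIN_DAYS]
# Prints one of OK, RENEWAL_OVERDUE, EXPIRED, NAME_MISMATCH, UNREADABLE.
# Returns 0 only for OK, so it can drive cron mail or a monitoring probe.
cert_status() {
  local cert=$1 fqdn=$2 min_days=${3:-20}

  [ -r "$cert" ] || { echo "UNREADABLE"; return 3; }

  # The certificate must cover the name clients use to reach the proxy.
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
    echo "NAME_MISMATCH"; return 2
  fi

  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED"; return 2
  fi

  # Still valid, but closer to expiry than a working renewal job would allow.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "RENEWAL_OVERDUE"; return 1
  fi

  echo "OK"
}

# make_demo_cert DIR FQDN DAYS
# Constructed sample input: a throwaway self-signed certificate written to
# DIR/cert.pem, so the check can be tried offline before pointing it at the
# real Certbot-managed file.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Run the check only when called with arguments.
if [ $# -ge 2 ]; then
  cert_status "$@"
fi
```

A RENEWAL_OVERDUE result means the certificate is still valid but the renewal job has stopped working, which leaves time to fix it before users see certificate errors.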

Conclusion

Certbot + Nginx is a fantastic tool to have in your toolbox for any administrator, and in today’s web security landscape, HTTPS is essential. Reach out to us on LinkedIn if you have any questions!