2 Replies Latest reply on Oct 25, 2016 7:09 AM by Marco Bakker

    [Solved] Unable to run Tableau Server behind reverse Apache proxy: returns with error 46 and 401 unauthorized messages

    Marco Bakker

      We are running a 3-node Tableau Cluster (gateway and 2 workers). The current version is 9.3. Authorization of the tableau users is via Active Directory.

       

      Tableau and the proxy are set as follows:

      • The proxy is configured to use SSL
      • The connection between the proxy and the Tableau Gateway is plain HTTP
      • I have configured Tableau to trust the proxy (gatweay.public.host, gateway.public.port , gateway.trusted and gateway.trusted_hosts)

       

      The problem:

       

      Looking at the response headers, I see this one for the above request:

       

      HTTP/1.1 401 Unauthorized

      Date: Fri, 21 Oct 2016 10:29:42 GMT

      Server: Tableau

      Pragma:

      Cache-Control: private, max-age=0, must-revalidate

      Content-Type: application/json;charset=UTF-8

      Content-Length: 35

      P3P: CP="NON"

      X-UA-Compatible: IE=Edge

      Set-Cookie: workgroup_session_id=""; Path=http://tableau/; HttpOnly

      Set-Cookie: XSRF-TOKEN=sJHQQmRoRyNBAxs17mjQHNWh1YrzTale; Path=http://tableau/

      Keep-Alive: timeout=5, max=99

      Connection: Keep-Alive

       

      The request headers look like this:

       

      POST /vizportal/api/web/v1/getSessionInfo HTTP/1.1

      Host: tableau.example.com

      Connection: keep-alive

      Content-Length: 39

      Accept: application/json, text/plain, */*

      Origin: https://tableau.example.com

      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

      Content-Type: application/json;charset=UTF-8

      Referer: https://tableau.example.com/

      Accept-Encoding: gzip, deflate, br

      Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4

      Cookie: workgroup_session_id=""; XSRF-TOKEN=oJsk7VyIs0RmvQ6UFZm5m9YgCphIrZi8; csrftoken=Vvgs8K71awPG6gk5gYsi8XHaIOoYkIym

       

      Does anyone know what the problem is, and how it can be solved?

       

      Sharing some working Apache & Tableau settings would be a great help!

        • 1. Re: Unable to run Tableau Server behind reverse Apache proxy: returns with error 46 and 401 unauthorized messages
          Jeff Strauss

          have you tried adding headers to the proxy config?  I have a similar setup and adding a few of these headers helped.

           

          Reverse Proxy Server URL Reverts to Internal URL | Tableau Software

          • 2. Re: Unable to run Tableau Server behind reverse Apache proxy: returns with error 46 and 401 unauthorized messages
            Marco Bakker

            Well we finallly managed to get everything working!

             

            The actual problem was the translation of cookie paths. This is more or less standard for all other applications, but Tableau doesn't need that, so by removing the cookie proxy it just worked.

             

            The configuration is as follows (using http://onlinehelp.tableau.com/current/server/en-us/help.htm#proxy.htm#Configur  as the example).

             

            Our setup is as follows:

            • We have a proxy in the DMZ which forwards requests from web clients to the Tableau Primary Gateway
            • The incoming connection is HTTPS, the internal proxy <--> Tableau connection is HTTP
            • The proxy is using Apache as the proxy server

            everybody_client_access_reverse_proxy.PNG

             

            The documentation states that the proxy server should fill the following headers to give Tableau the required information to work behind a reverse proxy:

            • The added information which I needed to make it work is the publci IP address of the proxy, and NOT the local IP address!
            • So for this example:
              • Proxy_Public_Name = "tableau.example.com"
              • Proxy_Public_IP = 100.100.100.100
              • Proxy_Local_Name = "proxy", "proxy.local"
              • Proxy_Local_IP = 10.10.10.10
              • Tableau_Local_Name = "tableaugw"
              • Tableau_Local_IP = 20.20.20.20

             

            On top of that, one should configure Tableau's server configuration, tabsvc.yml:

            • gateway.public.host: 100.100.100.100 (Proxy_Public_IP)
            • gateway.public.port: 443 (as we are using HTTPS)
            • gateway.trusted: 10.10.10.10
            • gateway.trusted_hosts: "proxy, proxy.local"

             

            And the configuration of the Apache 2.4 server to complete the configuration:

            # General settings for the proxy

            #

            ProxyRequests off

            ProxyPreserveHost On

            <Proxy *>

               Order deny,allow

               Allow from all

            </Proxy>

             

            # The actual proxy settings:

            # Translate all requests from https://tableau.example.com/  to http://tableaugw/

            #

            ProxyPass / http://tableaugw/

            ProxyPassReverse / http://tableaugw/

             

            # Proxy is not allowed to cache contents

            #

            <IfModule mod_cache.c>

               CacheDisable *

            </IfModule>

             

            # Set the requestheader to HTTPS

            #

            RequestHeader set X-Forwarded-Proto "https"

             

            # That's it. Do not set the ProxyPassReverseCookiePath or the ProxyPassReverseCookieDomain!

            # Tableau uses the root, "/" as the cookiepath! and doen't care about the domain!

             

            That's it!

             

            Hope that it can help others.

            1 of 1 people found this helpful