1 Reply Latest reply on Feb 4, 2018 5:43 PM by Oliver Falk

    Reverse proxy implementation with Apache and Tableau server

    Oliver Falk

      Greetings.

       

      Background:

      I have read the official document to configure both Apache (version 2.4) and Tableau Server (version 10.4) to implement a single-hop reverse proxy. The official document link is here: Configuring Reverse Proxies for Tableau Server

       

      Problem:

      After setting things up, I could see the login page from a device accessing it through the internet, but once I enter credentials and log in, the landing page shows for 1~2 seconds and then the browser forces me to be logged out with the reason "Session Expired", and from the URL I know the error code is 46.

       

      Diagnostic:

      So there must be something wrong with the configurations. After double checking, the only difference I could find from what the official document says is the XFF (X-Forwarded-For) header. From the capture at the Tableau server, the XFF header in packets from the proxy server only includes the client IP (i.e. 1.1.1.1), but not a chain of IPs including the proxy IP (i.e. 1.1.1.1, 2.2.2.2). Below are the captured packet details:

       

           Host: www.proxyhostname.com

           Origin: https://www.proxyhostname.com

           Referer: https://www.proxyhostname.com

           X-Forwarded-Proto: https

           X-Forwarded-For: 1.1.1.1

           X-Forwarded-Host: www.proxyhostname.com

           X-Forwarded-Server: www.proxyhostname.com

      (other irrelevant headers omitted)

       

      Current Configurations:

      Here are my Apache config and Tableau Server config (to keep privacy, I shall use 1.1.1.1, 2.2.2.2 and 3.3.3.3 as IPs for client, proxy, Tableau server; just following the official document naming convention):

       

      Apache

      <VirtualHost _default_:443>
              ServerName www.proxyhostname.com

              SSLProxyEngine on
              SSLEngine on
              SSLHonorCipherOrder on
              SSLProtocol all -SSLv2
              SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
              SSLProxyVerify none
              SSLProxyCheckPeerCN off
              SSLProxyCheckPeerName off

              SSLCertificateFile /CRT_location
              SSLCertificateKeyFile /KEY_location

              ErrorLog logs/ssl_error_log
              TransferLog logs/ssl_access_log
              LogLevel warn

              <Proxy *>
                      Require all granted
              </Proxy>

              ProxyPreserveHost On
              ProxyPass / http://3.3.3.3/
              ProxyPassReverse / http://3.3.3.3/

              RequestHeader set X-Forwarded-Proto https
              CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
      </VirtualHost>

       

      Tableau Server:

      authorization.servicepassword: ENC(a long string)

      clustercontroller.zookeeper.password: ENC(a long string)

      config.version: 17

      crypto.configuration.active_key_id: a UUID

      crypto.configuration.active_key_value: a long string

      crypto.master.active_key_id: a UUID

      filestore.zookeeper.password: ENC(a long string)

      gateway.external_url: https://www.proxyhostname.com

      gateway.public.host: 2.2.2.2

      gateway.public.port: 443

      gateway.trusted: 2.2.2.2

      gateway.trusted_hosts: www.proxyhostname.com, proxyhostname.com

      jdbc.password: ENC(a long string)

      pgsql.adminpassword: ENC(a long string)

      pgsql.readonly_password: ENC(a long string)

      pgsql.remote_password: ENC(a long string)

      recommendations.servicepassword: ENC(a long string)

      redis.password: ENC(a long string)

      servercrashupload.scheduled_time: 01:00:00 AM China Daylight Time

      service.init.state: start

      service.runas.username: a username

      ssl.cert.file: C:\path_to_crt (PS: i have disabled SSL in Tableau server)

      ssl.key.file: C:\path_to_key (PS: i have disabled SSL in Tableau server)

      ssl.key.passphrase: a string embraced by " (PS: i have disabled SSL in Tableau server)

      svcmonitor.notification.smtp.canonical_url: a string embraced by " (PS: i have disabled SSL in Tableau server)

      tabadminservice.password: ENC(a long string)

      telemetry.servicepassword: ENC(a long string)

      vizportal.servicepassword: ENC(a long string)

      vizqlserver.data_refresh: 60

      wgserver.trusted_hosts: 2.2.2.2

      wgserver.unrestricted_ticket: true

       

      Seek for help

      Could you help point out which setup is wrong? BTW, the Apache configuration should be alright, as I copied it from another working platform which is an Apache + Tableau Server combo.

        • 1. Re: Reverse proxy implementation with Apache and Tableau server
          Oliver Falk

          The problem is not yet resolved, but the root cause has been identified. I have also made a hacking workaround to make it usable at least. Please note this is not a solution yet.

           

          Root cause:

          The HTTP header "X-XSRF-token" is not provided in the client request after a successful login. The vizportal log also complains about this at WARN log level. The absence of the header has been proven by packet capture.

           

          Hacking workaround:

          Due to the urgency of making the server usable, I have applied a header modification configuration in Apache: copy the content of the cookie "XSRF-header" and create a new header "X-XSRF-token" in all client requests.

           

          That surely breaks the purpose of the header, which is to avoid XSRF attacks. Considering Tableau Server is a kind of read-only system, this workaround should do no harm to the server and thus it is still an acceptable workaround.

           

          New help

          Would someone know why the client does not provide the header? How to overcome this?
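
An added example, not part of the original post and not Tableau's code: a minimal model of a double-submit XSRF check, showing what the proxy-side header copy described in this reply changes for a request from the site's own page and for a cross-site request. The cookie and header names are taken as written in the post; the check logic, the `other.example` origin and the origin-conditional variant are assumptions for illustration.

```python
import hmac
import secrets

COOKIE_NAME = "XSRF-header"    # cookie name as written in the post
HEADER_NAME = "X-XSRF-token"   # header name as written in the post
EXTERNAL_ORIGIN = "https://www.proxyhostname.com"  # gateway.external_url from the post


def backend_accepts(headers, cookies):
    """Double-submit check (assumed model): header must be present and equal the cookie."""
    cookie, header = cookies.get(COOKIE_NAME), headers.get(HEADER_NAME)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


def proxy_copy_always(headers, cookies):
    """The workaround from the post: set the header from the cookie on every request."""
    out = dict(headers)
    if COOKIE_NAME in cookies:
        out[HEADER_NAME] = cookies[COOKIE_NAME]
    return out


def proxy_copy_if_origin_matches(headers, cookies):
    """Hypothetical narrower variant: copy only when Origin is the site itself."""
    if headers.get("Origin") == EXTERNAL_ORIGIN:
        return proxy_copy_always(headers, cookies)
    return dict(headers)


def run_matrix():
    cookies = {COOKIE_NAME: secrets.token_hex(16)}  # constructed session token
    # Browsers attach cookies automatically. Neither request carries the header:
    # the site's own page (as in the capture) and a request from another site.
    requests = {
        "own-page": {"Origin": EXTERNAL_ORIGIN},
        "cross-site": {"Origin": "https://other.example"},  # constructed
    }
    proxies = {"none": lambda h, c: dict(h), "copy-always": proxy_copy_always,
               "copy-if-origin": proxy_copy_if_origin_matches}
    return {(req, name): backend_accepts(proxy(h, cookies), cookies)
            for req, h in requests.items() for name, proxy in proxies.items()}


if __name__ == "__main__":
    for (req, proxy), ok in run_matrix().items():
        print(f"{req:10} proxy={proxy:14} -> {'accepted' if ok else 'rejected'}")
```

The origin-conditional variant rejects any request that arrives without an `Origin` header, so it narrows the workaround rather than replacing the client-sent token.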