AuthProxy Authentication
This document describes how to configure OverOps to enable an HTTP reverse proxy to handle authentication. Popular proxy servers have an extensive list of pluggable authentication modules and any of them can be used with the AuthProxy feature.
Here are two examples:
- Apache Basic Authentication
- Apache OpenID Connect and Google
Below are the details on how to configure the AuthProxy feature.
# Defaults to false; set to true to enable AuthProxy
CUSTOM_AUTH_ENABLED=true
# Name of the HTTP header that will contain the user's email
CUSTOM_AUTH_HEADER=X-AUTH-PROXY
# Defaults to false; set to true to enable verbose logging
CUSTOM_AUTH_VERBOSE_LOGGING=false
# Defaults to false; set to true to enable the Domain Initializer feature
GLOBAL_DOMAIN_AUTH_ENABLED=true
# Defaults to CUSTOM_HEADER
GLOBAL_DOMAIN_AUTH_TYPE=CUSTOM_HEADER
# Email address of the user whose domain environments are the template for the environments that authenticated users are enabled on
GLOBAL_DOMAIN_INITIALIZER=<domain initializer user email>
Prerequisites
You'll need an On-Premises version 4.44.2 or newer to use the AuthProxy authentication.
Apache Basic Authentication (BasicAuth)
In this example, we use Apache as a reverse proxy in front of OverOps. Apache handles user authentication before forwarding requests to the OverOps backend service.
Apache Configuration
<VirtualHost *:80>
    ServerName authproxy
    ServerAdmin webmaster@authproxy
    ErrorLog ${APACHE_LOG_DIR}/authproxy_error.log
    CustomLog ${APACHE_LOG_DIR}/authproxy_access.log combined
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Location ~ "(^/(app|grafana))(?!/download)">
        AuthType Basic
        AuthName "Password Required"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwd-nospecial
        Require valid-user
        # Take the REMOTE_USER environment variable and set it as a header in the proxy request.
        RewriteEngine On
        RewriteCond %{REMOTE_USER} ^(.*)$
        RewriteRule ^(.*)$ - [E=R_U:%1]
        RequestHeader set X-AUTH-PROXY %{R_U}e
    </Location>
</VirtualHost>
- The ServerName, ServerAdmin, logging and <Proxy> directives are standard Apache configuration, so we won't go into any detail on these.
- ProxyRequests, ProxyPass and ProxyPassReverse are the standard reverse proxy configuration that directs all requests to the OverOps Server running on port 8080.
- In the <Location> block we enable proxy authentication only for the /app and /grafana URL paths, specifically excluding /app/download. Any other URL paths to the server are not authenticated, as these have their own means (such as calls to /API).
- Inside that block, AuthType, AuthName, AuthBasicProvider, AuthUserFile and Require use Basic Authentication against the passwd-nospecial file to authenticate users.
- The RewriteCond/RewriteRule pair copies REMOTE_USER into the R_U variable, and RequestHeader then writes the authorized user's email address as the X-AUTH-PROXY header.
Authenticate via OpenID Connect (openIDC) and Google
In the example below, we used the following module to configure openIDC: https://github.com/zmartzone/mod_auth_openidc
As in the Basic Authentication example, Apache handles user authentication, here by sending requests to the OpenID Connect provider (Google in the example below), which handles the authentication before Apache forwards the session to the OverOps backend service.
Google+ API configuration
- Log in to console.developers.google.com
- Enable the Google+ API if not already done
- Create credentials for an OAuth Client ID
- Select Web application
- In the Authorized redirect URIs, enter the protected path used in the proxy configuration below: https://example.myserver.com/protected/redirect_uri
Apache Configuration
<IfModule mod_ssl.c>
    <VirtualHost *:80>
        ServerName example.myserver.com
        Redirect permanent / https://example.myserver.com
    </VirtualHost>
    <VirtualHost *:443>
        ServerName example.myserver.com
        ServerAlias www.example.myserver.com
        ServerAdmin <admin email>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # openIDC configuration
        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        # Ensure clientID does NOT start with HTTP(s)
        OIDCClientID <your google Client ID>
        OIDCClientSecret <your google Client secret>
        OIDCScope "openid email profile"
        # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
        OIDCRedirectURI https://example.myserver.com/protected/redirect_uri
        OIDCCryptoPassphrase <enter secret passphrase you want to use>
        OIDCCookiePath /
        ProxyRequests Off
        # The exclusion must come before the general ProxyPass: rules are checked in order and the first match wins
        ProxyPass "/protected/" "!"
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        <Location ~ "(^/($|app|grafana))(?!/download)">
            AuthType openid-connect
            Require valid-user
        </Location>
        <Location /protected>
            AuthType openid-connect
            Require valid-user
        </Location>
        # SSL configuration directives go here
    </VirtualHost>
</IfModule>
- The OIDC* directives are your OpenID Connect configuration.
- The ProxyPass "/protected/" "!" exclusion together with the <Location /protected> block ensures that openIDC can handle the authentication callback.
- The <Location ~ "(^/($|app|grafana))(?!/download)"> block ensures that the default URLs "/", "/app/" and "/grafana" are forced to authenticate.
- You will notice the custom request header is not set as we did for Basic Authentication. openIDC sets the request header for you; we just have to point to it in our my.server.properties. The CUSTOM_AUTH_HEADER property needs to be set to OIDC_CLAIM_email, as called out below.
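The two <Location ~ "..."> regexes above (Basic Authentication and openIDC) decide which URL paths must pass proxy authentication. As an added example that is not part of this page or of OverOps, the Python below mirrors Apache's Location regex matching so you can check a list of paths for exposure; it also covers edge cases the prose does not spell out, such as the /download exclusion applying under /grafana too and the match being a case-sensitive prefix match.

```python
import re

# The two <Location ~ "..."> regexes from this page's Apache examples.
# Apache applies a Location regex as an unanchored, case-sensitive search
# on the URL path (without the query string), which re.search reproduces.
BASIC_AUTH_LOCATION = re.compile(r"(^/(app|grafana))(?!/download)")
OIDC_LOCATION = re.compile(r"(^/($|app|grafana))(?!/download)")


def requires_proxy_auth(path: str, location: re.Pattern = BASIC_AUTH_LOCATION) -> bool:
    """True if Apache would demand proxy authentication for this URL path."""
    path = path.split("?", 1)[0]          # Location never sees the query string
    return location.search(path) is not None


def audit_paths(paths, location: re.Pattern = BASIC_AUTH_LOCATION) -> dict:
    """Map each path to 'proxy-auth' or 'pass-through' for a quick exposure review."""
    return {p: "proxy-auth" if requires_proxy_auth(p, location) else "pass-through"
            for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real OverOps deployment.
    sample = ["/", "/app/", "/app/download/agent.tar.gz", "/grafana/download",
              "/api/v1/services", "/application", "/APP"]
    for variant, loc in (("BasicAuth", BASIC_AUTH_LOCATION), ("openIDC", OIDC_LOCATION)):
        print(variant, audit_paths(sample, loc))
```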
OverOps Setup
In this section, we'll show you how to set up the AuthProxy authentication.
- First, stop the Analysis Server:
./takipi-server.sh stop
- Next, set up your proxy server. See either Basic Authentication or OpenID Connect and Google above.
- In the OverOps Analysis Server, add the new custom authentication properties: go to the configuration folder <TAKIPI-SERVER-HOME>/conf/tomcat/shared and add/update the following properties in the my.server.properties file.
CUSTOM_AUTH_ENABLED=true
CUSTOM_AUTH_HEADER=X-AUTH-PROXY
CUSTOM_AUTH_VERBOSE_LOGGING=false
openID Connect
Set the CUSTOM_AUTH_HEADER property to OIDC_CLAIM_email.
No Enabled Domain Initializer
If there is no enabled Domain Initializer, you'll need to invite users to the relevant environments before they log in to the OverOps Dashboard. If this is not done, the user will not be assigned to an environment and will be prompted for the environment key.
- Next, set the Domain Initializer by adding/updating the following properties in the my.server.properties file:
GLOBAL_DOMAIN_AUTH_ENABLED=true
GLOBAL_DOMAIN_AUTH_TYPE=CUSTOM_HEADER
GLOBAL_DOMAIN_INITIALIZER=<domain initializer user's email>
- Set TAKIPI_HOST_URL and FRONTEND_HOST to the proxy by changing the following properties in <TAKIPI-SERVER-HOME>/bin/server-env.sh to reflect the URL of your proxy server:
export TAKIPI_HOST_URL=<PROXY-SERVER-URL>
export FRONTEND_HOST=<PROXY-SERVER-URL>
- Finally, start the Analysis Server:
./takipi-server.sh start
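To make the properties above concrete, here is an added example (not OverOps code) of how a backend sitting behind the AuthProxy consumes the identity header: it parses the my.server.properties keys from this page, resolves the configured header for both the X-AUTH-PROXY and the OIDC_CLAIM_email setups, and, as an assumed hardening the page itself does not describe, only honours the header on requests that arrive from the proxy's address (the ProxyPass targets on this page are on localhost).

```python
"""Model of how a backend behind the AuthProxy consumes the identity header.

Added example, not OverOps code: the property names are those documented on this
page; the proxy-address check is an assumed hardening the page does not state.
"""
import logging
from typing import Mapping, Optional

log = logging.getLogger("authproxy")

# Constructed stand-ins for the relevant lines of my.server.properties.
PROPERTIES_BASIC = """
# X-AUTH-PROXY is written by the Apache RequestHeader directive
CUSTOM_AUTH_ENABLED=true
CUSTOM_AUTH_HEADER=X-AUTH-PROXY
CUSTOM_AUTH_VERBOSE_LOGGING=false
"""
# mod_auth_openidc sets OIDC_CLAIM_email itself, so only the header name changes.
PROPERTIES_OIDC = PROPERTIES_BASIC.replace("X-AUTH-PROXY", "OIDC_CLAIM_email")


def parse_properties(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def authenticated_user(props: Mapping[str, str], headers: Mapping[str, str],
                       remote_addr: str, proxy_addr: str = "127.0.0.1") -> Optional[str]:
    """Return the e-mail the proxy asserted, or None when the request must not be trusted."""
    if props.get("CUSTOM_AUTH_ENABLED", "false").lower() != "true":
        return None  # AuthProxy disabled: the header carries no meaning
    # Assumption: identity may only be asserted by the reverse proxy, which the
    # page's ProxyPass directives place on the same host (http://localhost:8080/).
    if remote_addr != proxy_addr:
        log.warning("identity header from %s ignored: not the proxy", remote_addr)
        return None
    wanted = props.get("CUSTOM_AUTH_HEADER", "").lower()
    verbose = props.get("CUSTOM_AUTH_VERBOSE_LOGGING", "false").lower() == "true"
    # HTTP header names are case-insensitive, so compare them case-folded.
    for name, value in headers.items():
        if name.lower() == wanted and value.strip():
            if verbose:
                log.info("user %s asserted via header %s", value.strip(), name)
            return value.strip()
    return None
```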
Updated almost 5 years ago