AuthProxy Authentication

This document describes how to configure OverOps to enable an HTTP reverse proxy to handle authentication. Popular proxy servers have an extensive list of pluggable authentication modules and any of them can be used with the AuthProxy feature.
Here are two examples:

Apache Basic Authentication
Apache openID Connect and Google

Below are the details on how to configure the AuthProxy feature.

# Defaults to false, set to true to enable AuthProxy
# HTTP Header name that will contain the users email
# Defaults to false, set to true will enable verbose logging
# Defaults to false, set to true enables Domain Initializer feature
# Defaults to CUSTOM_HEADER
# The email address for the user which is the template for the domains environments for which the authenticated users are enabled
GLOBAL_DOMAIN_INITIALIZER=<domain initializer user email>


You'll need an On-Premises version 4.44.2 or newer to use the AuthProxy authentication.

Apache Basic Authentication (BasicAuth)

In this example, we use Apache as a reverse proxy in front of OverOps. Apache handles user authentication before forwarding requests to the OverOps backend service.

Apache Configuration

<VirtualHost *:80>
    ServerName authproxy
    ServerAdmin webmaster@authproxy
    ErrorLog ${APACHE_LOG_DIR}/authproxy_error.log
    CustomLog ${APACHE_LOG_DIR}/authproxy_access.log combined

    <Proxy *>
        Order deny,allow
        Allow from all

    ProxyRequests Off
    ProxyPass /   http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

     <Location ~ "(^/(app|grafana))(?!/download)">
         Authtype Basic
         Authname "Password Required"
         AuthBasicProvider file
         AuthUserFile /etc/apache2/passwd-nospecial
         Require valid-user

         # Take the $REMOTE_USER environment variable and set it as a header               in the proxy request.
         RewriteEngine On
         RewriteCond %{REMOTE_USER} ^(.*)$
         RewriteRule ^(.*)$ - [E=R_U:%1]
         RequestHeader set X-AUTH-PROXY  %{R_U}e
  • The first 11 lines are somewhat standard so we won't go into any detail on these.
  • Lines 12 to 14 are the standard reverse [roxy configuration to direct all authenticated requests to the OverOps Server running on Port 8080.
  • In the <Location> configuration block we enable proxy authentication only when going to the /app and / grafana URL-paths excluding specifically /app/download. Any other URL-paths to the server are not authenticated as these have their own means (such as calls to /API)
  • Lines 12 to 14 are the standard reverse proxy configuration to direct all authenticated requests to the OverOps Server running on Port 8080.
  • In lines 17 to 21 we use Basic Authentication against the passwd-nospecial file to authenticate users.
  • Line 27 then writes the authorized users email address as the X-AUTH-PROXY header.

Authenticate via OpenID Connect (openIDC) and Google

In the example below, we used the following module to configure openIDC
As in the Basic Authentication example, Apache handles user authentication by sending the requests to the openID connect provider. In our example below to google which handles the authentication requests before forwarding the session to the OverOps backend service.

Google+ API configuration

  1. login to

  2. Enable Google+ API if not already done so

  3. Create credentials for OAuth Client ID

  4. Select Web application

  5. in the Authorized redirect URIs enter the protect path used in the Proxy configuration below

Apache Configuration

<IfModule mod_ssl.c>
  <VirtualHost *:80>  
    Redirect permanent /

  <VirtualHost *:443>
    ServerAdmin [email protected]
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # openIDC configuration
    # Ensure clientID does NOT start with HTTP(s)
    OIDCClientID <your google Client ID>
    OIDCClientSecret <your google Client secret>
    OIDCScope "openid email profile"
    # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
    OIDCCryptoPassphrase <enter secret passphrase you want to use>
    OIDCCookiePath /
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyPass "/protected/" "!"

    <Location ~ "(^/($|app|grafana))(?!/download)">
       AuthType openid-connect
       Require valid-user

    <Location /protected>
       AuthType openid-connect
       Require valid-user

  #any SSL config files 
  • Line 16 to 24 is your openID Connect configuration
  • Line 29 and 36 to 39 Ensure that openIDC can do the authentication callback
  • Line 31 to 34 Ensures that the default Urls "/", "/app/", "/grafana" are forced to authenticate.
  • You will notice the Custom Header Request is not set as we did for Basic Authentication. openIDC actually sets the RequestHeader for you we just have to point to it in our The CUSTOM_AUTH_HEADER property needs to be set to OIDC_CLAIM_email as called out below.

OverOps Setup

In this section, we'll show you how to set up the AuthProxy authentication.

  1. First, you'll need to stop the Analysis Server:
    ./ stop

  2. Next, set up your proxy server
    See either
    Basic Authentication
    OpenID Connect and Google

  3. In the OverOps Analysis server, add the new custom authentication properties; go to the configuration folder <TAKIPI-SERVER-HOME>/conf/tomcat/shared and add/update the following properties in the file.



openID Connect

Please set the CUSTOM_AUTH_HEADER property to


No Enabled Domain Initializer

If there's no enabled Domain Initializer, you'll need to invite users to the relevant environments before logging into OverOps Dashboard.

If this is not done, the user will not be assigned to an environment and will be prompted for the environment key.

  1. Next, set the Domain Initializer by adding/updating the following properties in the file to set the domain initializer user:
GLOBAL_DOMAIN_INITIALIZER=<domain initializer users email>
  1. Set the TAKIPI_HOST_URL and FRONTEND_HOST to the proxy by changing the following properties in <TAKIPI_SERVER-HOME>/bin/
    to reflect the URL for your Proxy Server
  1. Finally, start the Analysis Server:
    ./ start