Authenticating with a Proxy

Security Requirements and Controls

One way to accomplish single sign-on (SSO) in LogScale is by using a reverse proxy in front of LogScale. If that proxy has a way of knowing a proper username or user email or other unique user identifier, you can let the proxy decide what username the user gets access as inside LogScale.

Make sure LogScale is not accessible without passing through the proxy, as direct access to the LogScale server in this configuration allows anyone to assume any identity.

Configure using:

ini
AUTHENTICATION_METHOD=byproxy
AUTH_BY_PROXY_HEADER_NAME=name-of-http-header

The proxy must add a header with the username of the end user in the specified header. If the proxy leaves the header blank, the user does not get authenticated, and can thus only access shared dashboards.

LogScale uses the Authentication header as transport from the browser to the LogScale backend. It is thus not possible to use a proxy that also uses this header. This rules out using https://github.com/bitly/oauth2_proxy.