Configuring proxy authentication

Learn about the properties that you need to set for configuring proxy authentication.

Edge Flow Manager (EFM) can be configured to trust an HTTP reverse proxy to authenticate users externally and pass the user details with each request. This is useful in some SSO environments in which OIDC or SAML is not an option, and some gateway, proxy, or central web service handles user authentication to multiple backend services.
You need to set the following configuration options for using proxy authentication:
efm.security.user.proxy.enabled=true
efm.security.user.proxy.headerName=x-webauth-user
efm.security.user.proxy.ipWhitelist=
efm.security.user.proxy.dnWhitelist[0]=
Where,
  • efm.security.user.proxy.enabled

    Whether proxy authentication is enabled.

  • efm.security.user.proxy.headerName

    Case-insensitive header name set by the proxy holding the end user identity.

  • efm.security.user.proxy.ipWhitelist

    Limits trusted proxy IP addresses to prevent spoofing of the user header. Specify the addresses as a comma-separated list or as multiple properties using the ipWhitelist[n] syntax:

    • efm.security.user.proxy.ipWhitelist[0]=
    • efm.security.user.proxy.ipWhitelist[1]=
  • efm.security.user.proxy.dnWhitelist[0]..[n]

    Limits trusted proxy client certificate DNs to prevent spoofing the user header. Use the dnWhitelist[n] syntax as it is common for certificate DNs to contain commas.

If you are using proxy authentication, Cloudera strongly recommends that you use either the DN whitelist or IP whitelist feature to specify trusted reverse proxies. If you are not using a whitelist, it is assumed that you are using some other networking mechanism to ensure that all authenticated requests are coming from a trusted client, such as only binding the EFM server to localhost and running the authenticating proxy on the same machine on a different network interface.
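The following is an added example, not part of EFM's own code, that models the trust decision the properties above describe: the user header is honoured only when proxy authentication is enabled and, if a whitelist is configured, the request arrived from a whitelisted proxy IP or a proxy presenting a whitelisted client-certificate DN. The property text, IP addresses and DN are constructed sample values; the `Request` type, the anonymous response shape, and the exact-string DN comparison are simplifying assumptions (a real implementation would normalize DNs before comparing them).

```python
"""Model of the proxy-authentication trust rules described for EFM.
Added example; not EFM's implementation."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of the efm.security.user.proxy.* properties.
SAMPLE_PROPERTIES = """
efm.security.user.proxy.enabled=true
efm.security.user.proxy.headerName=x-webauth-user
efm.security.user.proxy.ipWhitelist=10.0.0.5, 10.0.0.6
efm.security.user.proxy.ipWhitelist[0]=127.0.0.1
efm.security.user.proxy.dnWhitelist[0]=CN=proxy.example.com, OU=Edge, O=Example
"""

PREFIX = "efm.security.user.proxy."
# Matches "some.key" or "some.key[3]" and separates the optional index.
_INDEXED = re.compile(r"^(?P<key>[^\[\]=]+)(?:\[(?P<idx>\d+)\])?$")


@dataclass
class ProxyAuthConfig:
    enabled: bool = False
    header_name: str = "x-webauth-user"
    ip_whitelist: List[str] = field(default_factory=list)
    dn_whitelist: List[str] = field(default_factory=list)


@dataclass
class Request:
    """Assumed shape of an incoming request as seen by the server."""
    headers: Dict[str, str]            # header names as sent by the proxy
    remote_ip: str                     # TCP peer address of the sender
    client_dn: Optional[str] = None    # subject DN of the sender's TLS client cert


def parse_properties(text: str) -> ProxyAuthConfig:
    """Parse the proxy-auth properties, honouring both the comma-separated
    and the [n] syntax for IPs, and only the [n] (unsplit) syntax for DNs."""
    cfg = ProxyAuthConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = _INDEXED.match(key)
        if not m or not m.group("key").startswith(PREFIX):
            continue
        name, indexed = m.group("key")[len(PREFIX):], m.group("idx") is not None
        if name == "enabled":
            cfg.enabled = value.lower() == "true"
        elif name == "headerName":
            cfg.header_name = value
        elif name == "ipWhitelist":
            if indexed:
                if value:
                    cfg.ip_whitelist.append(value)
            else:
                cfg.ip_whitelist.extend(v.strip() for v in value.split(",") if v.strip())
        elif name == "dnWhitelist":
            # DNs contain commas, so the value is never split on them.
            if value:
                cfg.dn_whitelist.append(value)
    return cfg


def proxy_is_trusted(cfg: ProxyAuthConfig, req: Request) -> bool:
    """True when the sender matches at least one configured whitelist entry."""
    if req.remote_ip in cfg.ip_whitelist:
        return True
    return req.client_dn is not None and req.client_dn in cfg.dn_whitelist


def resolve_identity(cfg: ProxyAuthConfig, req: Request) -> dict:
    """Return the recognized user in the shape of the /api/access response.
    The anonymous response shape is an assumption of this example."""
    anonymous = {"identity": None, "anonymous": True}
    if not cfg.enabled:
        return anonymous
    wanted = cfg.header_name.lower()  # header name match is case-insensitive
    user = next((v for k, v in req.headers.items() if k.lower() == wanted), None)
    if user is None or not user.strip():
        return anonymous
    # With no whitelist configured, the deployment is assumed to restrict
    # who can reach the server by other means (e.g. localhost binding).
    if (cfg.ip_whitelist or cfg.dn_whitelist) and not proxy_is_trusted(cfg, req):
        return anonymous  # header present, but the sender is not a trusted proxy
    return {"identity": user.strip(), "anonymous": False}


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print(resolve_identity(cfg, Request({"X-WEBAUTH-USER": "alice"}, "127.0.0.1")))
    print(resolve_identity(cfg, Request({"X-WEBAUTH-USER": "alice"}, "192.0.2.10")))
```

The second call in the usage block shows the failure mode the page warns about: the same header from an address outside the whitelist yields an anonymous result instead of "alice".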

The following is a curl example of passing the proxy user header to the /api/access endpoint that returns the recognized current user:

curl -H "X-WEBAUTH-USER: alice" \
        https://localhost:10090/efm/api/access
# Response:
{"identity":"alice","anonymous":false}

As you can see, any client that can reach the EFM server directly can add this header to a request, which is why DN whitelisting, IP whitelisting, or localhost binding should be used with proxy authentication.