Skip to main content

Enable HTTPS proxy authentication

You can use a trusted proxy for authentication, which authenticates the user and then sends the user's username to Contrast in an HTTP header. (This type of authentication is particularly useful for x509 clients.)

Users must be configured in Contrast before starting their authentication configuration, and use the same email address as their usernames for both configurations, in order to be granted access to Contrast after authentication.

To enable trusted HTTPS proxy authentication:

  1. Update the property file by changing the authentication mode in ~/path_to_contrast_installation/data/conf/ to http_header.

  2. By default, the HTTP header name is Contrast-Authentication. You can also configure this in the file by updating the value of

  3. After restarting Contrast, each request must include the HTTP header Contrast-Authentication: username to log in.


Trusted HTTPS proxy authentication should only be used if all Contrast nodes are accessible exclusively through a trusted proxy. No nodes should be accessible directly; otherwise, an attacker could impersonate any authorized user.