Authenticated Proxy + Zero-Day Protection

Add Enterprise SSO to Internal Apps. Block Zero-Day Exploits — Without Code Changes.

PumaGate's authenticated reverse proxy adds SAML/OIDC Single Sign-On to Jenkins, Grafana, GitLab, Kibana, SonarQube, and any app that supports HTTP header authentication. Every request is identity-verified. Every zero-day is shielded. Deploy in minutes.

Start Free Trial View Supported Apps
33+
Apps Supported
100%
Unauthenticated Attacks Blocked
0
Code Changes Required
<5min
Avg. Deployment Time
How It Works

SSO via HTTP Header Authentication — In 3 Steps

Many internal apps (Jenkins, Grafana, GitLab, etc.) natively support HTTP header authentication. PumaGate leverages this to add enterprise SSO without touching the application.

1

User Hits PumaGate

Instead of accessing the app directly, users connect through PumaGate's authenticated proxy. PumaGate redirects unauthenticated users to your corporate IdP (Okta, Azure AD, Google Workspace).

2

IdP Authenticates + MFA

Your Identity Provider handles authentication — SAML 2.0 or OIDC. MFA is enforced (Duo, FIDO2, push notifications). PumaGate validates the signed assertion.

3

Header Injected, App Trusts

PumaGate injects the authenticated identity via HTTP headers (X-Forwarded-User, REMOTE_USER, etc.). The app trusts the header and creates a session — no app-side login page.

Zero-Day Protection

Your Internal Apps Are One CVE Away from Compromise

Jenkins, Confluence, GitLab, and Kibana have all had critical zero-day vulnerabilities exploited in the wild. PumaGate shields your apps by ensuring no unauthenticated traffic ever reaches them.

Frequent CVEs

Internal apps like Jenkins and Confluence average 10+ critical CVEs per year. Each one is a door for attackers.

Slow Patching

Enterprise patch cycles take weeks or months. During the gap, every exposed app is vulnerable to active exploitation.

Network Exposure

Many internal apps are reachable from the corporate network or VPN. Any compromised endpoint can exploit them.

Active Exploitation

Nation-state actors and ransomware groups actively target Confluence, GitLab, and Jenkins as initial access vectors.

The PumaGate Shield

How PumaGate Blocks Zero-Day Exploitation

No Direct Access

Apps only accept connections from PumaGate. Attackers cannot reach the app directly, even from the internal network.

Identity-First

Every request must carry a valid, IdP-verified identity. No anonymous requests reach the application process.

Request Inspection

PumaGate inspects requests before proxying. Malformed or suspicious requests are blocked before reaching the app.

Patch Safely

Take time to test patches. PumaGate shields the app from exploitation during the patch window.

Supported Applications

Apps We Secure with SSO + Zero-Day Protection

Click any application to see the detailed SSO integration guide, HTTP header configuration, zero-day protection details, and FAQ.

Jenkins

CI/CD Automation
X-Forwarded-User

Protect Jenkins with PumaGate's authenticated reverse proxy. Add enterprise SSO via HTTP header authentication while shielding your CI/CD pipeline from CVEs and zero-day vulnerabilities.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Grafana

Observability & Monitoring
X-WEBAUTH-USER

Secure Grafana with PumaGate's authenticated proxy. Enable SAML/OIDC SSO via Grafana's auth.proxy feature while protecting your monitoring dashboards from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Kibana

Log Analytics & SIEM
X-Proxy-User / es-security-runas-user

Add enterprise SSO to Kibana using PumaGate's authenticated reverse proxy. Shield your log analytics and SIEM data from CVEs while enforcing centralized identity controls.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

GitLab Self-Managed

DevOps Platform
X-Forwarded-User / REMOTE_USER

Add enterprise SSO to self-managed GitLab using PumaGate's authenticated reverse proxy. Shield your source code, CI/CD pipelines, and container registry from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

SonarQube

Code Security & Quality
X-Forwarded-Login

Secure SonarQube with PumaGate's authenticated proxy. Enable enterprise SSO via HTTP header authentication and protect your code security findings from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Apache Guacamole

Clientless Remote Desktop
N/A (native protocol)

Migrate from Apache Guacamole to PumaGate's native RDP/VNC implementation. Get built-in Kerberos authentication, Protected User support, SAML/OIDC SSO, and session recording without the Guacamole/Tomcat stack.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Jira Data Center

Project Management
X-Forwarded-User

Secure Jira Data Center with PumaGate's authenticated reverse proxy. Enable enterprise SSO via HTTP header authentication while shielding your project management data from CVEs.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Confluence Data Center

Knowledge Management
X-Forwarded-User

Add enterprise SSO to Confluence Data Center using PumaGate's authenticated proxy. Protect internal documentation, runbooks, and sensitive knowledge from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

pgAdmin

Database Management
X-Forwarded-User / REMOTE_USER

Add enterprise SSO to pgAdmin using PumaGate's authenticated reverse proxy. Protect PostgreSQL database administration from unauthorized access and zero-day vulnerabilities.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Rundeck

Operations Automation
X-Forwarded-User / REMOTE_USER

Secure Rundeck with PumaGate's authenticated reverse proxy. Enable enterprise SSO via preauthenticated mode while shielding your operations automation from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Harbor

Container Registry
X-Forwarded-User / X-Forwarded-Groups

Add enterprise SSO to Harbor container registry using PumaGate's authenticated proxy. Protect your container supply chain from CVEs and unauthorized image push/pull operations.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Zabbix

Infrastructure Monitoring
X-Forwarded-User / PHP_AUTH_USER

Secure Zabbix with PumaGate's authenticated reverse proxy. Enable enterprise SSO via HTTP authentication and shield your infrastructure monitoring from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Nexus Repository

Artifact Management
X-Forwarded-User / REMOTE_USER

Protect Nexus Repository with PumaGate's authenticated reverse proxy. Enable enterprise SSO via HTTP header authentication and shield your artifact management from CVEs and supply chain attacks.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Wiki.js

Modern Wiki Platform
X-Forwarded-User / Authorization

Secure Wiki.js with PumaGate's authenticated reverse proxy. Enable SAML/OIDC SSO via HTTP header authentication while protecting internal documentation from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Prometheus

Metrics & Monitoring
X-Forwarded-User (proxy-level auth)

Prometheus has no built-in authentication. PumaGate's authenticated reverse proxy adds enterprise SSO and blocks unauthenticated access to your metrics, targets, and alert rules.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

MinIO

Object Storage
X-Forwarded-User / Authorization

Secure MinIO Console with PumaGate's authenticated reverse proxy. Enable enterprise SSO and shield your object storage infrastructure from CVEs and unauthorized data access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Portainer

Container Management
X-Forwarded-User

Secure Portainer with PumaGate's authenticated proxy. Enable enterprise SSO and protect your Docker and Kubernetes management interface from CVEs and unauthorized container operations.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Apache Airflow

Workflow Orchestration
REMOTE_USER

Add enterprise SSO to Apache Airflow using PumaGate's authenticated proxy. Shield your data pipelines, DAGs, and connections from CVEs and unauthorized execution.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Apache Superset

Business Intelligence
REMOTE_USER

Secure Apache Superset with PumaGate's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER and shield your business intelligence data from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Gitea

Git Hosting
X-WEBAUTH-USER

Secure Gitea with PumaGate's authenticated reverse proxy. Enable enterprise SSO via reverse proxy authentication and protect your source code from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Mattermost

Team Messaging
X-Forwarded-User / X-Forwarded-Email

Secure self-hosted Mattermost with PumaGate's authenticated proxy. Enable enterprise SSO via GitLab-style proxy headers and shield team communications from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Redmine

Project Management
REMOTE_USER

Secure Redmine with PumaGate's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER header authentication and protect project data from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

NetBox

Network DCIM / IPAM
REMOTE_USER / HTTP_REMOTE_USER

Secure NetBox with PumaGate's authenticated reverse proxy. Enable enterprise SSO via REMOTE_USER and shield your network documentation from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

AWX / Ansible Automation Platform

IT Automation
REMOTE_USER / X-Forwarded-User

Secure AWX with PumaGate's authenticated reverse proxy. Enable enterprise SSO and protect your Ansible automation, playbooks, and machine credentials from CVEs and unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

phpMyAdmin

Database Administration
REMOTE_USER / PHP_AUTH_USER

Secure phpMyAdmin with PumaGate's authenticated reverse proxy. Add enterprise SSO and protect MySQL/MariaDB administration from CVEs, SQL injection, and unauthorized database access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Argo CD

GitOps & Continuous Delivery
X-Forwarded-User / Argocd-User-Info

Secure Argo CD with PumaGate's authenticated reverse proxy. Enable enterprise SSO and shield your GitOps deployment pipeline from CVEs and unauthorized application sync operations.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

n8n

Workflow Automation
X-Forwarded-User / X-n8n-User

Secure self-hosted n8n with PumaGate's authenticated proxy. Enable enterprise SSO and protect your automation workflows, API credentials, and integrations from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

HashiCorp Consul

Service Mesh & Discovery
X-Forwarded-User (proxy-level auth)

Secure HashiCorp Consul's web UI with PumaGate's authenticated proxy. Enable enterprise SSO and shield service discovery, KV store, and mesh configuration from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

HashiCorp Vault UI

Secrets Management
X-Forwarded-User (defense-in-depth)

Add an extra security layer to HashiCorp Vault with PumaGate's authenticated proxy. Shield the Vault UI from zero-day exploits while providing seamless SSO for secrets management access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Rancher

Kubernetes Management
X-Forwarded-User / Authorization

Add authenticated proxy protection to Rancher with PumaGate. Shield your Kubernetes cluster management interface from CVEs while providing seamless SSO and complete access auditing.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Backstage

Developer Portal
X-Forwarded-User / Authorization

Secure Backstage with PumaGate's authenticated reverse proxy. Enable enterprise SSO and shield your developer portal, service catalog, and TechDocs from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Outline

Team Knowledge Base
X-Forwarded-User / Authorization

Secure self-hosted Outline with PumaGate's authenticated proxy. Enable enterprise SSO and protect your team's knowledge base, documents, and internal processes from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Uptime Kuma

Uptime Monitoring
X-Forwarded-User (proxy-level auth)

Secure Uptime Kuma with PumaGate's authenticated reverse proxy. Enable enterprise SSO and shield your uptime monitoring, alerts, and status pages from unauthorized access and zero-day exploits.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

WeKan

Project Management
X-Forwarded-User / HTTP-REMOTEUSER

Secure self-hosted WeKan with PumaGate's authenticated proxy. Enable enterprise SSO and protect your Kanban boards, project workflows, and team assignments from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Traefik Dashboard

Reverse Proxy & Ingress
X-Forwarded-User (via ForwardAuth)

Secure self-hosted Traefik Dashboard with PumaGate's authenticated proxy. Enable enterprise SSO and protect your reverse proxy configuration, routing rules, and TLS certificates from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Drone CI

CI/CD Automation
X-Forwarded-User

Protect self-hosted Drone CI with PumaGate's authenticated proxy. Enable enterprise SSO and shield your continuous integration pipelines from unauthorized access and zero-day exploits.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Metabase

Business Intelligence
X-Forwarded-User

Secure self-hosted Metabase with PumaGate's authenticated proxy. Enable enterprise SSO and protect your dashboards, SQL queries, and business data from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

JupyterHub

Data Science & ML
REMOTE_USER / X-Forwarded-User

Protect JupyterHub with PumaGate's authenticated proxy. Enable enterprise SSO and secure your data science notebooks, ML models, and research data with zero trust access controls.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

code-server (VS Code)

Cloud IDE
X-Forwarded-User

Protect code-server with PumaGate's authenticated proxy. Enable enterprise SSO for browser-based VS Code and secure source code access with identity verification and session recording.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

BookStack

Documentation & Wiki
REMOTE_USER

Secure self-hosted BookStack with PumaGate's authenticated proxy. Enable enterprise SSO and protect your internal knowledge base, runbooks, and documentation from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Keycloak Admin Console

Identity & Access Management
X-Forwarded-User

Protect the Keycloak Admin Console with PumaGate's authenticated proxy. Add an additional identity verification layer and shield your IAM infrastructure from zero-day exploits.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Proxmox VE

Virtualization & Hypervisor
X-Forwarded-User

Secure Proxmox VE with PumaGate's authenticated proxy. Enable enterprise SSO for your hypervisor management interface and protect VMs, containers, and storage with zero trust access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Semaphore UI

Automation & Configuration
X-Forwarded-User

Protect Semaphore UI with PumaGate's authenticated proxy. Enable enterprise SSO for your Ansible automation dashboard and secure playbook execution, inventories, and credentials.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Authentik

Identity & Access Management
X-Forwarded-User

Protect the Authentik Admin interface with PumaGate's authenticated proxy. Add defense-in-depth security to your identity platform and shield admin operations from zero-day exploits.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Node-RED

IoT & Workflow Automation
X-Forwarded-User

Protect Node-RED with PumaGate's authenticated proxy. Enable enterprise SSO and secure your IoT workflows, API integrations, and automation flows from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Woodpecker CI

CI/CD Automation
X-Forwarded-User

Protect Woodpecker CI with PumaGate's authenticated proxy. Enable enterprise SSO for your container-native CI/CD platform and secure build pipelines, secrets, and deployment workflows.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

NocoDB

No-Code Database
X-Forwarded-User

Secure self-hosted NocoDB with PumaGate's authenticated proxy. Enable enterprise SSO and protect your databases, forms, and collaborative workspaces from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

Homer Dashboard

Service Dashboard
X-Forwarded-User

Secure self-hosted Homer Dashboard with PumaGate's authenticated proxy. Protect your internal service directory, links, and infrastructure map from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide

OpenProject

Project Management
X-Forwarded-User / REMOTE_USER

Protect self-hosted OpenProject with PumaGate's authenticated proxy. Enable enterprise SSO and secure your project plans, work packages, and Gantt charts from unauthorized access.

SSO via Header Auth Zero-Day Shield MFA Enforcement
View Integration Guide
Business Impact

Why Teams Choose PumaGate for Internal App Security

PumaGate delivers immediate security improvements and operational savings — SSO simplifies access, and the authenticated proxy blocks threats before they reach your apps.

Block Zero-Day Exploits

Unauthenticated attackers cannot reach your apps. CVEs in Jenkins, Confluence, GitLab, and others are unexploitable without first passing PumaGate's identity verification.

Eliminate Password Sprawl

One corporate credential for every internal app. No separate Jenkins, Grafana, GitLab, or Jira passwords. Reduce password reset tickets by 90%.

Enterprise MFA Everywhere

Enforce your IdP's MFA policies (Duo, FIDO2, biometrics) for every internal app — even apps with no native MFA support. One policy, all applications.

Instant Deprovisioning

Disable a user in your IdP and access to all internal apps stops immediately. No orphan accounts in Jenkins, Grafana, GitLab, or any other tool.

Unified Audit Trail

Every internal app access event appears in one audit log — with IdP context, MFA status, device info, location, and optional session recording.

Save on App Licensing

PumaGate provides enterprise SSO to open-source tools (Grafana OSS, GitLab CE, SonarQube Community) — no need for expensive enterprise editions just for SSO.

Comparison

PumaGate vs. Direct App Exposure

See what changes when you put PumaGate's authenticated proxy in front of your internal applications.

Capability With PumaGate Without PumaGate
Zero-Day Protection Unauthenticated attacks blocked App directly exploitable
SSO (SAML/OIDC) Via HTTP header injection Per-app configuration required
MFA Enforcement From IdP (Duo, FIDO2, etc.) Basic TOTP or none
Centralized Audit Trail All apps in one log Fragmented per-app logs
Session Recording Built-in Not available
Instant Deprovisioning Via IdP disable Manual per-app cleanup
Code Changes Needed None Per-app SSO plugins/config
Patch Urgency Reduced (shielded by proxy) Critical (directly exposed)

We had Jenkins, Grafana, GitLab, and SonarQube — each with their own login pages, their own passwords, and their own CVE patch schedules. PumaGate unified authentication across all four in an afternoon, and we sleep better knowing that zero-days can't be exploited remotely anymore.

VP of Engineering
Series B SaaS Company, 200+ Engineers

Your Internal Apps Deserve Enterprise Security. Deploy in Minutes.

Add SSO and zero-day protection to every internal app — no code changes, no vendor lock-in. Start your 14-day free trial today.

Start Free Trial View Pricing

Authenticated Reverse Proxy for Internal Applications

PumaGate adds SAML 2.0 and OpenID Connect (OIDC) Single Sign-On to internal applications that support HTTP header authentication. Applications like Jenkins, Grafana, GitLab, Kibana, SonarQube, Jira Data Center, Confluence Data Center, pgAdmin, Rundeck, Harbor, Zabbix, Nexus Repository, and Wiki.js can be secured with enterprise SSO without code changes.

How HTTP Header Authentication Works

Many web applications support trusting a pre-authenticated user identity from a reverse proxy via HTTP headers such as X-Forwarded-User, REMOTE_USER, X-WEBAUTH-USER, and X-Forwarded-Login. PumaGate authenticates users via SAML/OIDC and injects these headers, providing seamless SSO.

Zero-Day Protection via Authenticated Proxy

By placing PumaGate in front of internal applications, organizations ensure that no unauthenticated traffic reaches the application. This shields applications from network-based zero-day exploits, which require unauthenticated access to exploit. CVEs in Jenkins, Confluence, GitLab, and other applications become unexploitable by remote attackers.