From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Andrew Coleman <penguincoder(at)gmail(dot)com> |
Cc: | "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org> |
Subject: | Re: PgAdmin4 behind SSL proxy |
Date: | 2019-07-08 16:06:09 |
Message-ID: | CA+OCxoz=XbNxWE+eEOL9TFhJA7cUiioEJ4V=QoXAVrUz18p3cA@mail.gmail.com |
Lists: | pgadmin-support |
Hi
I managed to find some time to start looking at this. I've been working
with Nginx so far, and will hopefully get to Traefik tomorrow. The
following config seems to be working for me with Nginx, communicating with
pgAdmin over http but with the user over https. The important parts of the
config here are setting the X-Script-Name and X-Scheme headers for pgAdmin
to pick up. The former tells it to use the appropriate sub directory
(rather than defaulting to the root directory), and the latter tells it to
generate any URLs using https and not http which it thinks it's using:

    server {
        listen 443;
        server_name _;

        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        location /pgadmin4/ {
            proxy_set_header X-Script-Name /pgadmin4;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header Host $host;
            proxy_pass http://localhost:5050/;
            proxy_redirect off;
        }
    }

On Fri, Jun 28, 2019 at 4:38 PM Andrew Coleman <penguincoder(at)gmail(dot)com>
wrote:
> That does sound a lot like the issue I am experiencing. I am using as
> little Traefik configuration as possible, using Kubernetes labels for most
> of the heavy lifting. Here are the relevant bits of the traefik.toml file:
>
> # traefik.toml
> logLevel = "INFO"
> defaultEntryPoints = ["http"]
>
> [entryPoints]
>   [entryPoints.http]
>   address = ":80"
>   compress = true
>     [entryPoints.http.redirect]
>     regex = "^http://(.*)"
>     replacement = "https://$1"
>
> [kubernetes]
>
> [traefikLog]
>   format = "json"
>
> [accessLog]
>   format = "common"
>   [accessLog.fields]
>   defaultMode = "keep"
>     [accessLog.fields.names]
>     [accessLog.fields.headers]
>     defaultMode = "keep"
>       [accessLog.fields.headers.names]
>
> Because I am running this in a cluster, my ELB is routing all traffic into
> … Traefik, so I have to use some sort of service mesh to handle routing
> packets to backend containers. That and the ELB handles SSL termination
> with my Route53 certificate.
>
>
>
> Thanks,
>
>
>
> Andrew
>
>
>
> *From: *Dave Page <dpage(at)pgadmin(dot)org>
> *Sent: *Friday, June 28, 2019 6:45 AM
> *To: *Andrew Coleman <penguincoder(at)gmail(dot)com>
> *Cc: *pgadmin-support(at)lists(dot)postgresql(dot)org
> *Subject: *Re: PgAdmin4 behind SSL proxy
>
>
>
> Hi
>
>
>
> On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman <penguincoder(at)gmail(dot)com>
> wrote:
>
> Has anyone had any success running PgAdmin4 behind a reverse proxy? I am
> using Traefik for routing in my Kubernetes cluster and I am experiencing
> some strange behavior.
>
>
>
> With SSL:
>
>
>
> POST /login, cookie is returned with an empty value, GET /browser redirect
> to /login
>
> Sometimes even requests to /user_management/current_user.js actually
> returns index.html and causes undefined behavior on the page.
>
>
>
> Without SSL, with kubectl port-forward:
>
>
>
> POST /login, cookie is returned with a value, GET to /browser returns page
> contents as expected.
>
>
>
> Hmm, I wonder if this is similar to
> https://redmine.postgresql.org/issues/4254
>
>
>
> Do you have sample Traefik config you can share so I can test? Not
> entirely sure when as I'm travelling at the moment, but I'd like to take a
> look.
>
>
>
> I assume running it in one container with pgAdmin in another is roughly
> what you're doing?
>
>
>
>
>
> I have set X-Forwarded-Proto to https, but that doesn’t do anything. I
> have set X-Scheme to https and that helps, but it’s not all the way.
> Cookies returned do not have the Secure; flag (not sure if that’s
> necessary, though). I have tried setting the values in this blog post both
> in config.py and in the environment to no success:
>
>
>
> https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
>
>
>
> I really need to expose PgAdmin via https and not http. Is there any way
> to do this without so much hate and discontent?
>
>
>
> If you take Traefik out of the equation, the container supports https
> directly.
>
>
>
> --
>
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
>
>
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
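
How a WSGI backend can consume the two headers set in the Nginx config above, as an added example that is not part of the original message and not pgAdmin's own code. The class and function names, the host name `db.example.test` and the trusted-proxy list are assumptions; the headers are applied only when the request arrives from the proxy's address, because a backend that is reachable directly would otherwise accept them from any client.

```python
from wsgiref.util import application_uri, setup_testing_defaults

TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: nginx runs on the same host


class ProxyHeaderMiddleware:
    """Apply X-Script-Name / X-Scheme, but only when the peer is the proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        if environ.get("REMOTE_ADDR") in self.trusted:
            prefix = environ.get("HTTP_X_SCRIPT_NAME", "").rstrip("/")
            if prefix.startswith("/"):
                environ["SCRIPT_NAME"] = prefix  # app is mounted below "/"
            scheme = environ.get("HTTP_X_SCHEME", "")
            if scheme in ("http", "https"):
                environ["wsgi.url_scheme"] = scheme  # scheme the user sees
        return self.app(environ, start_response)


def login_redirect_app(environ, start_response):
    """Stand-in backend: redirects to its own /login page."""
    location = application_uri(environ).rstrip("/") + "/login"
    start_response("302 Found", [("Location", location)])
    return [b""]


def location_for(remote_addr, headers):
    """Send one constructed request through the middleware; return Location."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "db.example.test",
               "SCRIPT_NAME": "", "PATH_INFO": "/browser/"}
    setup_testing_defaults(environ)  # fills the remaining WSGI keys
    environ.update(headers)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured.update(response_headers)

    ProxyHeaderMiddleware(login_redirect_app)(environ, start_response)
    return captured["Location"]


if __name__ == "__main__":
    proxied = {"HTTP_X_SCRIPT_NAME": "/pgadmin4", "HTTP_X_SCHEME": "https"}
    print(location_for("127.0.0.1", proxied))  # via the proxy
    print(location_for("127.0.0.1", {}))       # headers missing
```

Without the two headers the backend builds `http://` URLs rooted at `/`, which is the redirect-to-`/login` loop described in the quoted report.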