From: Khushboo Vashi
Date: Wed, 6 Aug 2025 15:40:29 +0530
Subject: Re: Issue with pgAdmin 4 Login Behind NGINX Reverse Proxy at /pgadmin4 Path
To: Shakir Idrisi
Cc: Yogesh Mahajan, "pgadmin-support lists.postgresql.org"

On Wed, Aug 6, 2025 at 11:38 AM Shakir Idrisi wrote:

> Hi,
>
> I referred to the documentation, but my Nginx setup doesn’t have the
> proxy_params file. So I manually added the proxy_set_header lines. However,
> after logging in, pgAdmin4 was showing a blank page.
>
> *To fix it, I changed: proxy_set_header Host $host;*
> *to: proxy_set_header Host $http_host;*
>
> After this change, it began to work. I just want to confirm — is this the
> correct approach, or is it working by chance due to a header mismatch?
>

Both are different, and $host should be used. You can refer to
https://stackoverflow.com/questions/39715510/nginx-when-to-use-proxy-set-header-host-host-vs-proxy-host
for more understanding.

>
> On Wed, Aug 6, 2025 at 11:00 AM Khushboo Vashi <
> khushboo.vashi@enterprisedb.com> wrote:
>
>> Hi,
>>
>> Please refer to
>> https://www.pgadmin.org/docs/pgadmin4/9.6/server_deployment.html#nginx-configuration-with-gunicorn
>> for nginx configuration.
>>
>>
>> On Wed, Aug 6, 2025 at 10:56 AM Shakir Idrisi wrote:
>>
>>> Hi,
>>>
>>> Apologies for the interruption. May I kindly ask if the configuration I
>>> provided in my previous reply is correct?
>>>
>>> On Tue, Aug 5, 2025 at 4:57 PM Shakir Idrisi wrote:
>>>
>>>> Hi,
>>>>
>>>> I updated the configuration and it's now working.
>>>> I'm using *$http_host* instead of *$host* for the *Host* header.
>>>> Just want to confirm — is this the correct and recommended way?
>>>>
>>>> location ^~ /pgadmin4/ {
>>>>     proxy_pass http://unix:/tmp/pgadmin4.sock;
>>>>     proxy_set_header Host $http_host; # here I have changed $host to $http_host
>>>>     proxy_set_header X-Real-IP $remote_addr;
>>>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>>     proxy_set_header X-Forwarded-Proto $scheme;
>>>>     proxy_set_header X-Forwarded-Host $host;
>>>>     proxy_set_header X-Script-Name /pgadmin4;
>>>>     proxy_http_version 1.1;
>>>>
>>>>     proxy_read_timeout 300;
>>>>     proxy_connect_timeout 60;
>>>> }
>>>>
>>>> On Tue, Aug 5, 2025 at 2:55 PM Shakir Idrisi wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Do you have any updates or suggestions that could help me further
>>>>> debug this issue?
>>>>>
>>>>> On Tue, Aug 5, 2025 at 10:23 AM Shakir Idrisi wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes, I have tried the conf which you provided.
>>>>>> I mentioned in my last reply that it is not working.
>>>>>> Still getting a blank page after login on https.
>>>>>>
>>>>>> On Tue, Aug 5, 2025, 9:53 AM Yogesh Mahajan <
>>>>>> yogesh.mahajan@enterprisedb.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have already provided the nginx configuration. Have you tried it?
>>>>>>> The issue is clearly with the Nginx config.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Yogesh Mahajan
>>>>>>> EnterpriseDB
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 4, 2025 at 4:34 PM Shakir Idrisi wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I’ve tried the suggested changes, but I’m still encountering the
>>>>>>>> same issue — a blank page appears after logging in over HTTPS.
>>>>>>>>
>>>>>>>> As a workaround, I modified the config_local.py file and set:
>>>>>>>> *WTF_CSRF_CHECK_DEFAULT = False*
>>>>>>>>
>>>>>>>> With this change, pgAdmin works correctly on HTTPS. However, I
>>>>>>>> understand that disabling CSRF protection is not recommended in a
>>>>>>>> production environment, so I’m looking for a more secure solution.
>>>>>>>>
>>>>>>>> Here’s a snippet of my current *config_local.py* for reference:
>>>>>>>>
>>>>>>>> DATA_DIR = '/var/lib/pgadmin4'
>>>>>>>> SQLITE_PATH = '/var/lib/pgadmin4/pgadmin4.db'
>>>>>>>> SESSION_DB_PATH = '/var/lib/pgadmin4/sessions'
>>>>>>>> STORAGE_DIR = '/var/lib/pgadmin4/storage'
>>>>>>>> AZURE_CREDENTIAL_CACHE_DIR = '/var/lib/pgadmin4/azurecredentialcache'
>>>>>>>> KERBEROS_CCACHE_DIR = '/var/lib/pgadmin4/kerberoscache'
>>>>>>>>
>>>>>>>> SCRIPT_NAME = '/pgadmin4'
>>>>>>>>
>>>>>>>> LOG_LEVEL = 'DEBUG'
>>>>>>>> CONSOLE_LOG_LEVEL = 50  # INFO = 20, WARNING = 30, ERROR = 40, CRITICAL = 50
>>>>>>>> FILE_LOG_LEVEL = 20
>>>>>>>> LOG_FILE = '/var/lib/pgadmin4/log/pgadmin4.log'
>>>>>>>>
>>>>>>>> Could you please help me identify the correct settings to securely
>>>>>>>> enable CSRF protection while ensuring pgAdmin functions properly over both
>>>>>>>> HTTP and HTTPS under /pgadmin4?


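An added illustration, not part of the thread and not pgAdmin or nginx code: a Python model of how nginx derives `$host` and `$http_host` from the client's Host header, run against a strict same-origin Referer check on HTTPS. The host name, port 8443, the allowlist and the assumption that the backend compares the Referer with the forwarded Host are constructed for the example; the thread does not state what caused the blank page.

```python
from urllib.parse import urlsplit

# Constructed sample values; none of them come from the thread.
SERVER_NAME = "pgadmin.example.test"
ALLOWED_HOSTS = {"pgadmin.example.test", "pgadmin.example.test:8443"}

def nginx_http_host(raw_host):
    """$http_host: the client's Host header, forwarded verbatim."""
    return raw_host

def nginx_host(raw_host, server_name=SERVER_NAME):
    """$host: Host header lowercased with the port removed; server_name if
    the header is absent. (The request-line host nginx tries first is not
    modelled here.)"""
    if not raw_host:
        return server_name
    host = raw_host.lower()
    if host.startswith("["):                     # IPv6 literal such as [::1]:8443
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]

def same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def referer_check_passes(referer, forwarded_host):
    """Assumed backend behaviour: on HTTPS the Referer must share an origin
    with https://<Host header received from the proxy>/."""
    return bool(referer) and same_origin(referer, f"https://{forwarded_host}/")

def compare(raw_host, referer):
    """Outcome of the check for each choice of proxy_set_header Host."""
    return {
        "$host": referer_check_passes(referer, nginx_host(raw_host)),
        "$http_host": referer_check_passes(referer, nginx_http_host(raw_host)),
    }

def host_is_expected(raw_host, allowed=ALLOWED_HOSTS):
    """$http_host is client-supplied, so a backend that trusts it should
    compare it with the names the deployment actually serves."""
    return raw_host.lower() in allowed

if __name__ == "__main__":
    print(compare("pgadmin.example.test:8443",
                  "https://pgadmin.example.test:8443/pgadmin4/login"))
    print(compare("pgadmin.example.test",
                  "https://pgadmin.example.test/pgadmin4/login"))
```

In this model the two variables behave identically on the default HTTPS port and diverge only when the client's Host header carries an explicit port, which `$host` drops.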