MIME-Version: 1.0
From: Eamon Doyle <eamon@turnaroundfactor.com>
Date: Thu, 6 Feb 2025 14:26:58 -0500
Message-ID: 
 <CAGoAjNGP5H7=tYN0g-_qWnFSiTJ6tmXM3A5RXy9dO996uMmGUw@mail.gmail.com>
Subject: Issue running pgAdmin behind a reserve proxy
To: pgadmin-support@lists.postgresql.org
Content-Type: multipart/alternative; boundary="00000000000073a3a9062d7e3a5d"
Archived-At: 
 <https://www.postgresql.org/message-id/CAGoAjNGP5H7%3DtYN0g-_qWnFSiTJ6tmXM3A5RXy9dO996uMmGUw%40mail.gmail.com>
Precedence: bulk

--00000000000073a3a9062d7e3a5d
Content-Type: text/plain; charset="UTF-8"

Hi all,

tl;dr, I'm running pgAdmin on a nonstandard ssl port and it breaks after
first use.

Long version: I am currently running pgAdmin4 in server mode using the
standard Apache configuration included with Debian 11 (installed via the
pgAdmin instructions, pgadmin4-web and pgadmin4-server packages
installed).  The apache instance serves pgadmin over ssl on port 8443
(running a different tool on port 443) and we have a cloudflare reverse
proxy in front of that that proxies on port 443 for a particular subdomain
to port 8443 on our backend server.  The first time I go to
https://example.com/pgadmin4 and log in, pgAdmin loads as expected.
However, if I log out and try to log back in, I briefly receive the pgAdmin
loading animation followed by a blank white screen rather than the
browser.  If I watch the network tab of Chrome, I see 401 errors on the
following requests:
 - pgadmin4/preferences/get_all
 - pgadmin4/browser/check_corrupted_db_file
 - pgadmin4/misc/bgprocess/

Looking at the logs, I see the 401 errors being generated in the Apache
logs on my backend server.   Restarting the web server has no effect.  If I
then replace https://example.com/pgadmin4 with
https://example.com:8443/pgadmin4 (ie I add the port of my Apache TLS port
rather than the expected 443 that the Cloudflare reverse proxy expects) in
my browser, pgAdmin will load again and work as expected.  Due to the
security limitations of our organization, I cannot directly connect to the
backend VM on port 8443, only through the Cloudflare reverse proxy.

This seems like a bug with pgAdmin, but I'm wondering if anyone knows
whether or not I missed a configuration option that would solve this.

My Apache config is as follows:

<VirtualHost *:8443>
>     SSLEngine on
>     SSLCertificateFile      /secrets/pgadmin-cert.pem
>     SSLCertificateKeyFile   /secrets/pgadmin-key.pem
>
>     # enable HTTP/2, if available
>     Protocols h2 http/1.1
> </VirtualHost>
>
> # modern configuration
> SSLProtocol             -all +TLSv1.3
> SSLOpenSSLConfCmd       Curves X25519:prime256v1:secp384r1
> SSLHonorCipherOrder     off
> SSLSessionTickets       off


Apache pgAdmin config

WSGIDaemonProcess pgadmin processes=1 threads=25
> python-home=/usr/pgadmin4/venv
> WSGIScriptAlias /pgadmin4 /usr/pgadmin4/web/pgAdmin4.wsgi
>
> <Directory /usr/pgadmin4/web/>
>     WSGIProcessGroup pgadmin
>     WSGIApplicationGroup %{GLOBAL}
>     Require all granted
> </Directory>


Any ideas?

Thanks
Eamon

--00000000000073a3a9062d7e3a5d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi all,<div><br></div><div>tl;dr, I&#39;m running pgAdmin =
on a nonstandard ssl port and it breaks after first use.</div><div><br></di=
v><div>Long version: I am currently running pgAdmin4 in server mode using t=
he standard Apache configuration included with Debian 11 (installed via the=
 pgAdmin instructions,=C2=A0pgadmin4-web and pgadmin4-server packages insta=
lled).=C2=A0 The apache instance serves pgadmin over ssl on port 8443 (runn=
ing a different tool on port 443) and we have a cloudflare reverse proxy in=
 front of that that proxies on port 443 for a particular subdomain to=C2=A0=
port 8443 on our backend server.=C2=A0 The first time I go to <a href=3D"ht=
tps://example.com/pgadmin4">https://example.com/pgadmin4</a> and log in, pg=
Admin loads as expected.=C2=A0 However, if I log out and try to log back in=
, I briefly receive the pgAdmin loading animation followed by a blank white=
 screen rather than the browser.=C2=A0 If I watch the network tab of Chrome=
, I see 401 errors on the following requests:</div><div><span style=3D"back=
ground-color:rgb(255,251,255);color:rgb(30,27,19);font-family:&quot;Google =
Sans Text&quot;,&quot;Google Sans&quot;,system-ui,sans-serif;font-size:12px=
">=C2=A0- pgadmin4/preferences/get_all</span></div><div><font color=3D"#1e1=
b13" face=3D"Google Sans Text, Google Sans, system-ui, sans-serif"><span st=
yle=3D"font-size:12px;background-color:rgb(255,251,255)">=C2=A0- pgadmin4/<=
/span></font><span style=3D"background-color:rgb(255,251,255);color:rgb(30,=
27,19);font-family:&quot;Google Sans Text&quot;,&quot;Google Sans&quot;,sys=
tem-ui,sans-serif;font-size:12px">browser/check_corrupted_db_file</span></d=
iv><div><span style=3D"background-color:rgb(255,251,255);color:rgb(30,27,19=
);font-family:&quot;Google Sans Text&quot;,&quot;Google Sans&quot;,system-u=
i,sans-serif;font-size:12px">=C2=A0- pgadmin4/</span><span style=3D"backgro=
und-color:rgb(255,251,255);color:rgb(30,27,19);font-family:&quot;Google San=
s Text&quot;,&quot;Google Sans&quot;,system-ui,sans-serif;font-size:12px">m=
isc/bgprocess/</span></div><div><br></div><div>Looking at the logs, I see t=
he 401 errors being generated in the Apache logs on my backend server.=C2=
=A0 =C2=A0Restarting the web server has no effect.=C2=A0 If I then replace =
<a href=3D"https://example.com/pgadmin4">https://example.com/pgadmin4</a> w=
ith <a href=3D"https://example.com:8443/pgadmin4">https://example.com:8443/=
pgadmin4</a> (ie I add the port of my Apache TLS port rather than the expec=
ted 443 that the Cloudflare reverse proxy expects) in my browser, pgAdmin w=
ill load again and work as expected.=C2=A0 Due to the security limitations =
of our organization, I cannot directly connect to the backend VM on port 84=
43, only through the Cloudflare reverse proxy.=C2=A0<br><br>This seems like=
 a bug with pgAdmin, but I&#39;m wondering if anyone knows whether or not I=
 missed a configuration option that would solve this.<br><br>My Apache conf=
ig is as follows:<br><br><blockquote class=3D"gmail_quote" style=3D"margin:=
0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">=
<font face=3D"monospace">&lt;VirtualHost *:8443&gt;<br>=C2=A0 =C2=A0 SSLEng=
ine on<br>=C2=A0 =C2=A0 SSLCertificateFile =C2=A0 =C2=A0 =C2=A0/secrets/pga=
dmin-cert.pem<br>=C2=A0 =C2=A0 SSLCertificateKeyFile =C2=A0 /secrets/pgadmi=
n-key.pem<br><br>=C2=A0 =C2=A0 # enable HTTP/2, if available<br>=C2=A0 =C2=
=A0 Protocols h2 http/1.1<br>&lt;/VirtualHost&gt;<br><br># modern configura=
tion<br>SSLProtocol =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 -all +TLSv1.3=
<br>SSLOpenSSLConfCmd =C2=A0 =C2=A0 =C2=A0 Curves X25519:prime256v1:secp384=
r1<br>SSLHonorCipherOrder =C2=A0 =C2=A0 off<br>SSLSessionTickets =C2=A0 =C2=
=A0 =C2=A0 off</font></blockquote><br></div><div>Apache pgAdmin config</div=
><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">WSGIDaemo=
nProcess pgadmin processes=3D1 threads=3D25 python-home=3D/usr/pgadmin4/ven=
v<br>WSGIScriptAlias /pgadmin4 /usr/pgadmin4/web/pgAdmin4.wsgi<br><br>&lt;D=
irectory /usr/pgadmin4/web/&gt;<br>=C2=A0 =C2=A0 WSGIProcessGroup pgadmin<b=
r>=C2=A0 =C2=A0 WSGIApplicationGroup %{GLOBAL}<br>=C2=A0 =C2=A0 Require all=
 granted<br>&lt;/Directory&gt;</blockquote><div><br></div><div><br></div><d=
iv>Any ideas?</div><div><br></div><div>Thanks</div><div>Eamon</div></div>

--00000000000073a3a9062d7e3a5d--