Issue running pgAdmin behind a reserve proxy

public inbox for [email protected]  
help / color / mirror / Atom feed

Issue running pgAdmin behind a reserve proxy
2+ messages / 2 participants
[nested] [flat]

* Issue running pgAdmin behind a reserve proxy
@ 2025-02-06 19:26 Eamon Doyle <[email protected]>
  2025-02-07 05:52 ` Re: Issue running pgAdmin behind a reserve proxy Yogesh Mahajan <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Eamon Doyle @ 2025-02-06 19:26 UTC (permalink / raw)
  To: [email protected]

Hi all,

tl;dr, I'm running pgAdmin on a nonstandard ssl port and it breaks after
first use.

Long version: I am currently running pgAdmin4 in server mode using the
standard Apache configuration included with Debian 11 (installed via the
pgAdmin instructions, pgadmin4-web and pgadmin4-server packages
installed).  The apache instance serves pgadmin over ssl on port 8443
(running a different tool on port 443) and we have a cloudflare reverse
proxy in front of that that proxies on port 443 for a particular subdomain
to port 8443 on our backend server.  The first time I go to
https://example.com/pgadmin4 and log in, pgAdmin loads as expected.
However, if I log out and try to log back in, I briefly receive the pgAdmin
loading animation followed by a blank white screen rather than the
browser.  If I watch the network tab of Chrome, I see 401 errors on the
following requests:
 - pgadmin4/preferences/get_all
 - pgadmin4/browser/check_corrupted_db_file
 - pgadmin4/misc/bgprocess/

Looking at the logs, I see the 401 errors being generated in the Apache
logs on my backend server.   Restarting the web server has no effect.  If I
then replace https://example.com/pgadmin4 with
https://example.com:8443/pgadmin4 (ie I add the port of my Apache TLS port
rather than the expected 443 that the Cloudflare reverse proxy expects) in
my browser, pgAdmin will load again and work as expected.  Due to the
security limitations of our organization, I cannot directly connect to the
backend VM on port 8443, only through the Cloudflare reverse proxy.

This seems like a bug with pgAdmin, but I'm wondering if anyone knows
whether or not I missed a configuration option that would solve this.

My Apache config is as follows:

<VirtualHost *:8443>
>     SSLEngine on
>     SSLCertificateFile      /secrets/pgadmin-cert.pem
>     SSLCertificateKeyFile   /secrets/pgadmin-key.pem
>
>     # enable HTTP/2, if available
>     Protocols h2 http/1.1
> </VirtualHost>
>
> # modern configuration
> SSLProtocol             -all +TLSv1.3
> SSLOpenSSLConfCmd       Curves X25519:prime256v1:secp384r1
> SSLHonorCipherOrder     off
> SSLSessionTickets       off


Apache pgAdmin config

WSGIDaemonProcess pgadmin processes=1 threads=25
> python-home=/usr/pgadmin4/venv
> WSGIScriptAlias /pgadmin4 /usr/pgadmin4/web/pgAdmin4.wsgi
>
> <Directory /usr/pgadmin4/web/>
>     WSGIProcessGroup pgadmin
>     WSGIApplicationGroup %{GLOBAL}
>     Require all granted
> </Directory>



Any ideas?

Thanks
Eamon


^ permalink  raw  reply  [nested|flat] 2+ messages in thread

* Re: Issue running pgAdmin behind a reserve proxy
  2025-02-06 19:26 Issue running pgAdmin behind a reserve proxy Eamon Doyle <[email protected]>
@ 2025-02-07 05:52 ` Yogesh Mahajan <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Yogesh Mahajan @ 2025-02-07 05:52 UTC (permalink / raw)
  To: Eamon Doyle <[email protected]>; +Cc: [email protected]

Hi,

If everything is working with Apache TLS port, then something is wrong with
the Cloudfare proxy.
Can you please share details for Cloudfare proxy configuration?

Thanks,
Yogesh Mahajan
EnterpriseDB


On Fri, Feb 7, 2025 at 12:57 AM Eamon Doyle <[email protected]>
wrote:

> Hi all,
>
> tl;dr, I'm running pgAdmin on a nonstandard ssl port and it breaks after
> first use.
>
> Long version: I am currently running pgAdmin4 in server mode using the
> standard Apache configuration included with Debian 11 (installed via the
> pgAdmin instructions, pgadmin4-web and pgadmin4-server packages
> installed).  The apache instance serves pgadmin over ssl on port 8443
> (running a different tool on port 443) and we have a cloudflare reverse
> proxy in front of that that proxies on port 443 for a particular subdomain
> to port 8443 on our backend server.  The first time I go to
> https://example.com/pgadmin4 and log in, pgAdmin loads as expected.
> However, if I log out and try to log back in, I briefly receive the pgAdmin
> loading animation followed by a blank white screen rather than the
> browser.  If I watch the network tab of Chrome, I see 401 errors on the
> following requests:
>  - pgadmin4/preferences/get_all
>  - pgadmin4/browser/check_corrupted_db_file
>  - pgadmin4/misc/bgprocess/
>
> Looking at the logs, I see the 401 errors being generated in the Apache
> logs on my backend server.   Restarting the web server has no effect.  If I
> then replace https://example.com/pgadmin4 with
> https://example.com:8443/pgadmin4 (ie I add the port of my Apache TLS
> port rather than the expected 443 that the Cloudflare reverse proxy
> expects) in my browser, pgAdmin will load again and work as expected.  Due
> to the security limitations of our organization, I cannot directly connect
> to the backend VM on port 8443, only through the Cloudflare reverse proxy.
>
> This seems like a bug with pgAdmin, but I'm wondering if anyone knows
> whether or not I missed a configuration option that would solve this.
>
> My Apache config is as follows:
>
> <VirtualHost *:8443>
>>     SSLEngine on
>>     SSLCertificateFile      /secrets/pgadmin-cert.pem
>>     SSLCertificateKeyFile   /secrets/pgadmin-key.pem
>>
>>     # enable HTTP/2, if available
>>     Protocols h2 http/1.1
>> </VirtualHost>
>>
>> # modern configuration
>> SSLProtocol             -all +TLSv1.3
>> SSLOpenSSLConfCmd       Curves X25519:prime256v1:secp384r1
>> SSLHonorCipherOrder     off
>> SSLSessionTickets       off
>
>
> Apache pgAdmin config
>
> WSGIDaemonProcess pgadmin processes=1 threads=25
>> python-home=/usr/pgadmin4/venv
>> WSGIScriptAlias /pgadmin4 /usr/pgadmin4/web/pgAdmin4.wsgi
>>
>> <Directory /usr/pgadmin4/web/>
>>     WSGIProcessGroup pgadmin
>>     WSGIApplicationGroup %{GLOBAL}
>>     Require all granted
>> </Directory>
>
>
>
> Any ideas?
>
> Thanks
> Eamon
>


^ permalink  raw  reply  [nested|flat] 2+ messages in thread

end of thread, other threads:[~2025-02-07 05:52 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-02-06 19:26 Issue running pgAdmin behind a reserve proxy Eamon Doyle <[email protected]>
2025-02-07 05:52 ` Yogesh Mahajan <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox