From: Shakir Idrisi
Date: Wed, 6 Aug 2025 10:56:02 +0530
Subject: Re: Issue with pgAdmin 4 Login Behind NGINX Reverse Proxy at /pgadmin4 Path
To: Yogesh Mahajan
Cc: "pgadmin-support lists.postgresql.org"

Hi,

Apologies for the interruption.
May I kindly ask if the configuration I provided in my previous reply is correct?

On Tue, Aug 5, 2025 at 4:57 PM Shakir Idrisi wrote:

> Hi,
>
> I updated the configuration and it's now working.
> I'm using *$http_host* instead of *$host* for the *Host* header.
> Just want to confirm — is this the correct and recommended way?
>
> location ^~ /pgadmin4/ {
>     proxy_pass http://unix:/tmp/pgadmin4.sock;
>     proxy_set_header Host $http_host;  # here I have changed $host to $http_host
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto $scheme;
>     proxy_set_header X-Forwarded-Host $host;
>     proxy_set_header X-Script-Name /pgadmin4;
>     proxy_http_version 1.1;
>
>     proxy_read_timeout 300;
>     proxy_connect_timeout 60;
> }
>
> On Tue, Aug 5, 2025 at 2:55 PM Shakir Idrisi wrote:
>
>> Hi,
>>
>> Do you have any updates or suggestions that could help me further debug
>> this issue?
>>
>> On Tue, Aug 5, 2025 at 10:23 AM Shakir Idrisi wrote:
>>
>>> Hi,
>>>
>>> Yes, I have tried that conf which you have provided.
>>> I have mentioned in my last reply that it is not working.
>>> Still getting a blank page after login on HTTPS.
>>>
>>> On Tue, Aug 5, 2025, 9:53 AM Yogesh Mahajan <
>>> yogesh.mahajan@enterprisedb.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have already provided the nginx configuration. Have you tried it?
>>>> The issue is clearly with the Nginx config.
>>>>
>>>> Thanks,
>>>> Yogesh Mahajan
>>>> EnterpriseDB
>>>>
>>>>
>>>> On Mon, Aug 4, 2025 at 4:34 PM Shakir Idrisi wrote:
>>>>
>>>>> Hi,
>>>>> I’ve tried the suggested changes, but I’m still encountering the same
>>>>> issue — a blank page appears after logging in over HTTPS.
>>>>>
>>>>> As a workaround, I modified the config_local.py file and set:
>>>>> *WTF_CSRF_CHECK_DEFAULT = False*
>>>>>
>>>>> With this change, pgAdmin works correctly on HTTPS. However, I
>>>>> understand that disabling CSRF protection is not recommended in a
>>>>> production environment, so I’m looking for a more secure solution.
>>>>>
>>>>> Here’s a snippet of my current *config_local.py* for reference:
>>>>>
>>>>> DATA_DIR = '/var/lib/pgadmin4'
>>>>> SQLITE_PATH = '/var/lib/pgadmin4/pgadmin4.db'
>>>>> SESSION_DB_PATH = '/var/lib/pgadmin4/sessions'
>>>>> STORAGE_DIR = '/var/lib/pgadmin4/storage'
>>>>> AZURE_CREDENTIAL_CACHE_DIR = '/var/lib/pgadmin4/azurecredentialcache'
>>>>> KERBEROS_CCACHE_DIR = '/var/lib/pgadmin4/kerberoscache'
>>>>>
>>>>> SCRIPT_NAME = '/pgadmin4'
>>>>>
>>>>> LOG_LEVEL = 'DEBUG'
>>>>> CONSOLE_LOG_LEVEL = 50  # INFO = 20, WARNING = 30, ERROR = 40, CRITICAL = 50
>>>>> FILE_LOG_LEVEL = 20
>>>>> LOG_FILE = '/var/lib/pgadmin4/log/pgadmin4.log'
>>>>>
>>>>> Could you please help me identify the correct settings to securely
>>>>> enable CSRF protection while ensuring pgAdmin functions properly over both
>>>>> HTTP and HTTPS under /pgadmin4?
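One mechanism consistent with the symptoms in this thread (failure only over HTTPS, fixed by `$http_host`, masked by disabling CSRF checks), shown as an added example that is not part of the thread or of pgAdmin's code: nginx's `$host` drops the port from the Host header while `$http_host` keeps it, so a strict same-origin Referer check on HTTPS requests fails when the proxy listens on a non-default port. Assumptions: the proxy is on a non-default HTTPS port (the thread does not say), the application takes its host from the proxied `Host` header, and the CSRF layer compares Referer and host the way Flask-WTF does when `WTF_CSRF_SSL_STRICT` is on; the host names and helper functions are constructed for illustration.

```python
from urllib.parse import urlparse

def nginx_host(host_header: str) -> str:
    """Model of nginx $host when a Host header is present: lowercased, port removed."""
    h = host_header.lower()
    if h.startswith("["):                  # IPv6 literal such as [::1]:8443
        return h[: h.index("]") + 1]
    return h.split(":", 1)[0]

def nginx_http_host(host_header: str) -> str:
    """Model of nginx $http_host: the Host header exactly as the client sent it."""
    return host_header

def same_origin(a: str, b: str) -> bool:
    """Scheme, hostname and port must all match."""
    ua, ub = urlparse(a), urlparse(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)

def strict_referrer_ok(referrer: str, backend_host: str) -> bool:
    """HTTPS-only check: the Referer must share the origin https://<backend host>/."""
    return bool(referrer) and same_origin(referrer, f"https://{backend_host}/")

def login_post_accepted(client_host: str, forwarded_host: str) -> bool:
    """client_host: Host header sent by the browser.
    forwarded_host: value nginx placed in the proxied Host header."""
    referrer = f"https://{client_host}/pgadmin4/login"  # Referer the browser attaches
    return strict_referrer_ok(referrer, forwarded_host)

# Constructed sample hosts (not taken from the thread).
NONSTANDARD = "db.example.test:8443"
STANDARD = "db.example.test"

if __name__ == "__main__":
    for label, client in (("port 8443", NONSTANDARD), ("port 443", STANDARD)):
        for var, fn in (("$host", nginx_host), ("$http_host", nginx_http_host)):
            ok = login_post_accepted(client, fn(client))
            print(f"{label:10} Host {var:11} backend sees {fn(client)!r:24} accepted={ok}")
```

Because `$http_host` forwards the client's Host header verbatim, the nginx `server` block should match only the expected `server_name` so that arbitrary Host values never reach the backend.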