Thread: PgAdmin4 behind SSL proxy
Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior.
With SSL:
POST /login, cookie is returned with an empty value, GET /browser redirect to /login
Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page.
Without SSL, with kubectl port-forward:
POST /login, cookie is returned with a value, GET to /browser returns page contents as expected.
I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success:
https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent?
Thanks,
Andrew
Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior.
With SSL:
POST /login, cookie is returned with an empty value, GET /browser redirect to /login
Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page.
Without SSL, with kubectl port-forward:
POST /login, cookie is returned with a value, GET to /browser returns page contents as expected.
I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success:
https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent?
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
That does sound a lot like the issue I am experiencing. I am using as little Traefik configuration as possible, using Kubernetes labels for most of the heavy lifting. Here is the relevant bits of traefik.toml file:
# traefik.toml
logLevel = "INFO"
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[kubernetes]
[traefikLog]
format = "json"
[accessLog]
format = "common"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
Because I am running this in a cluster, my ELB is routing all traffic into … Traefik, so I have to use some sort of service mesh to handle routing packets to backend containers. That and the ELB handles SSL termination with my Route53 certificate.
Thanks,
Andrew
From: Dave Page
Sent: Friday, June 28, 2019 6:45 AM
To: Andrew Coleman
Cc: pgadmin-support@lists.postgresql.org
Subject: Re: PgAdmin4 behind SSL proxy
Hi
On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman <penguincoder@gmail.com> wrote:
Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior.
With SSL:
POST /login, cookie is returned with an empty value, GET /browser redirect to /login
Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page.
Without SSL, with kubectl port-forward:
POST /login, cookie is returned with a value, GET to /browser returns page contents as expected.
Hmm, I wonder if this is similar to https://redmine.postgresql.org/issues/4254
Do you have sample Traefik config you can share so I can test? Not entirely sure when as I'm travelling at the moment, but I'd like to take a look.
I assume running it in one container with pgAdmin in another is roughly what you're doing?
I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success:
https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent?
If you take Traefik out of the equation, the container supports https directly.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
listen 443;
server_name _;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location /pgadmin4/ {
proxy_set_header X-Script-Name /pgadmin4;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $host;
proxy_pass http://localhost:5050/;
proxy_redirect off;
}
}
That does sound a lot like the issue I am experiencing. I am using as little Traefik configuration as possible, using Kubernetes labels for most of the heavy lifting. Here is the relevant bits of traefik.toml file:
# traefik.tomllogLevel = "INFO"defaultEntryPoints = ["http"][entryPoints][entryPoints.http]address = ":80"compress = true[entryPoints.http.redirect]regex = "^http://(.*)"replacement = "https://$1"[kubernetes][traefikLog]format = "json"[accessLog]format = "common"[accessLog.fields]defaultMode = "keep"[accessLog.fields.names][accessLog.fields.headers]defaultMode = "keep"[accessLog.fields.headers.names]
Because I am running this in a cluster, my ELB is routing all traffic into … Traefik, so I have to use some sort of service mesh to handle routing packets to backend containers. That and the ELB handles SSL termination with my Route53 certificate.
Thanks,
Andrew
From: Dave Page
Sent: Friday, June 28, 2019 6:45 AM
To: Andrew Coleman
Cc: pgadmin-support@lists.postgresql.org
Subject: Re: PgAdmin4 behind SSL proxy
Hi
On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman <penguincoder@gmail.com> wrote:
Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior.
With SSL:
POST /login, cookie is returned with an empty value, GET /browser redirect to /login
Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page.
Without SSL, with kubectl port-forward:
POST /login, cookie is returned with a value, GET to /browser returns page contents as expected.
Hmm, I wonder if this is similar to https://redmine.postgresql.org/issues/4254
Do you have sample Traefik config you can share so I can test? Not entirely sure when as I'm travelling at the moment, but I'd like to take a look.
I assume running it in one container with pgAdmin in another is roughly what you're doing?
I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success:
https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent?
If you take Traefik out of the equation, the container supports https directly.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Hi Dave, On Mon, Jul 8, 2019 at 6:06 PM Dave Page <dpage@pgadmin.org> wrote: > I managed to find some time to start looking at this. I've been working with Nginx so far, and will hopefully get to Traefiktomorrow. I posted a working configuration for serving pgadmin4 as the root application with traefik in Ticket #4443 (without SSL). -- With kind regards / Mit freundlichen Grüßen Andreas Steinel M.Sc. Visual Computing M.Sc. Informatik
Hi Dave,
On Mon, Jul 8, 2019 at 6:06 PM Dave Page <dpage@pgadmin.org> wrote:
> I managed to find some time to start looking at this. I've been working with Nginx so far, and will hopefully get to Traefik tomorrow.
I posted a working configuration for serving pgadmin4 as the root
application with traefik in Ticket #4443 (without SSL).
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Your example documentation doesn’t include the X-Scheme header, which I think is pretty important when you are proxying to an HTTP backend but using HTTPS terminated at Traefik.
FWIW, I wasn’t using a path but I was still unable to get it working correctly behind Traefik even with a SCRIPT_NAME=/
I’ll take another look at it soon and see if I can get it working better with the newer container that has the servers.json change already included.
Thanks,
Andrew
From: Dave Page
Sent: Wednesday, July 10, 2019 7:17 AM
To: Andreas Steinel
Cc: Andrew Coleman; pgadmin-support@lists.postgresql.org
Subject: Re: PgAdmin4 behind SSL proxy
Hi
On Mon, Jul 8, 2019 at 5:22 PM Andreas Steinel <a.steinel@gmail.com> wrote:
Hi Dave,
On Mon, Jul 8, 2019 at 6:06 PM Dave Page <dpage@pgadmin.org> wrote:
> I managed to find some time to start looking at this. I've been working with Nginx so far, and will hopefully get to Traefik tomorrow.
I posted a working configuration for serving pgadmin4 as the root
application with traefik in Ticket #4443 (without SSL).
I've done some testing with both Traefik and Nginx now, and committed some doc changes at https://www.pgadmin.org/docs/pgadmin4/dev/container_deployment.html#reverse-proxying
Note that I kept the Traefik part simple, showing options with plain Docker only. I'll leave it up to the user to translate that into Compose/Swarm/K8s/whatever.
Feedback or suggestions for improvements welcome!
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Your example documentation doesn’t include the X-Scheme header, which I think is pretty important when you are proxying to an HTTP backend but using HTTPS terminated at Traefik.
FWIW, I wasn’t using a path but I was still unable to get it working correctly behind Traefik even with a SCRIPT_NAME=/
I’ll take another look at it soon and see if I can get it working better with the newer container that has the servers.json change already included.
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company