Re: PgAdmin4 behind SSL proxy
Hi On Wed, Jul 10, 2019 at 7:25 PM Andrew Coleman wrote: > Your example documentation doesn’t include the X-Scheme header, which I > think is pretty important when you are proxying to an HTTP backend but > using HTTPS terminated at Traefik. > It wasn't needed in my testing. SCRIPT_NAME is the same thing, but passed to the environment of the container running pgAdmin. You do also need a label on the pgAdmin container though to tell Traefik to rewrite the URLs: traefik.frontend.rule=PathPrefix:/pgadmin4 > > > FWIW, I wasn’t using a path but I was still unable to get it working > correctly behind Traefik even with a SCRIPT_NAME=/ > I didn't try using SCRIPT_NAME with the app mounted at the root of the vhost, so don't know if that works. The root is the default though, so you should be able to omit it. > > > I’ll take another look at it soon and see if I can get it working better > with the newer container that has the servers.json change already included. > > > FWIW, I tested all the configs I documented using the pgAdmin 4.11 container and Traefik 1.7.12 running on the Docker host. I also tested some of the configs with the latest Traefik container, but I found I was getting the same behaviour with that as when running on the host so ended up finishing my work just using it on the host. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
RE: PgAdmin4 behind SSL proxy
Your example documentation doesn’t include the X-Scheme header, which I think is pretty important when you are proxying to an HTTP backend but using HTTPS terminated at Traefik. FWIW, I wasn’t using a path but I was still unable to get it working correctly behind Traefik even with a SCRIPT_NAME=/ I’ll take another look at it soon and see if I can get it working better with the newer container that has the servers.json change already included. Thanks, Andrew From: Dave Page Sent: Wednesday, July 10, 2019 7:17 AM To: Andreas Steinel Cc: Andrew Coleman; pgadmin-support@lists.postgresql.org Subject: Re: PgAdmin4 behind SSL proxy Hi On Mon, Jul 8, 2019 at 5:22 PM Andreas Steinel wrote: Hi Dave, On Mon, Jul 8, 2019 at 6:06 PM Dave Page wrote: > I managed to find some time to start looking at this. I've been working with > Nginx so far, and will hopefully get to Traefik tomorrow. I posted a working configuration for serving pgadmin4 as the root application with traefik in Ticket #4443 (without SSL). I've done some testing with both Traefik and Nginx now, and committed some doc changes at https://www.pgadmin.org/docs/pgadmin4/dev/container_deployment.html#reverse-proxying Note that I kept the Traefik part simple, showing options with plain Docker only. I'll leave it up to the user to translate that into Compose/Swarm/K8s/whatever. Feedback or suggestions for improvements welcome! -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: PgAdmin4 behind SSL proxy
Hi On Mon, Jul 8, 2019 at 5:22 PM Andreas Steinel wrote: > Hi Dave, > > On Mon, Jul 8, 2019 at 6:06 PM Dave Page wrote: > > I managed to find some time to start looking at this. I've been working > with Nginx so far, and will hopefully get to Traefik tomorrow. > > I posted a working configuration for serving pgadmin4 as the root > application with traefik in Ticket #4443 (without SSL). > I've done some testing with both Traefik and Nginx now, and committed some doc changes at https://www.pgadmin.org/docs/pgadmin4/dev/container_deployment.html#reverse-proxying Note that I kept the Traefik part simple, showing options with plain Docker only. I'll leave it up to the user to translate that into Compose/Swarm/K8s/whatever. Feedback or suggestions for improvements welcome! -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: PgAdmin4 behind SSL proxy
Hi Dave, On Mon, Jul 8, 2019 at 6:06 PM Dave Page wrote: > I managed to find some time to start looking at this. I've been working with > Nginx so far, and will hopefully get to Traefik tomorrow. I posted a working configuration for serving pgadmin4 as the root application with traefik in Ticket #4443 (without SSL). -- With kind regards / Mit freundlichen Grüßen Andreas Steinel M.Sc. Visual Computing M.Sc. Informatik
Re: PgAdmin4 behind SSL proxy
Hi I managed to find some time to start looking at this. I've been working with Nginx so far, and will hopefully get to Traefik tomorrow. The following config seems to be working for me with Nginx, communicating with pgAdmin over http but with the user over https. The important parts of the config here are setting the X-Script-Name and X-Scheme headers for pgAdmin to pick up. The former tells it to use the appropriate sub directory (rather than defaulting to the root directory), and the latter tells it to generate any URLs using https and not http which it thinks it's using: server { listen 443; server_name _; ssl_certificate /etc/nginx/server.crt; ssl_certificate_key /etc/nginx/server.key; ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location /pgadmin4/ { proxy_set_header X-Script-Name /pgadmin4; proxy_set_header X-Scheme $scheme; proxy_set_header Host $host; proxy_pass http://localhost:5050/; proxy_redirect off; } } On Fri, Jun 28, 2019 at 4:38 PM Andrew Coleman wrote: > That does sound a lot like the issue I am experiencing. I am using as > little Traefik configuration as possible, using Kubernetes labels for most > of the heavy lifting. Here is the relevant bits of traefik.toml file: > > > > # traefik.toml > > logLevel = "INFO" > > defaultEntryPoints = ["http"] > > [entryPoints] > > [entryPoints.http] > > address = ":80" > > compress = true > > [entryPoints.http.redirect] > > regex = "^http://(.*)" > > replacement = "https://$1"; > > [kubernetes] > > [traefikLog] > > format = "json" > > [accessLog] > > format = "common" > > [accessLog.fields] > > defaultMode = "keep" > > [accessLog.fields.names] > > [accessLog.fields.headers] > > defaultMode = "keep" > > [accessLog.fields.headers.names] > > > > > > Because I am running this in a cluster, my ELB is routing all traffic into > … Traefik, so I have to use some sort of service mesh to handle routing > packets to backend containers. That and the ELB handles SSL termination > with my Route53 certificate. > > > > Thanks, > > > > Andrew > > > > *From: *Dave Page > *Sent: *Friday, June 28, 2019 6:45 AM > *To: *Andrew Coleman > *Cc: *pgadmin-support@lists.postgresql.org > *Subject: *Re: PgAdmin4 behind SSL proxy > > > > Hi > > > > On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman > wrote: > > Has anyone had any success running PgAdmin4 behind a reverse proxy? I am > using Traefik for routing in my Kubernetes cluster and I am experiencing > some strange behavior. > > > > With SSL: > > > > POST /login, cookie is returned with an empty value, GET /browser redirect > to /login > > Sometimes even requests to /user_management/current_user.js actually > returns index.html and causes undefined behavior on the page. > > > > Without SSL, with kubectl port-forward: > > > > POST /login, cookie is returned with a value, GET to /browser returns page > contents as expected. > > > > Hmm, I wonder if this is similar to > https://redmine.postgresql.org/issues/4254 > > > > Do you have sample Traefik config you can share so I can test? Not > entirely sure when as I'm travelling at the moment, but I'd like to take a > look. > > > > I assume running it in one container with pgAdmin in another is roughly > what you're doing? > > > > > > I have set X-Forwarded-Proto to https, but that doesn’t do anything. I > have set X-Scheme to https and that helps, but it’s not all the way. > Cookies returned do not have the Secure; flag (not sure if that’s > necessary, though). I have tried setting the values in this blog post both > in config.py and in the environment to no success: > > > > https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications > > > > I really need to expose PgAdmin via https and not http. Is there any way > to do this without so much hate and discontent? > > > > If you take Traefik out of the equation, the container supports https > directly. > > > > -- > > Dave Page > Blog: http://pgsnake.blogspot.com > Twitter: @pgsnake > > EnterpriseDB UK: http://www.enterprisedb.com > The Enterprise PostgreSQL Company > > > -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
RE: PgAdmin4 behind SSL proxy
That does sound a lot like the issue I am experiencing. I am using as little Traefik configuration as possible, using Kubernetes labels for most of the heavy lifting. Here is the relevant bits of traefik.toml file: # traefik.toml logLevel = "INFO" defaultEntryPoints = ["http"] [entryPoints] [entryPoints.http] address = ":80" compress = true [entryPoints.http.redirect] regex = "^http://(.*)" replacement = "https://$1"; [kubernetes] [traefikLog] format = "json" [accessLog] format = "common" [accessLog.fields] defaultMode = "keep" [accessLog.fields.names] [accessLog.fields.headers] defaultMode = "keep" [accessLog.fields.headers.names] Because I am running this in a cluster, my ELB is routing all traffic into … Traefik, so I have to use some sort of service mesh to handle routing packets to backend containers. That and the ELB handles SSL termination with my Route53 certificate. Thanks, Andrew From: Dave Page Sent: Friday, June 28, 2019 6:45 AM To: Andrew Coleman Cc: pgadmin-support@lists.postgresql.org Subject: Re: PgAdmin4 behind SSL proxy Hi On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman wrote: Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior. With SSL: POST /login, cookie is returned with an empty value, GET /browser redirect to /login Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page. Without SSL, with kubectl port-forward: POST /login, cookie is returned with a value, GET to /browser returns page contents as expected. Hmm, I wonder if this is similar to https://redmine.postgresql.org/issues/4254 Do you have sample Traefik config you can share so I can test? Not entirely sure when as I'm travelling at the moment, but I'd like to take a look. I assume running it in one container with pgAdmin in another is roughly what you're doing? I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success: https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent? If you take Traefik out of the equation, the container supports https directly. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Re: PgAdmin4 behind SSL proxy
Hi On Thu, Jun 27, 2019 at 1:14 PM Andrew Coleman wrote: > Has anyone had any success running PgAdmin4 behind a reverse proxy? I am > using Traefik for routing in my Kubernetes cluster and I am experiencing > some strange behavior. > > > > With SSL: > > > > POST /login, cookie is returned with an empty value, GET /browser redirect > to /login > > Sometimes even requests to /user_management/current_user.js actually > returns index.html and causes undefined behavior on the page. > > > > Without SSL, with kubectl port-forward: > > > > POST /login, cookie is returned with a value, GET to /browser returns page > contents as expected. > Hmm, I wonder if this is similar to https://redmine.postgresql.org/issues/4254 Do you have sample Traefik config you can share so I can test? Not entirely sure when as I'm travelling at the moment, but I'd like to take a look. I assume running it in one container with pgAdmin in another is roughly what you're doing? > > > I have set X-Forwarded-Proto to https, but that doesn’t do anything. I > have set X-Scheme to https and that helps, but it’s not all the way. > Cookies returned do not have the Secure; flag (not sure if that’s > necessary, though). I have tried setting the values in this blog post both > in config.py and in the environment to no success: > > > > https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications > > > > I really need to expose PgAdmin via https and not http. Is there any way > to do this without so much hate and discontent? > If you take Traefik out of the equation, the container supports https directly. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
PgAdmin4 behind SSL proxy
Has anyone had any success running PgAdmin4 behind a reverse proxy? I am using Traefik for routing in my Kubernetes cluster and I am experiencing some strange behavior. With SSL: POST /login, cookie is returned with an empty value, GET /browser redirect to /login Sometimes even requests to /user_management/current_user.js actually returns index.html and causes undefined behavior on the page. Without SSL, with kubectl port-forward: POST /login, cookie is returned with a value, GET to /browser returns page contents as expected. I have set X-Forwarded-Proto to https, but that doesn’t do anything. I have set X-Scheme to https and that helps, but it’s not all the way. Cookies returned do not have the Secure; flag (not sure if that’s necessary, though). I have tried setting the values in this blog post both in config.py and in the environment to no success: https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications I really need to expose PgAdmin via https and not http. Is there any way to do this without so much hate and discontent? Thanks, Andrew