pgAdmin4 unable to work behind Nginx reverse proxy running on a non-standard port.

Werkzeug middleware allows us to set the number of trusted ports and few other params
behind the proxy. By default values are set to zero.

Added 'X-Forwarded-*' configuration options and set the default value of the port to 1 to work with non-standard port.

Fixes #4768

docs/en_US/container_deployment.rst

@@ -197,6 +197,27 @@ for example:
         -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \
         -d dpage/pgadmin4
 
+pgAdmin X-Forwarded-* configuration
+-----------------------------------
+
+You must tell the middleware how many proxies set each header so it knows what values to trust.
+Below are the pgAdmin configuration parameters for 'X-Forwarded-*' options with default values.
+pgAdmin is ready by default to run behind reverse proxy even on a non-standard port and
+these config options don't need to be changed. If required, you can tweak these config as per your need.
+
+.. code-block:: python
+
+    # Number of values to trust for X-Forwarded-For
+    PROXY_X_FOR_COUNT = 1
+    # Number of values to trust for X-Forwarded-Proto.
+    PROXY_X_PROTO_COUNT = 0
+    # Number of values to trust for X-Forwarded-Host.
+    PROXY_X_HOST_COUNT = 0
+    # Number of values to trust for X-Forwarded-Port.
+    PROXY_X_PORT_COUNT = 1
+    # Number of values to trust for X-Forwarded-Prefix.
+    PROXY_X_PREFIX_COUNT = 0
+
 HTTP via Nginx
 --------------
 

docs/en_US/release_notes_4_14.rst

@@ -23,4 +23,5 @@ Bug fixes
 | `Issue #4199 <https://redmine.postgresql.org/issues/4199>`_ -  Ensure that 'ENTER' key in the data filter should not run the query.
 | `Issue #4755 <https://redmine.postgresql.org/issues/4755>`_ -  Ensure that pgAdmin should work behind reverse proxy if the inbuilt server is used as it is.
 | `Issue #4756 <https://redmine.postgresql.org/issues/4756>`_ -  Fix issue where pgAdmin does not load completely if loaded in an iframe.
+| `Issue #4768 <https://redmine.postgresql.org/issues/4768>`_ -  Ensure pgAdmin should work behind reverse proxy on a non standard port.
 | `Issue #4777 <https://redmine.postgresql.org/issues/4777>`_ -  Fix issue where query history is not visible in the query history tab.

web/config.py

@@ -155,6 +155,21 @@ X_FRAME_OPTIONS = "SAMEORIGIN"
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
 
+# Reverse Proxy parameters
+# You must tell the middleware how many proxies set each header
+# so it knows what values to trust.
+# See https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#werkzeug.middleware.proxy_fix.ProxyFix for more info.
+# Number of values to trust for X-Forwarded-For
+PROXY_X_FOR_COUNT = 1
+# Number of values to trust for X-Forwarded-Proto.
+PROXY_X_PROTO_COUNT = 0
+# Number of values to trust for X-Forwarded-Host.
+PROXY_X_HOST_COUNT = 0
+# Number of values to trust for X-Forwarded-Port.
+PROXY_X_PORT_COUNT = 1
+# Number of values to trust for X-Forwarded-Prefix.
+PROXY_X_PREFIX_COUNT = 0
+
 # NOTE: CSRF_SESSION_KEY, SECRET_KEY and SECURITY_PASSWORD_SALT are no
 #       longer part of the main configuration, but are stored in the
 #       configuration databases 'keys' table and are auto-generated.

web/pgAdmin4.py

@@ -71,7 +71,13 @@ if not os.path.isfile(config.SQLITE_PATH):
 class ReverseProxied(object):
     def __init__(self, app):
         # https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
-        self.app = ProxyFix(app)
+        self.app = ProxyFix(app,
+                            x_for=config.PROXY_X_FOR_COUNT,
+                            x_proto=config.PROXY_X_PROTO_COUNT,
+                            x_host=config.PROXY_X_HOST_COUNT,
+                            x_port=config.PROXY_X_PORT_COUNT,
+                            x_prefix=config.PROXY_X_PREFIX_COUNT
+                            )
 
     def __call__(self, environ, start_response):
         script_name = environ.get("HTTP_X_SCRIPT_NAME", "")