diff --git a/docs/en_US/container_deployment.rst b/docs/en_US/container_deployment.rst
index 2d672c122..935e19f54 100644
--- a/docs/en_US/container_deployment.rst
+++ b/docs/en_US/container_deployment.rst
@@ -197,6 +197,27 @@ for example:
 -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \
 -d dpage/pgadmin4
 
+pgAdmin X-Forwarded-* configuration
+-----------------------------------
+
+You must tell the middleware how many proxies set each header so it knows what values to trust.
+Below are the pgAdmin configuration parameters for 'X-Forwarded-*' options with default values.
+pgAdmin is ready by default to run behind reverse proxy even on a non-standard port and
+these config options don't need to be changed. If required, you can tweak these config as per your need.
+
+.. code-block:: python
+
+ # Number of values to trust for X-Forwarded-For
+ PROXY_X_FOR_COUNT = 1
+ # Number of values to trust for X-Forwarded-Proto.
+ PROXY_X_PROTO_COUNT = 0
+ # Number of values to trust for X-Forwarded-Host.
+ PROXY_X_HOST_COUNT = 0
+ # Number of values to trust for X-Forwarded-Port.
+ PROXY_X_PORT_COUNT = 1
+ # Number of values to trust for X-Forwarded-Prefix.
+ PROXY_X_PREFIX_COUNT = 0
+
 HTTP via Nginx
 --------------
 
diff --git a/docs/en_US/release_notes_4_14.rst b/docs/en_US/release_notes_4_14.rst
index 10a4770e4..65ba67350 100644
--- a/docs/en_US/release_notes_4_14.rst
+++ b/docs/en_US/release_notes_4_14.rst
@@ -23,4 +23,5 @@ Bug fixes
 | `Issue #4199 `_ - Ensure that 'ENTER' key in the data filter should not run the query.
 | `Issue #4755 `_ - Ensure that pgAdmin should work behind reverse proxy if the inbuilt server is used as it is.
 | `Issue #4756 `_ - Fix issue where pgAdmin does not load completely if loaded in an iframe.
+| `Issue #4768 `_ - Ensure pgAdmin should work behind reverse proxy on a non standard port.
 | `Issue #4777 `_ - Fix issue where query history is not visible in the query history tab.
\ No newline at end of file
diff --git a/web/config.py b/web/config.py
index 76ea7ef87..d14877632 100644
--- a/web/config.py
+++ b/web/config.py
@@ -155,6 +155,21 @@ X_FRAME_OPTIONS = "SAMEORIGIN"
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
 
+# Reverse Proxy parameters
+# You must tell the middleware how many proxies set each header
+# so it knows what values to trust.
+# See https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#werkzeug.middleware.proxy_fix.ProxyFix for more info.
+# Number of values to trust for X-Forwarded-For
+PROXY_X_FOR_COUNT = 1
+# Number of values to trust for X-Forwarded-Proto.
+PROXY_X_PROTO_COUNT = 0
+# Number of values to trust for X-Forwarded-Host.
+PROXY_X_HOST_COUNT = 0
+# Number of values to trust for X-Forwarded-Port.
+PROXY_X_PORT_COUNT = 1
+# Number of values to trust for X-Forwarded-Prefix.
+PROXY_X_PREFIX_COUNT = 0
+
 # NOTE: CSRF_SESSION_KEY, SECRET_KEY and SECURITY_PASSWORD_SALT are no
 # longer part of the main configuration, but are stored in the
 # configuration databases 'keys' table and are auto-generated.
diff --git a/web/pgAdmin4.py b/web/pgAdmin4.py
index 2063603a6..4bcfccc58 100644
--- a/web/pgAdmin4.py
+++ b/web/pgAdmin4.py
@@ -71,7 +71,13 @@ if not os.path.isfile(config.SQLITE_PATH):
 class ReverseProxied(object):
 def __init__(self, app):
 # https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
- self.app = ProxyFix(app)
+ self.app = ProxyFix(app,
+ x_for=config.PROXY_X_FOR_COUNT,
+ x_proto=config.PROXY_X_PROTO_COUNT,
+ x_host=config.PROXY_X_HOST_COUNT,
+ x_port=config.PROXY_X_PORT_COUNT,
+ x_prefix=config.PROXY_X_PREFIX_COUNT
+ )
 
 def __call__(self, environ, start_response):
 script_name = environ.get("HTTP_X_SCRIPT_NAME", "")
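Review bot: The comment block above `PROXY_X_FOR_COUNT` in web/config.py does not say what to set when no proxy sits in front of pgAdmin, while the defaults trust one value each for X-Forwarded-For and X-Forwarded-Port. With those defaults, an instance that clients reach directly takes the client address from X-Forwarded-For and the server port from X-Forwarded-Port exactly as the client sent them, which matters for anything that logs or checks the remote address. I would add `# Set a count to 0 unless that many trusted proxies set the header; a directly reachable server would otherwise accept the client-supplied value.` It is also worth noting next to `PROXY_X_PROTO_COUNT = 0` that a TLS-terminating proxy needs this raised to 1 for the forwarded scheme to be honoured.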
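Review bot: The new trust counts in web/pgAdmin4.py only reach `ProxyFix`; the context line `script_name = environ.get("HTTP_X_SCRIPT_NAME", "")` in `__call__` still reads X-Script-Name straight from the request with no trust setting behind it. `__call__` continues outside the hunk, so what it does with the value is not visible here, but a reader of config.py could assume the five settings cover every proxy header pgAdmin honours. I would document the gap in `__init__`, for example `# PROXY_X_*_COUNT only govern the X-Forwarded-* headers handled by ProxyFix; X-Script-Name is read separately in __call__.`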