Using app proxy with pgadmin
-
I'm trying to use the app proxy to proxy to my pgadmin container (which is only available on a private network), but I can't make it work.
Here's the setup:
- pgadmin is available on 10.0.A.B:5050 (started as a container). I've tested a direct connection through an ssh tunnel, it works
- cloudron has a public interface and a private one (10.0.C.D), which can reach pgadmin (tested too)
- I created an app proxy to http://10.0.A.B:5050, available to all users
What happens:
- I get the cloudron login page and when I log in (with the correct credentials) it redirects to the same login page
- In the pgadmin logs I see (213.X.Y.186 is the IP address of my laptop, not the one of my cloudron instance):
pgadmin4_container | 213.X.Y.186 - - [04/Sep/2023:07:38:42 +0000] "GET / HTTP/1.1" 302 217 "https://pgadmin.domain.net/login?next=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0"
pgadmin4_container | ::ffff:10.0.C.D - - [04/Sep/2023:07:38:50 +0000] "GET / HTTP/1.1" 302 217 "-" "Mozilla (CloudronHealth)"
Note that hitting directly https://pgadmin.domain.net/login?next=%2F from my browser yields the same behavior (infinite cloudron login page).
What I was expecting:
- After logging with my cloudron credentials, I was expecting to see the pgadmin login page
It seems related to this, although that's unresolved.
-
-
@cpa I looked into this now. I deployed based on instructions at https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html . As you said, without auth in the proxy, it works fine.
For making it work with auth in the proxy, we need a way to disable auth in pgadmin. AFAICT, this is not possible. What happens is: cloudron proxy authenticates and forwards to pgadmin. But pgadmin redirects to /login since it needs authentication as well. The /login is a route reserved by the proxy (the proxy's own login page). So, the whole setup is untenable. Even if pgadmin used some other route, we will still have double login (once for cloudron and again for pgadmin).
-
I see, that's a bummer, since the login route isn't configurable by either pgadmin or cloudron. Btw, I wouldn't mind the double login (I just don't want to expose a pgadmin instance publicly, even with auth).
That being said, the reserved /login route may cause trouble down the road as it is a very common route. Maybe consider making it customisable or just change it to /cloudron-login?
-
-
@cpa it's being tracked https://git.cloudron.io/cloudron/box/-/issues/822 . Note the issue tracker is internal, so you cannot see it.
-
-
@cpa the Proxy App has indeed moved to OIDC. I am not sure if pgadmin now has unauthenticated access. Without that, you cannot use Proxy App in Cloudron authentication mode. Are you able to use the Proxy App in 'Leave user management to the app' mode?
-
-
I've tried to use pgadmin and jupyter notebook under App Proxy today and I can confirm that the issue still exists, since /login/ locations are required by both apps but are also reserved for cloudron. Pretty annoying!
@joseph : this is not solved, can you unmark it?
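
The /login collision described in this thread, as an added example that is not part of the original posts and is not Cloudron or pgadmin code: a simplified model of an authenticating proxy with one reserved login route in front of an upstream that redirects to its own /login. The function names (`upstream`, `proxy`, `browse`) and the session handling are assumptions made for illustration; `/cloudron-login` is the alternative route name suggested above.

```python
from urllib.parse import urlsplit, parse_qs, quote

def upstream(path):
    """Model of the proxied app with no app session: its own login page is
    at /login and every other path redirects there (the 302s in the log)."""
    if path == "/login":
        return 200, "upstream login page"
    return 302, "/login?next=" + quote(path, safe="")

def proxy(url, has_session, reserved_login):
    """Model of an authenticating proxy that owns one reserved login route."""
    parts = urlsplit(url)
    if parts.path == reserved_login:      # reserved: never forwarded upstream
        return 200, "proxy login page"
    if not has_session:                   # unauthenticated: send to proxy login
        return 302, reserved_login + "?next=" + quote(parts.path, safe="")
    return upstream(parts.path)           # authenticated: forward the request

def browse(reserved_login, max_logins=3):
    """Follow redirects from "/", submitting valid proxy credentials each time
    the proxy login page appears. Returns (final page, trace of requests)."""
    url, has_session, logins, trace = "/", False, 0, []
    while logins <= max_logins:
        status, result = proxy(url, has_session, reserved_login)
        trace.append((url, status, result))
        if status == 302:
            url = result                  # browser follows the redirect
        elif result == "proxy login page":
            # Successful login: session is set, proxy sends us back to ?next=
            has_session, logins = True, logins + 1
            url = parse_qs(urlsplit(url).query).get("next", ["/"])[0]
        else:
            return result, trace
    return "login loop", trace

if __name__ == "__main__":
    for route in ("/login", "/cloudron-login"):
        page, trace = browse(route)
        print(f"reserved route {route}: ends at {page!r}")
        for url, status, result in trace:
            print(f"  GET {url} -> {status} {result}")
```

With the reserved route at /login the upstream's redirect is swallowed by the proxy and the user never leaves the proxy login page; with a distinct reserved route the request reaches the upstream's login page, giving the double login mentioned in the thread.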