Using app proxy with pgadmin

cpa

I'm trying to use the app proxy to proxy to my pgadmin container (which is only available on a private network), but I can't make it work.

Here's the setup:

• pgadmin is available on 10.0.A.B:5050 (started as a container). I've tested a direct connection through a ssh tunnel, it works
• cloudron has a public interface and a private one (10.0.C.D), which can reach pgadmin (tested too)
• I created an app proxy to http://10.0.A.B:5050, available to all users

What happens:

• I get the cloudron login page and when I log in (with the correct credentials) it redirects to the same login page
• In the pgadmin logs I see (213.X.Y.186 is the IP address of my laptop, not the one of my cloudron instance):

pgadmin4_container  | 213.X.Y.186 - - [04/Sep/2023:07:38:42 +0000] "GET / HTTP/1.1" 302 217 "https://pgadmin.domain.net/login?next=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0"
pgadmin4_container  | ::ffff:10.0.C.D - - [04/Sep/2023:07:38:50 +0000] "GET / HTTP/1.1" 302 217 "-" "Mozilla (CloudronHealth)"

Note that hitting directly https://pgadmin.domain.net/login?next=%2F from my browser yields the same behavior (infinite cloudrin login page).

What I was expecting:

• After logging with my cloudron credentials, I was expecting to see the pgadmin login page

It seems related to this, although that's unresolved.

girish

@cpa To simplify things, can you install the app proxy without authentication first. Does it work without auth ?

cpa

Without authentication, it does work as intended (I get the pgadmin login page and can log in).

girish

@cpa I looked into this now. I deployed based on instructions at https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html . As you said, without auth in the proxy, it works fine.

For making it work with auth in the proxy, we need a way to disable auth in pgadmin. AFAICT, this is not possible. What happens is: cloudron proxy authenticates and forwards to pgadmin. But pgadmin redirects to /login since it needs authentication as well. The /login is a route reserved by the proxy (the proxy's own login page). So, the whole setup is untenable. Even if pgadmin used some other route, we will still have double login (once for cloudron and again for pgadmin).

cpa

I see, that's a bummer, since the login route isn't configurable by either pgadmin or cloudron. Btw, I wouldn't mind the double login (I just don't want to expose a pgadmin instance publicly, even with auth).

That being said, the reserved /login route may cause trouble down the road as it is a very common route. Maybe consider making it customisable or just change it to /cloudron-login?

girish

@cpa yeah, cloudron-login is reasonable. We are moving over the proxy auth to oidc, so the routes get automatically renamed.

cpa

Not sure what that means/implies, but looks like you think that'll be the right way to solve this so good enough for me! Should I create a ticket for this change somewhere?

girish

@cpa it's being tracked https://git.cloudron.io/cloudron/box/-/issues/822 . Note the issue tracker is internal, so you cannot see it.

cpa

Hi! Just checking on the status of this issue/improvement. Has it been implemented? I couldn't find any info in the docs.

girish

@cpa the Proxy App has indeed moved to OIDC. I am not sure if pgadmin now has unathenticated access. Without that, you cannot use Proxy App in Cloudron authentication mode. Are you able to use the Proxy App in 'Leave user management to the app' mode?

cpa

I've tried to use pgadmin and jupyter notebook under App Proxy today and I can confirm that the issue still exists, since /login/ locations are required by both apps but are also reserved for cloudron. Pretty annoying !

@joseph : this is not solved, can you unmark it?