Dockerize pgAdmin - The CSRF tokens do not match

6

7

I've been trying to fix an issue: when I try to log in to pgAdmin (in a Docker container) behind an Nginx proxy, I get an error saying "The CSRF tokens do not match".

See https://en.wikipedia.org/wiki/Cross-site_request_forgery

Frankly, I'm not sure whether the problem is related to nginx or not, but the configuration files are below:

Docker Swarm Service:

pgAdmin:
  image: dpage/pgadmin4
  networks:
    - my-network
  ports:
    - 9102:80
  environment:
    - PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL}
    - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}
    - PGADMIN_CONFIG_SERVER_MODE=True
  volumes:
    - /home/docker-container/pgadmin/persist-data:/var/lib/pgadmin
    - /home/docker-container/pgadmin/persist-data/servers.json:/pgadmin4/servers.json
  deploy:
    placement:
      constraints: [node.hostname == my-host-name]

Nginx Configuration:

# HTTPS virtual host that proxies to the pgAdmin service
server {
    listen 443 ssl;
    server_name my-server-name;

    location / {
        proxy_pass http://pgAdmin/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Copies the value of the incoming X-pgA-CSRFToken request header into X-CSRF-Token
        proxy_set_header X-CSRF-Token $http_x_pga_csrftoken;
    }

    ssl_certificate /home/nginx/ssl/certificate.crt;
    ssl_certificate_key /home/nginx/ssl/private.key;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_prefer_server_ciphers on;
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name my-server-name;
    return 301 https://my-server-name$request_uri;
}

I am able to access pgAdmin in two ways:

  1. The first way is via the direct host IP, like 172.23.53.2:9102
  2. The second way is via the Nginx proxy.

When I access pgAdmin via the direct host IP there is no error, but when I access it via DNS (like my-server.pgadmin.com) I get an error when I log in to the pgAdmin dashboard.

The error is :

Bad Request. The CSRF tokens do not match.

My first guess about this error is that nginx does not pass the CSRF token header to pgAdmin. For this reason I've changed the nginx configuration file many, many times, but I'm still getting this error.

What could be the source of this error, and how can I solve this problem?

Jurel answered 10/12, 2020 at 11:43 Comment(1)
I've forgotten to say that Nginx is also running in a Docker container. - Jurel
2

Try to use the default ports "5050:80". It solved the same issue on my side.

Using strings is also recommended.

Cf: https://docs.docker.com/compose/compose-file/compose-file-v3/#ports

Seaborg answered 2/5, 2021 at 12:22 Comment(2)
What if the port is already in use, for a second container also using pgadmin? - Cabinet
@LewyBlue then this might be useful: pgadmin.org/docs/pgadmin4/latest/… ... merging your pgAdmin instances into one by using an extended servers.json could probably simplify the setup. - Seaborg
1

I had the same problem.

What Worked:

  • Disabling the proxy feature in Cloudflare.

What didn't Work:

  • Purging the cache on cloudflare
  • Adding PGADMIN_CONFIG_WTF_CSRF_CHECK_DEFAULT: "False"
Sorn answered 21/6, 2023 at 17:44 Comment(0)
0

I used pgAdmin 4 deployed with Apache httpd; the deployment method is similar, and I had the same problem. My solution was to have Apache httpd load the APR/APR-util/PCRE libraries; Apache httpd will then use the token.

Copyedit answered 16/12, 2020 at 2:17 Comment(0)
0

As a workaround you can disable the CSRF checks in pgAdmin using Docker's environment. From the pgAdmin Docker docs:

PGADMIN_CONFIG_* This is a variable prefix that can be used to override any of the configuration options in pgAdmin’s config.py file. Add the PGADMIN_CONFIG_ prefix to any variable name from config.py and give the value in the format ‘string value’ for strings, True/False for booleans or 123 for numbers.

In your Dockerfile add a

PGADMIN_CONFIG_WTF_CSRF_CHECK_DEFAULT=False

Flask will receive a WTF_CSRF_CHECK_DEFAULT=False.

Saberio answered 21/6, 2023 at 8:22 Comment(0)
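What the check that this workaround switches off verifies, as an added example (not code from this page, pgAdmin or Flask-WTF): a standard-library model of Flask-WTF-style validation, assuming pgAdmin's check behaves the same way. The secret, function names and sample sessions are constructed here; the rejection messages follow Flask-WTF's wording.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"  # assumption: stands in for the app's SECRET_KEY
TIME_LIMIT = 3600                    # seconds; Flask-WTF's default WTF_CSRF_TIME_LIMIT

def _sign(raw: str, issued: int) -> str:
    return hmac.new(SECRET, f"{raw}.{issued}".encode(), hashlib.sha256).hexdigest()

def generate_csrf(session: dict, now: int) -> str:
    """Keep one random value per session; hand the client a signed, timestamped copy."""
    raw = session.setdefault("csrf_token", secrets.token_hex(20))
    return f"{raw}.{now}.{_sign(raw, now)}"

def validate_csrf(session: dict, token: str, now: int) -> str:
    """Return 'ok' or the rejection reason, checked in the same order as Flask-WTF."""
    if not token:
        return "The CSRF token is missing."
    if "csrf_token" not in session:  # request carried no (or a brand-new) session
        return "The CSRF session token is missing."
    try:
        raw, issued, sig = token.split(".")
        issued_at = int(issued)
    except ValueError:
        return "The CSRF token is invalid."
    if not hmac.compare_digest(sig.encode(), _sign(raw, issued_at).encode()):
        return "The CSRF token is invalid."
    if now - issued_at > TIME_LIMIT:
        return "The CSRF token has expired."
    if not hmac.compare_digest(session["csrf_token"].encode(), raw.encode()):
        return "The CSRF tokens do not match."  # valid token, but from another session
    return "ok"

def demo() -> dict:
    """Constructed scenarios: one token replayed against four server-side states."""
    t0 = 1_700_000_000
    login_page = {}                  # session that rendered the login form
    token = generate_csrf(login_page, t0)
    other = {}                       # a different session holding its own token
    generate_csrf(other, t0)
    return {
        "same session": validate_csrf(login_page, token, t0 + 5),
        "different session": validate_csrf(other, token, t0 + 5),
        "stale token": validate_csrf(login_page, token, t0 + TIME_LIMIT + 1),
        "no session cookie": validate_csrf({}, token, t0 + 5),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the error from the question appears only in the "different session" case, so the session cookie sent with the login page load and with the login POST is the value to compare when tracing a request through the proxy.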
0

The same problem was solved for me when I disabled the proxy feature in Cloudflare, but the browser says that my connection is not secure with the same SSL/TLS certificate set in the nginx proxy.

Tswana answered 19/7, 2023 at 19:5 Comment(0)
0

Maybe it is a problem with token expiration caused by an unsynchronized clock. Try adding these lines to volumes.

    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

Afterwards, you need to clear all your browser cache (an anonymous tab will not be sufficient if you already opened pgAdmin in a non-anonymous tab). In the Firefox history, you can clear the cache for only one site by right-clicking the site and using the option 'forget this site'.

Bussard answered 8/10, 2023 at 19:35 Comment(0)
