Enable SSL on forwarded requests #169
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -1,3 +1,5 @@ | ||||||
import ssl | ||||||
|
||||||
from .handlers import setup_handlers, SuperviseAndProxyHandler | ||||||
from .config import ServerProxy, make_handlers, get_entrypoint_server_processes, make_server_process | ||||||
from notebook.utils import url_path_join as ujoin | ||||||
|
@@ -28,8 +30,19 @@ def load_jupyter_server_extension(nbapp): | |||||
server_handlers = make_handlers(base_url, server_proccesses) | ||||||
nbapp.web_app.add_handlers('.*', server_handlers) | ||||||
|
||||||
# Configure SSL support | ||||||
ssl_options = None | ||||||
if serverproxy.https: | ||||||
ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=serverproxy.cafile) | ||||||
Suggested change
The default value of
|
||||||
if serverproxy.certfile or serverproxy.keyfile: | ||||||
ssl_context.load_cert_chain(serverproxy.certfile, serverproxy.keyfile or None) | ||||||
else: | ||||||
ssl_context.load_default_certs() | ||||||
ssl_context.check_hostname = serverproxy.check_hostname | ||||||
ssl_options = ssl_context | ||||||
|
||||||
# Set up default handler | ||||||
setup_handlers(nbapp.web_app, serverproxy.host_whitelist) | ||||||
setup_handlers(nbapp.web_app, serverproxy.host_whitelist, ssl_options) | ||||||
|
||||||
launcher_entries = [] | ||||||
icons = {} | ||||||
|
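Review bot: The `if serverproxy.certfile or serverproxy.keyfile:` branch calls `load_cert_chain` even when only `keyfile` is configured, so `certfile` is passed as an empty string and the misconfiguration surfaces as a low-level error from the ssl module while the extension loads. Checking the pair explicitly gives the operator a clear message: `if serverproxy.keyfile and not serverproxy.certfile: raise ValueError("keyfile is set but certfile is empty")`, followed by `if serverproxy.certfile:` for the load itself. A short comment that this is the client certificate presented to the proxied service would also help, since the context is created with `ssl.Purpose.SERVER_AUTH`. The body of load_jupyter_server_extension starts and ends outside the hunk.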
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -2,7 +2,7 @@ | |||||
Traitlets based configuration for jupyter_server_proxy | ||||||
""" | ||||||
from notebook.utils import url_path_join as ujoin | ||||||
from traitlets import Dict, List, Union, default | ||||||
from traitlets import Bool, Dict, List, Unicode, Union, default | ||||||
from traitlets.config import Configurable | ||||||
from .handlers import SuperviseAndProxyHandler, AddSlashHandler | ||||||
import pkg_resources | ||||||
|
@@ -203,3 +203,51 @@ def host_whitelist(handler, host): | |||||
@default("host_whitelist") | ||||||
def _host_whitelist_default(self): | ||||||
return ["localhost", "127.0.0.1"] | ||||||
|
||||||
keyfile = Unicode( | ||||||
"", | ||||||
help=""" | ||||||
Path to optional SSL key. | ||||||
|
||||||
Use with `https=True` and `certfile`. | ||||||
""", | ||||||
config=True | ||||||
) | ||||||
|
||||||
certfile = Unicode( | ||||||
"", | ||||||
help=""" | ||||||
Path to optional SSL cert. | ||||||
|
||||||
Use with `https=True` and `keyfile`. | ||||||
""", | ||||||
config=True | ||||||
) | ||||||
|
||||||
cafile = Unicode( | ||||||
"", | ||||||
help=""" | ||||||
Path to optional CA file. | ||||||
|
||||||
Use with `https=True`. | ||||||
""", | ||||||
config=True | ||||||
) | ||||||
|
||||||
https = Bool( | ||||||
False, | ||||||
help=""" | ||||||
Whether to use SSL for forwarded client requests. | ||||||
|
||||||
If this is set to `True` then you should provide a path to an SSL key, | ||||||
Suggested change
|
||||||
cert, and CA. Use this if the proxied service expects to service | ||||||
requests over SSL. | ||||||
""", | ||||||
config=True | ||||||
) | ||||||
Comment on lines
+207
to
+247
Is it possible to get all this SSL information from mybinder (which uses SSL)? |
||||||
|
||||||
check_hostname = Bool( | ||||||
False, | ||||||
help="Whether to check hostname.", | ||||||
config=True | ||||||
) |
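Review bot: `check_hostname` defaults to `False`, and the extension file assigns it straight onto the context (`ssl_context.check_hostname = serverproxy.check_hostname`), overriding the hostname check that `ssl.create_default_context` enables. With `https=True` and otherwise default settings, the proxy would accept any certificate that chains to a trusted CA, whatever name it was issued for. Defaulting to `True` keeps verification intact and makes the relaxed mode an explicit opt-in: `check_hostname = Bool(True, help="Verify that the proxied server's certificate matches the hostname being connected to.", config=True)`. If the `False` default is intentional for backends on localhost, the help text should say so and state what is no longer verified.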
If we set up the context like this, do we also get all the "normal" CAs or only the one in the `cafile`? "Normal" CAs in this case would be those that your OS trusts.