Hi there,
Is there a way to redirect http to https in order to access Jupyter Lab? (using a cluster in AWS)
Or is this something that I have to add on top using K8s Egress or a reverse proxy?
Best,
Nolan
Hmmmm yes! But how that can be done depends on how traffic is intercepted.
For example, I use the nginx-ingress controller; it will read a kubernetes Ingress file, take incoming traffic and shuttle it to the right destination based on what it found in the ingress files it has read. So, I could add an annotation to the kubernetes ingress resource. This works for me and my specific ingress controller for example (see this documentation for that).

```yaml
ingress:
  annotations:
    # This is enabled by default on nginx-ingress-controllers with TLS termination anyhow though...
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
```
But, perhaps JupyterHub itself can notice it received traffic on http and redirect also?
Yes I think this would do the trick!

```yaml
hub:
  extraConfig:
    myExtraConfig: |
      c.ConfigurableHTTPProxy.command = ['configurable-http-proxy', '--redirect-port', '80']
```

Or, your specific ingress controller can be adjusted based on an annotation on your Ingress resource created by the helm chart through the values in config.yaml that you pass, under ingress.annotations?
Unfortunately it looks like:

```yaml
hub:
  extraConfig:
    myExtraConfig: |
      c.ConfigurableHTTPProxy.command = ['configurable-http-proxy', '--redirect-port', '80']
```

does not work.
@emirot for clarity, how does it not work? You arrive at jupyterhub that serves you content at http:// ?
@consideRatio Yes sorry, exactly what you said jupyterlab still serves content on http:// and https://
All in all, I don't fully grasp this subject. I'm quite confused that an incoming http:// request doesn't redirect when --redirect-port 80 was provided as the docs describe this as a redirect-to-https kind of description.
So, my path to understanding would be to ask more questions... ^^
Can you describe how your TLS (https) certificates are used to do the TLS termination (https decryption)?
How does your config.yaml look in the proxy.https section?
Are you using something fancy of AWS to do https termination for you?
@consideRatio I'm using AWS for the certificates, here is the config block you might be interested in:

```yaml
proxy:
  secretToken: "****"
  https:
    enabled: true
    type: offload
  service:
    annotations:
      dns.alpha.kubernetes.io/external: jupyter-lab.**.com
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "******" # amazon certif
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      # Which ports should use SSL
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
```

Then the hub looks like:

```yaml
hub:
  extraConfig:
    myExtraConfig: |
      c.ConfigurableHTTPProxy.command = ['configurable-http-proxy', '--redirect-port', '80']
    jupyterlab: |
      c.Spawner.cmd = ['jupyter-labhub']
```

@consideRatio I'm also thinking about another alternative using network policy and only accepting incoming and outgoing network traffic from 443 in the proxy. I'm using 0.8.2.

```yaml
proxy:
  networkPolicy:
    enabled: true
    egress:
      - ports:
          - port: 443
            protocol: TCP
    ingress:
      - ports:
          - port: 443
            protocol: TCP
```

It doesn't seem to work and it doesn't change the config:

```
kubectl describe networkpolicies proxy -n jhub
```

Gives:

```
Name:         proxy
Namespace:    jhub
Created on:   2019-07-03 21:53:27 +0200 CEST
Labels:       app=jupyterhub
              chart=jupyterhub-0.8.2
              component=proxy
              heritage=Tiller
              release=jhub
Annotations:  <none>
Spec:
  PodSelector: app=jupyterhub,component=proxy,release=jhub
  Allowing ingress traffic:
    To Port: 80/TCP
    To Port: 443/TCP
    To Port: 8000/TCP
    To Port: 8080/TCP
    To Port: 10254/TCP
    From: <any> (traffic not restricted by source)
    ----------
    To Port: 8000/TCP
    From PodSelector: hub.jupyter.org/network-access-proxy-http=true
    ----------
    To Port: 8001/TCP
    From PodSelector: hub.jupyter.org/network-access-proxy-api=true
  Allowing egress traffic:
    To Port: 443/TCP
    To: <any> (traffic not restricted by source)
  Policy Types: Ingress, Egress
```

I don't understand why the syntax is different; sometimes protocol and port are not in the same order.
Like in the documentation: https://zero-to-jupyterhub.readthedocs.io/en/0.8.2/security.html
it's:

```yaml
ingress:
  - ports:
      - port: 80
        protocol: TCP
```

```yaml
ingress:
  - ports:
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443
      {{- if not $autoHTTPS }}
      - protocol: TCP
        port: 8000
      {{- end }}
```

I don't understand how values are interpolated in: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/jupyterhub/templates/proxy/netpol.yaml
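
An added example, not part of the original thread or of the chart's code: a small parser for the `kubectl describe networkpolicies` output quoted above that reports which ingress ports remain reachable from any source, which is a quick way to confirm whether a `proxy.networkPolicy` override really narrowed the proxy down to 443. The function names and the embedded sample (constructed from the output above) are this example's own.

```python
import re

# Constructed sample: the ingress/egress part of the describe output quoted in the thread.
DESCRIBE_OUTPUT = """\
  Allowing ingress traffic:
    To Port: 80/TCP
    To Port: 443/TCP
    To Port: 8000/TCP
    To Port: 8080/TCP
    To Port: 10254/TCP
    From: <any> (traffic not restricted by source)
    ----------
    To Port: 8000/TCP
    From PodSelector: hub.jupyter.org/network-access-proxy-http=true
    ----------
    To Port: 8001/TCP
    From PodSelector: hub.jupyter.org/network-access-proxy-api=true
  Allowing egress traffic:
    To Port: 443/TCP
    To: <any> (traffic not restricted by source)
"""

def parse_ingress_rules(text):
    """Return one {"ports": [(port, proto), ...], "from": str} dict per ingress rule."""
    rules, current, in_ingress = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        port = re.match(r"To Port: (\d+)/(\w+)", line)
        if line.startswith("Allowing ingress traffic"):
            in_ingress, current = True, {"ports": [], "from": None}
        elif line.startswith(("Allowing egress traffic", "Policy Types")):
            in_ingress = False  # egress ports must not be counted as ingress
        elif in_ingress and set(line) == {"-"}:  # dashed line separates rules
            rules.append(current)
            current = {"ports": [], "from": None}
        elif in_ingress and port:
            current["ports"].append((int(port.group(1)), port.group(2)))
        elif in_ingress and line.startswith("From"):
            current["from"] = line[len("From"):].lstrip(": ")
    if current and current["ports"]:
        rules.append(current)
    return rules

def open_to_any(rules, allowed=frozenset({443})):
    """Ports reachable from any source that are not in `allowed`."""
    return sorted(port for rule in rules if (rule["from"] or "").startswith("<any>")
                  for port, _proto in rule["ports"] if port not in allowed)
```

On the sample, `open_to_any(parse_ingress_rules(DESCRIBE_OUTPUT))` still lists 80, 8000, 8080 and 10254, matching the observation that the override did not change the rendered policy.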
I'm closing this as it's quite old, if you still have problems could you please post on the community forum? Thanks!