Redirect http to https for notebook #1460

Open
Carreau opened this issue Mar 1, 2012 · 11 comments
@Carreau
Member

Carreau commented Mar 1, 2012

(splitting #1459)

When running the notebook over https, I tend to forget it and enter the http URL.
Could it be possible to display a page that redirects to the same address but in https instead of having a 404?
Eventually after displaying a message.

Thanks.

@takluyver
Member

It probably doesn't even need a page, we can just send an HTTP redirect.

@Carreau
Member Author

Carreau commented Mar 1, 2012

Sure, but it might be confusing when using a self-generated certificate: the user might be forwarded directly to an "invalid certificate" page, which is strange with http.
I would prefer something like:
'This notebook server is over https, please update your bookmark. Redirecting in 3 seconds ...'

@ellisonbg
Member

Yes, if we do anything it should be a redirect. But I am not sure how this type of thing will work with tornado - don't know if it can do http+https easily.

@minrk
Member

minrk commented Mar 8, 2012

For reference, another project which has considered this issue: liftoff/GateOne#68

The easiest way to get half-way would be for our default http and https ports to be different, such that most users trying to access via http would be on 8888, while https would be on 9999. Then https mode could run a tiny http server on 8888 that does nothing but redirect to the https url. I don't know how many cases that would actually catch, though.
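
The redirect-only HTTP listener described in the comment above, as an added example (not code from IPython, Tornado or any participant in this thread). It uses Python's standard-library `http.server` instead of Tornado; `ALLOWED_HOSTS`, `split_host`, `https_location` and `RedirectToHTTPS` are hypothetical names, and the Host allow-list is an assumption added so the redirect target cannot be steered to another site.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTP_PORT = 8888   # plain-HTTP port named in the comment above
HTTPS_PORT = 9999  # HTTPS port named in the comment above
# Assumption: the hostnames this server is reached by. The Host header is
# client-controlled, so an unlisted value is never copied into Location.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}


def split_host(host_header):
    """Return the hostname part of a Host header, without the port."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8888
        return host[: host.find("]") + 1] if "]" in host else ""
    return host.rsplit(":", 1)[0] if ":" in host else host


def https_location(host_header, path):
    """Build the HTTPS URL for a request, or None if it must be refused."""
    host = split_host(host_header)
    if host not in ALLOWED_HOSTS:
        return None
    # Only origin-form paths are carried over; an absolute-form target
    # (http://other/...) or embedded CR/LF falls back to the root page.
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    return "https://%s:%d%s" % (host, HTTPS_PORT, path)


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Answers GET/HEAD with a redirect; other methods get the default 501."""

    def do_GET(self):
        target = https_location(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Unrecognized Host header")
            return
        # 302 rather than 301: browsers cache permanent redirects, which
        # would linger if the server is later run without TLS.
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", HTTP_PORT), RedirectToHTTPS).serve_forever()
```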

@ellisonbg
Member

I agree that http and https should use different ports, but I think it is overkill to always run an https server to handle this redirect for the single user notebook.

@minrk
Member

minrk commented May 8, 2012

I think we should close this, and mark it as a tornado feature request.

@ellisonbg
Member

tornadoweb/tornado#523

@ivanov
Member

ivanov commented Oct 26, 2012

reopening:

I keep running into this, particularly because one usually runs https to make the notebook accessible on multiple IP addresses, and the server prints a line that one can't copy-paste into the URL field (https://[all ip addresses on your system]:8888) - and I mechanically forget to make it http_s_ since one doesn't need that for the locally running http://127.0.0.1:8888/

Given that tornadoweb/tornado#523 has been closed, might we reconsider always having an HTTP entry point into our notebook application? (such as the http->https redirect @minrk mentioned for liftoff/GateOne#68)

@ivanov reopened this Oct 26, 2012

@bfroehle
Contributor

I'd rather not see us fork tornado or require any monkey patches. Perhaps we could revisit tornadoweb/tornado#523 and suggest that they add a hook _handle_ssl_error or similar which would allow us to subclass the SSLIOStream object for our purpose.

Running two servers on two ports seems like overkill, but perhaps others disagree...

@takluyver
Member

One of the tornado devs mentioned the possibility of using HSTS to tell the browser to always use HTTPS. So long as you're not switching between running the server with and without HTTPS, that could work.

We should check whether HSTS acts per-port or per-domain: if it's per-domain, that would interfere with any other local applications that run a web server.

@rgbkrk
Member

rgbkrk commented Aug 12, 2014

HSTS doesn't seem to work with non-standard ports. I went ahead and tried this out in #6293; testing showed a complete lack of redirects.

The only case I got to actually load and work "appropriately" was opening the notebook server on port 80 (with an SSL configuration setup):

```
$ sudo ipython notebook --port=80
[I 05:20:24.008 NotebookApp] Using existing profile dir: u'/Users/rgbkrk/.ipython/profile_default'
...
[I 05:20:24.163 NotebookApp] The IPython Notebook is running at: https://localhost:80/
...
```

Which is then putting TLS over port 80 (that made me feel dirty):

[Screenshot: screen shot 2014-08-12 at 5 22 41 am]
