Redirect http to https for notebook #1460
It probably doesn't even need a page, we can just send an HTTP redirect.
Sure, but it might be confusing when using a self-generated certificate: the user might directly be forwarded to an "invalid certificate" page, which is strange with http.
Yes, if we do anything it should be a redirect. But I am not sure how this type of thing will work with tornado - don't know if it can do http+https easily.
For reference, another project which has considered this issue: liftoff/GateOne#68. The easiest way to get half-way would be for our default http and https ports to be different, such that most users trying to access via http would be on 8888, while https would be on 9999. Then https mode could run a tiny http server on 8888 that does nothing but redirect to the https url. I don't know how many cases that would actually catch, though.
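The redirect-only listener proposed in the comment above (plain HTTP on 8888 pointing at HTTPS on 9999), as an added example that is not code from the notebook project or from tornado. It uses Python's standard-library `http.server` instead of tornado, and `ALLOWED_HOSTS`, `https_location` and `make_server` are hypothetical names chosen for this illustration.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

HTTP_PORT = 8888   # plain-HTTP port suggested in the thread
HTTPS_PORT = 9999  # HTTPS port suggested in the thread
# Assumption: the only names this single-user server should answer to.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}


def https_location(host_header, raw_path):
    """Return the https:// URL to redirect to, or None to refuse the request."""
    try:
        # Parse Host as a URL authority: drops the port and any "user@" prefix.
        host = urlsplit("//" + (host_header or "")).hostname
    except ValueError:
        return None
    # Never echo an unchecked Host header into Location (open redirect).
    if host not in ALLOWED_HOSTS:
        return None
    # Accept origin-form targets only (rejects absolute-form URLs and "*").
    if not raw_path.startswith("/"):
        return None
    if "\r" in raw_path or "\n" in raw_path:  # no header injection
        return None
    return "https://%s:%d%s" % (host, HTTPS_PORT, raw_path)


class RedirectHandler(BaseHTTPRequestHandler):
    def _redirect(self):
        target = https_location(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Bad Host header or request target")
            return
        # 308 preserves the method, so a POST is not replayed as a GET.
        self.send_response(308)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = _redirect


def make_server(port=HTTP_PORT):
    # Bind to loopback only; a wider bind needs a matching ALLOWED_HOSTS.
    return ThreadingHTTPServer(("127.0.0.1", port), RedirectHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```

The redirect only helps from the second request on: whatever the client put in the initial plain-HTTP request (a token in the URL, a cookie, a POST body) has already crossed the network unencrypted.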
I agree that http and https should use different ports, but I think it is overkill to always run an https server to handle this redirect for the single user notebook.
I think we should close this, and mark it as a tornado feature request.
Reopening: I keep running into this, particularly because one usually runs https to make the notebook accessible on multiple IP addresses, and the server prints a line that one can't copy-paste into the URL field ( given that tornadoweb/tornado#523 has been closed, might we reconsider always having an HTTP entry point into our notebook application? (such as the http->https redirect @minrk mentioned for liftoff/GateOne#68)
I'd rather not see us fork tornado or require any monkey patches. Perhaps we could revisit tornadoweb/tornado#523 and suggest that they add a hook. Running two servers on two ports seems like overkill, but perhaps others disagree...
One of the tornado devs mentioned the possibility of using HSTS to tell the browser to always use HTTPS. So long as you're not switching between running the server with and without HTTPS, that could work. We should check whether HSTS acts per-port or per-domain: if it's per-domain, that would interfere with any other local applications that run a web server.
HSTS doesn't seem to work with non-standard ports. I went ahead and tried this out in #6293, testing showed a complete lack of redirects. The only case I got to actually load and work "appropriately" was opening the notebook server on port 80 (with an SSL configuration setup):
Which is then putting TLS over port 80 (that made me feel dirty):
(splitting #1459)
When running the notebook over https, I tend to forget it and enter the http url.
Could it be possible to display a page that redirects to the same address but in https, instead of having a 404?
Eventually after displaying a message.
Thanks.