-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proxy unix socket? #321
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
BTW, I realised this while writing a minimal example of a proxied application to check that I knew what was going on: hello_jupyter_proxy. |
Yes, that's correct. I thought the docs said (or used to say) this is recommended for use in a container or similar environment for exactly this reason.... can't seem to find any mention of this though 😞 I think the big difficulty is getting the proxied application to work with any of these solutions:
|
I realise I missed some context: I am looking at writing small applications specifically to be run through JSP. So I can make them work with a Unix socket from the start. 😉 Obviously this would be something apps opt into, but I think it's not that unusual for an application itself to listen on a Unix socket, and a proxy running separately expose that to TCP. And the context for that is that there are things where it might be helpful to give people a web app, but having one which is visible from outside is either a technical hassle (SSH tunnelling / proxy config) or an admin hassle (forwarding a public port; edit: and dealing with authentication). JSP offers a nice way round that - it's kind of like the HTTP equivalent of writing a GUI app and telling people to use it in remote desktop. |
I agree that this would be nice to have, even if not all web services support it. For example novnc/websockify (jupyter-desktop) supports unix sockets, but the open source version of rstudio (jupyter-rsession-proxy) does not. One could theoretically lock down a web service within a network namespace to prevent unauthorized access but to set that up I think you'd need elevated privileges. |
Thanks! Yes, I'm particularly interested in what can be done without special privileges - I don't have sudo access to our cluster. 🙂 In terms of the config, the least effort option would be to have a new entry in the config dictionary
|
I spent a little while looking into what this would take, and I think it should be fairly doable. The trickiest piece looks like the websocket support - tornado's I'll hopefully start working on this soon, if no-one says otherwise, but I'll leave websockets out of the first draft. |
I've had a go at this in #337. |
Proposed change
Where jupyter-server-proxy launches a process, allow a configuration option to specify that the process will listen on a Unix socket rather than TCP/IP. By default, I would assume that JSP creates a temp directory and invites the child process to make a socket inside it.
Our JupyterHub instance (optionally) runs single-user servers on a shared node, with each user's server running in their own system user account. In this scenario, I believe that once I've launched a proxied server, any other user can connect to it and make requests, either by going to
/proxy/<portno>
, or by running arbitrary code from a notebook or a terminal. I'd be happy to hear I'm wrong about this! Unix sockets can have permissions like files, so if you get these right, only the user a socket belongs to can connect to it.This also avoids the race condition where the parent picks an unused port, but then something else binds it before the child can. The parent process instead creates a temp directory to pass to the child.
This could also be extended to the explicit proxying, to allow a Unix socket path in place of host+port. But that gets more complicated, because you need to work out how much of the URL is the socket path, and how much is the path to forward in the HTTP request.
This was touched on in #1, but the focus of that is different. https://gist.github.com/bdarnell/8641880 contains an example of using tornado AsyncHTTPClient with a Unix socket - it probably needs updating, but the tornado docs look like something similar should still work.
Alternative options
request_headers_override
. But it relies on every application which might be sensitive implementing the check, and all parties ensuring the secret doesn't leak. Relying on the OS to block connections to Unix sockets seems safer - though I'm not a security expert.Who would use this feature?
(Optional): Suggest a solution
{port}
for the socket path? Or a new name?)The text was updated successfully, but these errors were encountered: