Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apache: set X-Forwarded-Proto header #3808

Merged
merged 1 commit into from
Mar 1, 2022
Merged

Apache: set X-Forwarded-Proto header #3808

merged 1 commit into from
Mar 1, 2022

Conversation

manics
Copy link
Member

@manics manics commented Feb 28, 2022
edited
Loading

This should ensure JupyterHub correctly compares the protocol used for the request (e.g. https) with the protocol from the referrer when checking for cross-site requests in the admin pages.

Closes #3780

@rzo1 @tobi45 would you mind checking this matches your configuration?

Preview of the rendered docs is at https://jupyterhub--3808.org.readthedocs.build/en/3808/reference/config-proxy.html#apache

@manics manics mentioned this pull request Feb 28, 2022
Closed
rzo1
rzo1 approved these changes Mar 1, 2022
View reviewed changes
Copy link
Contributor

@rzo1 rzo1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This matches our current configuration - so should work fine.

However, I would suggest to update the SSL/TLS configuration (to a more modern config) in an other PR.

tobi45
tobi45 approved these changes Mar 1, 2022
View reviewed changes
Copy link

@tobi45 tobi45 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can confirm that adding that line solves #3780.

WebSocket-Config and Proxy-Configuration matches my apache config.

@consideRatio
Copy link
Member

I would suggest to update the SSL/TLS configuration (to a more modern config)

@rzo1 are you referring to this section?

  # configure SSL
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/HUB.DOMAIN.TLD/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/HUB.DOMAIN.TLD/privkey.pem
  SSLProtocol All -SSLv2 -SSLv3
  SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/dhparam.pem
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

I think indeed that would be important to keep updated, preferably with a comment next to it saying that it may needs to be updated over time and perhaps also with a link to some helpful resource on how to do it?

I've never worked with Apache and won't try this myself. If you want, please open a PR! For reference, this is some related configuration I did of a proxy server accepting HTTPS traffic: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/38c694b3c9a0a53f846379fd418a4a718eb073b7/jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml#L89-L108

@rzo1
Copy link
Contributor

rzo1 commented Mar 1, 2022

@rzo1 are you referring to this section?

Yes. A good reference is offered by Mozilla: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

We could link it in the documentation (or in a comment). I can provide a PR after this one is merged.

@consideRatio consideRatio merged commit 76f06a6 into jupyterhub:main Mar 1, 2022
@manics manics deleted the apache-x-forwarded-proto branch March 1, 2022 13:37
@rzo1 rzo1 mentioned this pull request Mar 3, 2022
Merged
cemacrr added a commit to cemac/jupyterhub_provisioning that referenced this pull request Mar 17, 2022
@cemacrr
Update Apache config
a8b01fa 
Ensure protocol is maintianed for forwarded requests to avoid
breakage with newer juypterhub.

See:

  jupyterhub/jupyterhub#3780
  jupyterhub/jupyterhub#3808
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@consideRatio consideRatio consideRatio approved these changes

@rzo1 rzo1 rzo1 approved these changes

@tobi45 tobi45 tobi45 approved these changes

Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Apache ReverseProxy not working with Hub 2.0.1 and later.
4 participants
@manics @consideRatio @rzo1 @tobi45