Documentation behind proxy

[fm75]

• Add / update documentation
• Add tests

This addresses issue #219.
Perhaps you won't consider this within the existing requirements because it does not strictly meet Pre-requisite 4 - a Public IP address. If we relax the public to mean that it is reachable from your audience, which is on the same private side of a proxy or proxies, then I think this is a good modification.

I thought about offering several choices for a one-line installer something like:

http_proxy=http://your.domain.here:port curl https://raw.githubusercontent.com/jupyterhub/the-littlest-jupyterhub/master/bootstrap/bootstrap.py | sudo python3 - --admin <admin-user-name>

but exporting the proxy information will be needed by the installer once bootstrap runs it.

Is there a better answer for the npm issue than just going insecure?
Any suggestions welcome.

[yuvipanda]

Thank you for the PR, and apologies for the late review! I like the sudo -E change, but left comments about the other change.

[fm75]

@yuvipanda Thanks for the review. I am sure you are busy with many other projects and I have appreciated your assistance.

When I get home, I will look at moving the issues to a new section of troubleshooting, as suggested. The issues in the two cloud solutions are about restarting problems, where mine are about installation problems.

If we like the issues there, I would still suggest a "red flag or warning" in the installation instructions that says something like, "if you need to go through a proxy" to reach github/PyPI, ... see the trouble-shooting section, first - so the user does not have to wait until it fails to learn about how to set up the proxy.

Some time in the next few days, I plan to reuse a different VM and will re-run this exercise, so that I can experiment with whether both http_proxy and https_proxy where needed. Does anybody know how npm is different (from pip/conda) w.r.t. security?

[yuvipanda]

The issues in the two cloud solutions are about restarting problems, where mine are about installation problems.

I think that's ok, hopefully those sections will grow to include more troubleshooting tips in the future!

If we like the issues there, I would still suggest a "red flag or warning" in the installation instructions that says something like, "if you need to go through a proxy" to reach github/PyPI, ... see the trouble-shooting section, first - so the user does not have to wait until it fails to learn about how to set up the proxy.

This sounds good to me. We can also possibly put this warning in bootstrap.py itself, if we can find ways to detect it.

Some time in the next few days, I plan to reuse a different VM and will re-run this exercise, so that I can experiment with whether both http_proxy and https_proxy where needed.

This is awesome and thank you for doing this. I'd count this as two separate things - HTTP / HTTPS proxy, and the certificates on the machine.

Does anybody know how npm is different (from pip/conda) w.r.t. security?

Can you tell me what aspects of security you are referring to?

[fm75]

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates
sudo npm config set strict-ssl false

The first line seemed to make the http stuff work.
I needed the second line or the npm install part failed.

[yuvipanda]

sudo npm config set strict-ssl false

seems extremely dangerous, since it basically turns off HTTPS certificate validation for npm (per https://docs.npmjs.com/misc/config#strict-ssl). I would be somewhat hestitant to recommend anyone do that in TLJH. Do you have any idea from your IT department (or whoever has setup these restrictions) what exactly they have done and why?

[fm75]

:) That is why I asked. Researching...

[fm75]

@yuvipanda If it is ok with you, I will close this PR, and give you a different one that I think addresses these issues.

But I have two questions before that.

• A public IP where the server can be accessed from the internet. (I think this can be relaxed, based on my success.) I am open to suggestions on rewording it
• This will take 5-10 minutes, and will say 'Done!' ... This is not currently true. I have added a separate issue Documentation inconsistent with install - minor #241 for it. Please advise.

[yuvipanda]

@fm75 that sounds like a good idea!

re: 'public IP', perhaps something like 'a way to access the instance from your browser (such as a public IP)'?

[fm75]

Ok - will tweak requirement 4 slightly.

[fm75]

@yuvipanda - I hope this properly addresses your concerns. Hoping to get this done so I can move onto the trouble-shooting issues.

[yuvipanda]

I'm happy with the text, but I would like this to be under docs/troubleshooting/providers/custom-server.rst, and a link to that from here instead.

[yuvipanda]

I chatted with @fm75 on Gitter. I'm going to merge this now, but do the move to the troubleshooting section myself later.

Thanks for the PR, @fm75