"'_xsrf' argument missing from POST" (PUT request) for jupyterlab extension behind nginx reverse proxy #6425
Labels
bug
pkg:services
status:resolved-locked
Closed issues are locked after 30 days inactivity. Please open a new issue for related discussion.
Milestone
I am running a jupyter notebook with enabled jupyterlab extension behind an nginx reverse proxy.
The jupyter notebooks part works fine. URLs of the type
https://server/base/tree
or
https://server/base/notebooks/Untitled1.ipynb
are proxied, the _xsrf cookie is forwarded and various kernels work.
Accessing
https://server/base/lab
All requests work except for a PUT request to
https://server/base/lab/api/workspaces/base/lab?1559052959210
which comes back as 403. After the 403 log line, jupyter notebook also logs:
This failure is silent on the client side, the lab GUI does completely load.
Trying to open anything from the launcher or a file yield another PUT request which returns 403 with the jupyter log again. This time the GUI reports the error and also displays a second error when something in the launcher was clicked:
I am reporting this here, because this may a configuration error in the proxy or a bug in jupyterlab, as jupyter notebook in the same instance works without problems. However, it does not appear to use PUT requests.
Sending that same PUT request to the same proxy, only to a different path which it forwarded to a stub which only echoes the received request shows that the _xsrf cookie is not stripped.
On the other hand, when by passing the proxy (via a port forwarded through SSH) and talking directly to the jupyter notebook instance this problem does not occur.
This does seem to have something to do with the Proxy, but not actually with the _xsrf missing.
What could the error
be caused by, assuming the _xsrf cookie is actually present? Could it actually be some security policy in jupyterlab which is triggered by some client or host headers being inconsistent, but which is not checked by in jupyter notebook, or something like this?
I guess as a feature request, I would like to ask for a more helpful error message.
pip3 show ...:
Update: nginx is not the problem
There is another apache responsible for both Shibboleth authentication and SSL termination in front of the nginx. When talking directly to the nginx jupyterlab works.
This for one forwards the initial https request as plain http and sets some headers as well a introducing a _shibsession_xxx=xxx cookie. However, rewriting the cookie header to only contain the _xsrf cookie does not fix the problem and jupyterlab still complains, that _xsrf is missing.
Maybe the apache is the problem. In any case the error message form jupyterlab seems to be wrong. Actually removing the _xsrf cookie leads all GET requests to fail too. Can anyone tell what could be different about that PUT request?
The text was updated successfully, but these errors were encountered: