hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-15 14:03:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add info on updates and Qualsys SSL analyzer to docs

Browse Source
This commit is contained in:
Carol Willing
2016-09-07 22:00:33 -07:00
parent 8ca321ecc3
commit 0b14e89404
1 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/source/getting-started.md
View File

@@ -218,7 +218,7 @@ security configuration:
2. Cookie secret (a key for encrypting browser cookies) 2. Cookie secret (a key for encrypting browser cookies)
3. Proxy authentication token (used for the Hub and other services to authenticate to the Proxy) 3. Proxy authentication token (used for the Hub and other services to authenticate to the Proxy)
## SSL encryption ### SSL encryption
Since JupyterHub includes authentication and allows arbitrary code execution, you should not run Since JupyterHub includes authentication and allows arbitrary code execution, you should not run
it without SSL (HTTPS). This will require you to obtain an official, trusted SSL certificate or it without SSL (HTTPS). This will require you to obtain an official, trusted SSL certificate or
@@ -249,7 +249,7 @@ Note: In certain cases, e.g. **behind SSL termination in nginx**, allowing no SS
running on the hub may be desired. To run the Hub without SSL, you must opt running on the hub may be desired. To run the Hub without SSL, you must opt
in by configuring and confirming the `--no-ssl` option, added as of [version 0.5](./changelog.html). in by configuring and confirming the `--no-ssl` option, added as of [version 0.5](./changelog.html).
## Cookie secret ### Cookie secret
The cookie secret is an encryption key, used to encrypt the browser cookies used for The cookie secret is an encryption key, used to encrypt the browser cookies used for
authentication. If this value changes for the Hub, all single-user servers must also be restarted. authentication. If this value changes for the Hub, all single-user servers must also be restarted.
@@ -291,7 +291,7 @@ You can also set the secret in the configuration file itself as a binary string:
c.JupyterHub.cookie_secret = bytes.fromhex('VERY LONG SECRET HEX STRING') c.JupyterHub.cookie_secret = bytes.fromhex('VERY LONG SECRET HEX STRING')
``` ```
## Proxy authentication token ### Proxy authentication token
The Hub authenticates its requests to the Proxy using a secret token that the Hub and Proxy agree upon. The value of this string should be a random string (for example, generated by `openssl rand -hex 32`). You can pass this value to the Hub and Proxy using either the `CONFIGPROXY_AUTH_TOKEN` environment variable: The Hub authenticates its requests to the Proxy using a secret token that the Hub and Proxy agree upon. The value of this string should be a random string (for example, generated by `openssl rand -hex 32`). You can pass this value to the Hub and Proxy using either the `CONFIGPROXY_AUTH_TOKEN` environment variable:
@@ -313,6 +313,17 @@ subprocess of the Hub, this should happen automatically (this is the default con
Another time you must set the Proxy authentication token yourself is if you want other services, such as [nbgrader](https://github.com/jupyter/nbgrader) to also be able to connect to the Proxy. Another time you must set the Proxy authentication token yourself is if you want other services, such as [nbgrader](https://github.com/jupyter/nbgrader) to also be able to connect to the Proxy.
### Security audits
We recommend that you do periodic reviews of your deployment's security. It's
good practice to keep JupyterHub, configurable-http-proxy, and nodejs up to
date.
A handy website for testing your deployment is
[Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html).
## Authentication and users ## Authentication and users
The default Authenticator uses [PAM][] to authenticate system users with their username and password. The default Authenticator uses [PAM][] to authenticate system users with their username and password.