hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-15 14:03:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #417 from minrk/require-confirm-insecure

Browse Source 
require confirmation for JupyterHub to run without SSL
This commit is contained in:
Kyle Kelley
2016-02-05 19:27:37 -06:00
parent 010db6ce72 ce8d782220
commit 6e1425e2c0
3 changed files with 28 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/source/changelog.md
View File

@@ -2,6 +2,12 @@
See `git log` for a more detailed summary. See `git log` for a more detailed summary.
## 0.5
- Single-user server must be run with Jupyter Notebook ≥ 4.0
- Require `--no-ssl` confirmation to allow the Hub to be run without SSL (e.g. behind SSL termination in nginx)
## 0.4 ## 0.4
### 0.4.1 ### 0.4.1

20
jupyterhub/app.py
View File

@@ -87,6 +87,9 @@ flags = {
'no-db': ({'JupyterHub': {'db_url': 'sqlite:///:memory:'}}, 'no-db': ({'JupyterHub': {'db_url': 'sqlite:///:memory:'}},
"disable persisting state database to disk" "disable persisting state database to disk"
), ),
'no-ssl': ({'JupyterHub': {'confirm_no_ssl': True}},
"Allow JupyterHub to run without SSL (SSL termination should be happening elsewhere)."
),
} }
SECRET_BYTES = 2048 # the number of bytes to use when generating new secrets SECRET_BYTES = 2048 # the number of bytes to use when generating new secrets
@@ -209,6 +212,11 @@ class JupyterHub(Application):
def _template_paths_default(self): def _template_paths_default(self):
return [os.path.join(self.data_files_path, 'templates')] return [os.path.join(self.data_files_path, 'templates')]
confirm_no_ssl = Bool(False, config=True,
help="""Confirm that JupyterHub should be run without SSL.
This is **NOT RECOMMENDED** unless SSL termination is being handled by another layer.
"""
)
ssl_key = Unicode('', config=True, ssl_key = Unicode('', config=True,
help="""Path to SSL key file for the public facing interface of the proxy help="""Path to SSL key file for the public facing interface of the proxy
@@ -800,6 +808,18 @@ class JupyterHub(Application):
cmd.extend(['--ssl-key', self.ssl_key]) cmd.extend(['--ssl-key', self.ssl_key])
if self.ssl_cert: if self.ssl_cert:
cmd.extend(['--ssl-cert', self.ssl_cert]) cmd.extend(['--ssl-cert', self.ssl_cert])
# Require SSL to be used or `--no-ssl` to confirm no SSL on
if ' --ssl' not in ' '.join(cmd):
if self.confirm_no_ssl:
self.log.warning("Running JupyterHub without SSL."
" There better be SSL termination happening somewhere else...")
else:
self.log.error(
"Refusing to run JuptyterHub without SSL."
" If you are terminating SSL in another layer,"
" pass --no-ssl to tell JupyterHub to allow the proxy to listen on HTTP."
)
self.exit(1)
self.log.info("Starting proxy @ %s", self.proxy.public_server.bind_url) self.log.info("Starting proxy @ %s", self.proxy.public_server.bind_url)
self.log.debug("Proxy cmd: %s", cmd) self.log.debug("Proxy cmd: %s", cmd)
try: try:

1
jupyterhub/tests/mocking.py
View File

@@ -108,6 +108,7 @@ class MockHub(JupyterHub):
"""Hub with various mock bits""" """Hub with various mock bits"""
db_file = None db_file = None
confirm_no_ssl = True
def _ip_default(self): def _ip_default(self):
return '127.0.0.1' return '127.0.0.1'