[WIP]: allow running single-user servers on subdomains

relies on CHP's host-based routing (a feature I didn't add!) requires wildcard DNS and wildcard SSL for a proper setup still lots to workout and cleanup in terms of cookies and where to use host, domain, path, but it works locally.
2025-10-14 21:43:01 +00:00 · 2016-02-22 16:45:50 +01:00
parent 6e7fc0574e
commit b54bfad8c2
6 changed files with 108 additions and 13 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -230,8 +230,20 @@ class JupyterHub(Application):
        """
    )
    ip = Unicode('', config=True,
-        help="The public facing ip of the proxy"
+        help="The public facing ip of the whole application (the proxy)"
    )
+    
+    subdomain_host = Unicode('', config=True,
+        help="""The public-facing host (domain[:port]) on which the Hub will run.
+        
+        Only used when subdomains are involved.
+        """
+    )
+    def _subdomain_host_default(self):
+        # FIXME: use xip.io for debugging
+        return (self.ip or '127.0.0.1') + '.xip.io:%i' % self.port
+    
+    
    port = Integer(8000, config=True,
        help="The public facing port of the proxy"
    )
@@ -248,6 +260,18 @@ class JupyterHub(Application):
        help="Supply extra arguments that will be passed to Jinja environment."
    )
    
+    use_subdomains = Bool(True, config=True,
+        help="""Run single-user servers on subdomains.
+        
+        Provides additional cross-site protections for client-side js.
+        
+        Requires <username>.hub.domain.tld to resolve to the same host as hub.domain.tld.
+        
+        In general, this is most easily achieved with wildcard DNS.
+        
+        When using SSL (i.e. always) this also requires a wildcard cert.
+        """)
+    
    proxy_cmd = Command('configurable-http-proxy', config=True,
        help="""The command to start the http proxy.
        
@@ -769,6 +793,9 @@ class JupyterHub(Application):
            )
            self.db.add(self.proxy)
            self.db.commit()
+        if self.use_subdomains:
+            # assert not ip-address (self.ip)
+            assert self.subdomain_host
        self.proxy.auth_token = self.proxy_auth_token # not persisted
        self.proxy.log = self.log
        self.proxy.public_server.ip = self.ip
@@ -809,6 +836,8 @@ class JupyterHub(Application):
            '--api-port', str(self.proxy.api_server.port),
            '--default-target', self.hub.server.host,
        ]
+        if self.use_subdomains:
+            cmd.append('--host-routing')
        if self.debug_proxy:
            cmd.extend(['--log-level', 'debug'])
        if self.ssl_key:
@@ -893,6 +922,8 @@ class JupyterHub(Application):
        else:
            version_hash=datetime.now().strftime("%Y%m%d%H%M%S"),
        
+        subdomain_host = self.subdomain_host
+        domain = subdomain_host.rsplit(':', 1)[0]
        settings = dict(
            log_function=log_request,
            config=self.config,
@@ -915,6 +946,9 @@ class JupyterHub(Application):
            template_path=self.template_paths,
            jinja2_env=jinja_env,
            version_hash=version_hash,
+            use_subdomains=self.use_subdomains,
+            subdomain_host=subdomain_host,
+            domain=domain,
        )
        # allow configured settings to have priority
        settings.update(self.tornado_settings)