consolidate trusted alt names

- trust subdomain_host by default - JupyterHub.trusted_alt_names is inherited by Spawners by default. Do we need Spawner.ssl_alt_names to be separately configurable?
2025-10-07 18:14:10 +00:00 · 2018-10-16 15:46:50 +02:00
parent 9a45f4a8c9
commit eb7648abc2
3 changed files with 14 additions and 5 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -1216,6 +1216,8 @@ class JupyterHub(Application):
                self.internal_ssl_components_trust)

            default_alt_names = ["IP:127.0.0.1", "DNS:localhost"]
+            if self.subdomain_host:
+                default_alt_names.append("DNS:%s" % urlparse(self.subdomain_host).hostname)
            # The signed certs used by hub-internal components
            try:
                internal_key_pair = certipy.store.get_record("hub-internal")
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -28,7 +28,7 @@ from tornado.ioloop import PeriodicCallback
 from traitlets.config import LoggingConfigurable
 from traitlets import (
    Any, Bool, Dict, Instance, Integer, Float, List, Unicode, Union,
-    observe, validate,
+    default, observe, validate,
 )

 from .objects import Server
@@ -696,6 +696,8 @@ class Spawner(LoggingConfigurable):
        """
        return s.format(**self.template_namespace())

+    trusted_alt_names = List(Unicode())
+
    ssl_alt_names = List(
        Unicode(),
        config=True,
@@ -705,6 +707,13 @@ class Spawner(LoggingConfigurable):
        or set at runtime by Spawner that know their names.
        """
    )
+
+    @default('ssl_alt_names')
+    def _default_ssl_alt_names(self):
+        # by default, use trusted_alt_names
+        # inherited from global app
+        return list(self.trusted_alt_names)
+
    ssl_alt_names_include_local = Bool(
        True,
        config=True,
--- a/jupyterhub/utils.py
+++ b/jupyterhub/utils.py
@@ -189,11 +189,9 @@ async def wait_for_http_server(url, timeout=10, ssl_context=None):
    """
    loop = ioloop.IOLoop.current()
    tic = loop.time()
-    settings = None
-    if ssl_context:
-        settings = {"ssl_options": ssl_context}
-    AsyncHTTPClient.configure(None, defaults=settings)
    client = AsyncHTTPClient()
+    if ssl_context:
+        client.ssl_options = ssl_context
    async def is_reachable():
        try:
            r = await client.fetch(url, follow_redirects=False)