eoas-ubc / eoas_tlef

developing jupyter courseware for eoas 2020
BSD 3-Clause "New" or "Revised" License

document how to install jupyterhub proxy #42

Open phaustin opened 3 years ago

phaustin commented 3 years ago
slemonide commented 3 years ago

This is just for https, right?

phaustin commented 3 years ago

that's right, we just want to be able to securely send real passwords to the jupyterhub login page, and to use github or cwl oauth to authorize a new user on the jupyterhub. nginx, traefik, whatever, but being able to autorenew letsencrypt would be very nice

phaustin commented 3 years ago

I'd like to be able to whitelist my friends at other universities to collaborate, using their github username.

CharlesKrzysik commented 3 years ago

I already have SSL coming from nginx. I used *.eoas SSL cert. Now looking at auth.

Cheers,

Charles


phaustin commented 3 years ago

@CharlesKrzysik -- it does look like the nginx proxy is working just fine with kubespawner on jupyterhub.eoas.ubc.ca -- does that provide any clues as to why it's refusing to connect with dockerspawner on a301_hub?

CharlesKrzysik commented 3 years ago

This fixed the issue:

```nginx
# Map the client's Upgrade header to the Connection value sent upstream:
# "upgrade" for WebSocket handshakes, "close" for everything else.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name a301_hub.eoas.ubc.ca;

    ssl_certificate           /certs/eoas.pem;
    ssl_certificate_key       /certs/key.pem;

    #ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/jupyterhub.access.log;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Forward the WebSocket upgrade handshake to the hub.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass          http://node07.eos.ubc.ca:8082;
        proxy_read_timeout  90;

        # proxy_redirect takes the upstream's URL first and its replacement
        # second, so backend Location headers become the public HTTPS URL.
        proxy_redirect      http://node07.eos.ubc.ca:8082 https://a301_hub.eoas.ubc.ca;
    }
}
```

Cheers,

Charles.
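A small check for three settings the config above depends on, as an added example that is not part of the original thread or the project's code: it flags TLS versions deprecated by RFC 8996 in `ssl_protocols`, a missing WebSocket upgrade (`proxy_http_version 1.1` plus the `Upgrade` and `Connection` headers), and a `proxy_redirect` whose first argument is the public URL. The function names, `hub.example.org` and the sample configs are constructed for illustration; the parser assumes simple directives with no `;`, `#` or braces inside quotes.

```python
import re

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def directives(conf):
    """Yield (name, args) for each directive, with '#' comments stripped."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf, public_url):
    """Return findings for an nginx server block that fronts a JupyterHub."""
    findings, headers, version = [], {}, None
    for name, args in directives(conf):
        if name == "ssl_protocols":
            findings += ["deprecated protocol: " + p for p in args if p in DEPRECATED]
        elif name == "proxy_http_version" and args:
            version = args[0]
        elif name == "proxy_set_header" and len(args) == 2:
            headers[args[0].lower()] = args[1]
        # proxy_redirect: first argument is what upstream sends, second replaces it.
        elif name == "proxy_redirect" and args and args[0].startswith(public_url):
            findings.append("proxy_redirect rewrites the public URL to the backend")
    if (version != "1.1" or headers.get("upgrade") != "$http_upgrade"
            or "connection" not in headers):
        findings.append("WebSocket upgrade is not forwarded")
    return findings

# Constructed sample configs; hub.example.org and 127.0.0.1:8000 are placeholders.
TEMPLATE = """
server {
    ssl_protocols %s;
    location / {
        %s
        proxy_pass http://127.0.0.1:8000;
        proxy_redirect %s;
    }
}
"""
BEFORE = TEMPLATE % ("TLSv1 TLSv1.1 TLSv1.2", "proxy_set_header Host $host;",
                     "https://hub.example.org http://127.0.0.1:8000")
AFTER = TEMPLATE % ("TLSv1.2 TLSv1.3",
                    "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; "
                    "proxy_set_header Connection $connection_upgrade;",
                    "http://127.0.0.1:8000 https://hub.example.org")
if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, "https://hub.example.org"))
```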


phaustin commented 3 years ago

So @CharlesKrzysik for my own education, can you explain how we get away without having the websocket section in the reference example?

https://jupyterhub.readthedocs.io/en/stable/reference/config-proxy.html

phaustin commented 3 years ago

never mind, I see it now

CharlesKrzysik commented 3 years ago

I used baseline nginx proxy instructions from nginx.com/blog. It worked on other examples, so I am not sure why it failed in this particular case.

On a different note, for authentication do you want to use GitHub:

https://github.com/jupyterhub/oauthenticator via https://tljh.jupyter.org/en/latest/howto/auth/github.html ?

Shibboleth and CWL will take some time as there are several steps on our side and Central.

Charles.


phaustin commented 3 years ago

yes, I think github for my nodes -- cwl for the M235 nodes