Mining is a problem for any public BinderHub instance, especially those without authentication. By far the simplest way to eliminate mining is to use an allow list for egress traffic instead of a block list. This doesn't work for everyone, but many deployments can get away with a relatively simple, and an easy mechanism for users to ask for destinations to be added. Actually enforcing such an allow list is not obvious, though, so we should document what's involved with example configurations.
I believe @yuvipanda has deployed this before, but it's not easy to discover/replicate. Providing documentation and recommendations for folks to start with a safer, more secure starting deployment would benefit everyone deploying BinderHub.
Proposed change
Mining is a problem for any public BinderHub instance, especially those without authentication. By far the simplest way to eliminate mining is to use an allow list for egress traffic instead of a block list. This doesn't work for everyone, but many deployments can get away with a relatively simple, and an easy mechanism for users to ask for destinations to be added. Actually enforcing such an allow list is not obvious, though, so we should document what's involved with example configurations.
I believe @yuvipanda has deployed this before, but it's not easy to discover/replicate. Providing documentation and recommendations for folks to start with a safer, more secure starting deployment would benefit everyone deploying BinderHub.