jupyterhub / zero-to-jupyterhub-k8s

Helm Chart & Documentation for deploying JupyterHub on Kubernetes
https://zero-to-jupyterhub.readthedocs.io

proxy.https.type=offload: Can CHP redirect requests originally being HTTP requests to HTTPS? #1190

Closed arturozv closed 2 years ago

arturozv commented 5 years ago

We are putting together a JupyterHub POC in AWS/EKS.

We have a working setup for HTTPS with offload to an AWS ELB using annotations for the load balancer (docs).

The hub can still be accessed by using HTTP and we are trying to set up a redirect to HTTPS. According to the AWS docs this can't be done at the ELB level.

Is there an alternative to set up an nginx in front of the jhub proxy?

Thank you!

Contents of config.yaml

  service:
    annotations:
      # https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws
      # Certificate ARN
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "{sslcertarn}"
      # The protocol to use on the backend, we use TCP since we're using websockets
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      # Which ports should use SSL
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"

cslovell commented 5 years ago

This is also something we'd need for our setup -- hope to hear soon how this can be done!

manics commented 5 years ago

I don't have any experience with EKS, but could you use an ingress? https://kubernetes.io/docs/concepts/services-networking/ingress/

arturozv commented 5 years ago

> I don't have any experience with EKS, but could you use an ingress? https://kubernetes.io/docs/concepts/services-networking/ingress/

I thought about that way, but adding another proxy on top of Tornado doesn't seem like a clean solution...

manics commented 5 years ago

I wouldn't say it's "unclean". Load-balanced-ingress proxying to (a potentially multi-layer) backend-app is a pretty common pattern.

cslovell commented 5 years ago

We just ended up using Cloudflare and it has a feature that does this automagically...

consideRatio commented 3 years ago

I explored and documented this in #1811, but for that PR to get merged, I'll need help with review by people with a proxy.https.type=offload setup.

rpwagner commented 3 years ago

Hi,

I'm not sure if this question is best answered here, in #1811, or on Discourse. I'm testing an EKS-based deployment and when I configure c.JupyterHub.subdomain_host, I end up with a redirect loop error. Wildcard DNS and certs are set up, and I've configured SSL termination in the ELB.

Any suggestions, @consideRatio? I'd be glad to test #1811 if that's relevant to what I'm seeing.

Thanks

--Rick

Minimal configuration for testing:

proxy:
  secretToken: "<a token>"
  https:
    enabled: true
    type: offload
  service:
    annotations:
      # Certificate ARN
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<an arn>"
      # The protocol to use on the backend, we use TCP since we're using websockets
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      # Which ports should use SSL
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
hub:
  config:
    JupyterHub:
      subdomain_host: 'https://<FQDN>'

Helm command

RELEASE=jhub
NAMESPACE=jhub
helm upgrade --cleanup-on-fail \
  --install $RELEASE jupyterhub/jupyterhub \
  --namespace $NAMESPACE \
  --create-namespace \
  --version=0.11.1 \
  --values config.yaml

consideRatio commented 2 years ago

I think maybe yes? This would be the CHP feature enabled by the --redirect-port and --redirect-to flags, right? See https://github.com/jupyterhub/configurable-http-proxy#command-line-options.

So, with the proxy.chp.extraCommandLineFlags configuration of the Helm chart, I think it could be possible.

https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/a28bb23737f8d66ec3b13db902c262f6b20e4c48/jupyterhub/templates/proxy/deployment.yaml#L100-L102

I'll close this as stale/resolved.