Jupyterhub with subdomains: escaping usernames

Anton_Akhmerov · December 23, 2022, 10:57pm

I’m trying to set up a jupyterhub with subdomains for extra security (preparing for the RTC ). I have configured c.JupyterHub.subdomain_host = "https://{{ jupyterhub_hostname }}", wildcard DNS and SSL and everything worked out great… until a user with a dot in a username showed up, let’s say anton.akhmerov. That user gets a sub-subdomain anton.akhmerov.jupyterhub.tld, which has no certificate. Is there a known workaround? In case it’s relevant, I’m running jupyterhub 3.1.0.

EDIT it seems it’s a known issue (see snippet below); any suggestions for a workaround?

github.com

jupyterhub/jupyterhub/blob/49c518940bbdedbaf9037d463bcf455c794e5e3f/jupyterhub/user.py#L567


      
          
          
@property
          def domain(self):
              """Get the domain for my server."""
          
          
    return _dns_quote(self.name) + '.' + self.settings['domain']
          
          
@property
          def host(self):
              """Get the *host* for my server (proto://domain[:port])"""
              # FIXME: escaped_name probably isn't escaped enough in general for a domain fragment
              parsed = urlparse(self.settings['subdomain_host'])
              h = f'{parsed.scheme}://{self.domain}'
              if parsed.port:
                  h += ':%i' % parsed.port
              return h
          
          
@property
          def url(self):
              """My URL

Anton_Akhmerov · December 24, 2022, 8:06pm

I have fixed this by monkey-patching

jupyterhub.user._dns_needs_replace = set(string.ascii_letters + string.digits + '-%')

in jupyterhub_config.py.

I’ve opened the issue below:

github.com/jupyterhub/jupyterhub

Dot should not be an allowed domain name character

opened 08:05PM - 24 Dec 22 UTC

akhmerov

bug

### Bug description If a username contains a period and subdomains are enable…d, they will get a sub-subdomain now because this code doesn't mind sub-subdomains: https://github.com/jupyterhub/jupyterhub/blob/49c518940bbdedbaf9037d463bcf455c794e5e3f/jupyterhub/user.py#L58-L60 I believe, however, that this doesn't match a common use case. For example, wildcard certificates don't support multilevel nesting, if I understand correctly. #### Expected behaviour Dot isn't considered a `_dns_safe` character.

Topic		Replies	Views
Jupyterhub User Subdomaining on K3S Zero to JupyterHub on Kubernetes help-wanted	1	497	November 8, 2022
Jupyterhub subdomain and SSL JupyterHub	2	1170	June 4, 2020
Interpreting the Security Docs JupyterHub jupyterlab , jupyterhub , help-wanted , security	4	290	May 24, 2024
Jupyterhub user server : The filled server name is inconsistent with the generated pod name? The Littlest JupyterHub jupyterlab , jupyterhub	2	621	September 29, 2021
User subdomains: OAuth state missing Zero to JupyterHub on Kubernetes help-wanted	12	58	October 22, 2024

Jupyterhub with subdomains: escaping usernames

Related topics