Technical Reference: Using a reverse proxy

Hi,

I am attempting to use a reverse proxy and I followed the instructions on this page.

In response to errors, I have modified the jupyterhub.conf like this:

# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
    listen 80;
    server_name HUB.DOMAIN.TLD;

    # Tell all requests to port 80 to be 302 redirected to HTTPS
    return 302 https://$host$request_uri;
}

# HTTPS server to handle JupyterHub
server {
    listen 443 ssl;

    server_name HUB.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/HUB.DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/HUB.DOMAIN.TLD/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    # Managing literal requests to the JupyterHub front end
    location / {
        proxy_pass http://127.0.0.1:8010;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # websocket headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Scheme $scheme;

        proxy_buffering off;
    }

    # Managing requests to verify letsencrypt host
    location ~ /.well-known {
        allow all;
    }
}

When I reload nginx, I get the following errors:

Jul 12 06:50:30 vps-cad992f1 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 12 06:50:30 vps-cad992f1 systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Jul 12 06:51:57 vps-cad992f1 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Jul 12 06:51:57 vps-cad992f1 nginx[96644]: nginx: [emerg] invalid number of arguments in "ssl" directive in /etc/nginx/sites-enabled/jupyterhub.conf:21
Jul 12 06:51:57 vps-cad992f1 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 12 06:51:57 vps-cad992f1 systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Jul 12 06:53:33 vps-cad992f1 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Jul 12 06:53:33 vps-cad992f1 nginx[96660]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/HUB.DOMAIN.TLD/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system libra>
Jul 12 06:53:33 vps-cad992f1 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 12 06:53:33 vps-cad992f1 systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
lines 1-29/29 (END)

What is wrong with this jupyterhub.conf file? I attempted to resolve the errors with solutions found on the net, but it changed nothing.

OS: Ubuntu 20.10
JupyterHub: version 1.0.0
Nginx: nginx/1.18.0 (Ubuntu)

This indicates there’s an error in your Nginx configuration file. Is this the full configuration file?

It’s the full configuration file of the JupyterHub site (/etc/nginx/sites-available/jupyterhub.conf). On my server I have another site (/etc/nginx/sites-available/mywebsite.conf), but it works well, because the errors appeared when I created this jupyterhub.conf configuration file.

Someone else may be able to spot the Nginx configuration problem, if not you’ll have to step through line by line to figure out the issue.

One thing you could try is to proxy JupyterHub with http only, check it’s working, then add subsets of your SSL configuration back in.
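A preflight check in the spirit of the step-by-step approach suggested above, as an added example that is not part of the original thread: before SSL directives are added back, it lists every file-path directive in the server block and reports whether the file is readable or whether the path still contains the documentation placeholder HUB.DOMAIN.TLD. The function names and the sample configuration are constructed for illustration; the readability test assumes the script runs as the same user that starts nginx.

```shell
#!/bin/sh
# Added example: check the TLS file directives of an nginx site config.

# Print "directive path status" for each directive that names a file on disk.
# status is one of: ok | missing | placeholder
check_tls_paths() {
    conf=$1
    # Drop comments, then keep only the directives that take a file path.
    sed 's/#.*//' "$conf" |
    awk '$1 ~ /^(ssl_certificate|ssl_certificate_key|ssl_dhparam)$/ {
             sub(/;$/, "", $2); print $1, $2 }' |
    while read -r directive path; do
        case $path in
            *HUB.DOMAIN.TLD*) status=placeholder ;;  # docs placeholder not replaced
            *) if [ -r "$path" ]; then status=ok; else status=missing; fi ;;
        esac
        printf '%s %s %s\n' "$directive" "$path" "$status"
    done
}

# Number of directives whose file cannot be loaded as written.
count_tls_problems() {
    check_tls_paths "$1" | awk '$3 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample config (not the poster's file): one placeholder path,
# one missing key, one existing dhparam file, one commented-out directive.
make_sample_conf() {
    dir=$1
    : > "$dir/dhparam.pem"
    cat > "$dir/jupyterhub.conf" <<EOF
server {
    listen 443 ssl;
    # ssl_certificate /commented/out.pem;
    ssl_certificate /etc/letsencrypt/live/HUB.DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key $dir/privkey.pem;
    ssl_dhparam $dir/dhparam.pem;
}
EOF
    printf '%s\n' "$dir/jupyterhub.conf"
}

tmp=$(mktemp -d)
sample=$(make_sample_conf "$tmp")
check_tls_paths "$sample"
echo "problems: $(count_tls_problems "$sample")"
rm -rf "$tmp"
```

Point `check_tls_paths` at the real site file, then run `nginx -t` before reloading so a remaining syntax error is reported without touching the running server.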

Thanks. Without the SSL configuration I don’t have errors, but these links don’t work:
(Citation from https://jupyterhub.readthedocs.io/en/stable/reference/config-proxy.html)

Now restart nginx, restart the JupyterHub, and enjoy accessing https://HUB.DOMAIN.TLD while serving other content securely on https://NO_HUB.DOMAIN.TLD.