Good Day,

Im finding it hard to resolve 2 issues with newly installed TLJH in docker container with systemd support when using reverse proxy.

1. Kernel doesn’t connect.

2. Terminal isn’t available via web.

   

   image418×576 58.7 KB

Proxy Config

/rda/jupyterh

# Consolidated WebSocket proxy for JupyterHub/JupyterLab endpoints

user/.*/terminals/websocket/.* | user/.*/api/kernels/.*/channels | user/.*/api/events

<LocationMatch “^/rda/jupyterh/(user/.*/(terminals/websocket/.*|api/kernels/.*/channels|api/events))”>
ProxyPreserveHost On
RequestHeader set “X-Forwarded-Host” expr=%{SERVER_NAME}
RequestHeader set “X-Forwarded-Proto” “https”
RequestHeader set “X-Forwarded-Port” “443”
ProxyPass ws://hostname.domain:8000/rda/jupyterh/
ProxyPassReverse ws://hostname.domain:8000/rda/jupyterh/

       # regular http proxy
       Rewriterule  ^/rda/jupyterh$ /rda/jupyterh/ \[R,NC\]

<Location /rda/jupyterh/>
ProxyPreserveHost On
RequestHeader set “X-Forwarded-Host” expr=%{SERVER_NAME}
RequestHeader set “X-Forwarded-Proto” “https”
RequestHeader set “X-Forwarded-Port” “443”
RequestHeader set “X-Real-IP” expr=%{REMOTE_ADDR}
ProxyPass http://hostname.domain:8000/rda/jupyterh/
ProxyPassReverse http://hostname.domain:8000/rda/jupyterh/

tljh-config show

users:
admin:

• admin

user_environment:
default_app: jupyterlab

base_url: /rda/jupyterh/
bind_url: http://127.0.0.1:8000/

log_level: DEBUG

My eventual aim is to enable OAuthenticator with ORCID as the Identity Provider but want to 1st get over this hurdle before attempting OAuth, currently using native auth for now.

It makes sense that both kernels and terminals don’t connect - these are the two websocket connections. It means the reverse proxy isn’t proxying websocket requests.

The documentation has an example apache configuration that should work. Notably:

• you do not need to know what paths will have websockets on them, a single Location should do (no (terminals|websocket…) needed)
• ProxyPass should point to 127.0.0.1, not hostname.domain
• You need some config like this to handle websockets:

• # Use RewriteEngine to handle WebSocket connection upgrades
  RewriteEngine On
  RewriteCond %{HTTP:Connection} Upgrade [NC]
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteRule /(.*) ws://127.0.0.1:8000/$1 [P,L]
  

Thank you for the response, I should clarify that apache reverse proxy server is running on completely separate machine and used as corporate proxy server handling all SSL. Hence ProxyPass ws://hostname.domain:8000/rda/jupyterh/ where hostname.domain is the host machine where TLJH container is running.

Ah, that makes sense. Then it should be just the rewrite engine and still remove the per-path Location for websockets.

Thanks - it worked, also needed to do few exceptions on BigIP