Thanks, Jarno! This is a good tip and it is similar to the one I posted last night. I am working on getting the SP entityID set up now (in the shib backend) -- after it gets set up I can try a few new things (including your suggestion).

--imam

On Mon, Oct 29, 2018 at 2:09 AM Jarno Huuskonen <[email protected]> wrote:

> Hi,
>
> Can you describe how you would like this (haproxy -> apache+shib ->
> jupyter?) setup ? (Perhaps with some kind of diagram with desired
> urls / ips etc).
>
> From what I understand you'd like to use public ip/url only on haproxy
> and everything else on private ip's (accessed only from the haproxy host).
>
> AFAIK something like this might work:
> haproxy listens on public ip:443 and sends all /jhub /Shibboleth.sso
> traffic to apache(shib)+jupyter backend server on port 8443(w/out ssl):
>
> haproxy:
> ...
> acl host_web3 path_beg /jhub
> acl host_web3_saml2 path_beg /Shibboleth.sso
> use_backend web3_cluster if host_web3 || host_web3_saml2
> ...
> backend web3_cluster
>     server apache_server_privateip:8443 check inter 2000 cookie w1
>     # If you've more than 1 server then you'll probably need persistence
>
> apache vhost (plain http vhost, no ssl configured)
> Listen 8443
> <VirtualHost *:8443>
>     HostnameLookups off
>     ServerName https://proxy.example.com
>     UseCanonicalName On
>     SetEnv HTTPS on
>
>     <Location /jhub> / <LocationMatch ...>
>     ... # your jupyter proxypass / shibboleth auth (remote_user)/ wss config
>     # Also make sure apache passes or sets:
>     # X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-For
> </VirtualHost>
>
> Configure shibboleth to use https://proxy.example.com/Shibboleth.sso
> urls.
>
> Configure jupyter to trust X- headers: NotebookApp.trust_xheaders
> and maybe you need to use NotebookApp.custom_display_url so jupyter
> knows it's url is https://proxy.example.com/jhub.
>
> -Jarno
>
> --
> Jarno Huuskonen
>

--
Regards,
*Imam Toufique*
*213-700-5485*
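
Added example, not part of the original thread and not Jupyter's or haproxy's own code: the quoted setup has the backend trust X-Forwarded-For / X-Real-Ip and X-Forwarded-Proto / X-Scheme on a plain-HTTP port, which is only sound when those headers are honoured for connections that actually come from the proxy. The sketch below shows that check; the proxy address `10.0.0.5` and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: haproxy's private address as seen by the backend (constructed value).
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.5/32"),)
ALLOWED_SCHEMES = {"http", "https"}


def _parse_ip(value):
    """Return a normalised IP string, or None if the value is not an IP address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def effective_request(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Resolve (client_ip, scheme) for a request on the plain-HTTP backend port.

    peer_ip is the address of the TCP peer; headers is a dict of request headers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Connection did not come through the proxy: ignore every X- header.
        return str(peer), "http"

    # The proxy appends the address it saw, so only the right-most
    # X-Forwarded-For entry is trustworthy; earlier entries are client-supplied.
    forwarded = h.get("x-forwarded-for", "")
    client = _parse_ip(forwarded.split(",")[-1]) if forwarded else None
    if client is None:
        # Fall back to X-Real-Ip, then to the peer address itself.
        client = _parse_ip(h.get("x-real-ip", "")) or str(peer)

    scheme = (h.get("x-forwarded-proto") or h.get("x-scheme") or "http").strip().lower()
    if scheme not in ALLOWED_SCHEMES:
        scheme = "http"
    return client, scheme
```

The same reasoning is why the backend port should be reachable only from the haproxy host: a client that can connect to port 8443 directly can otherwise supply these headers itself.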

