From c4c51106fa58a01c485eb3b1f585a6818296e971 Mon Sep 17 00:00:00 2001
From: George Hunt
Date: Sat, 17 Apr 2021 00:05:18 +0100
Subject: [PATCH 1/3] get nginx to proxy websockets correctly
---
 .../templates/jupyterhub-nginx.conf | 42 +++++++++++--------
 roles/nginx/templates/nginx.conf.j2 | 9 ++++
 2 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/roles/jupyterhub/templates/jupyterhub-nginx.conf b/roles/jupyterhub/templates/jupyterhub-nginx.conf
index 301ab2a41..6758458e9 100644
--- a/roles/jupyterhub/templates/jupyterhub-nginx.conf
+++ b/roles/jupyterhub/templates/jupyterhub-nginx.conf
@@ -1,20 +1,26 @@
-location /jupyterhub {
- proxy_pass http://127.0.0.1:8000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-NginX-Proxy true;
+location /jupyterhub {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-NginX-Proxy true;
+ }
- # websocket headers
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- #proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Scheme $scheme;
+# Managing WebHook/Socket requests between hub user servers and external proxy
+ location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_buffering off;
-}
-
-# Managing requests to verify letsencrypt host
-location ~ /.well-known {
- allow all;
-}
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ #proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Scheme $scheme;
+ proxy_buffering off;
+ }
+ # Managing requests to verify letsencrypt host
+ location ~ /.well-known {
+ allow all;
+ }
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 10f33f72f..10fc4cfda 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
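Review bot: The new WebSocket `location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/?` regex has no `^` anchor and no `/jupyterhub` prefix, so it matches that path fragment anywhere in any URI handled by the server block this file is included into. nginx prefers a matching regex location over a plain prefix location, so any other application on the same server whose URLs contain `/terminals/websocket` or `/api/kernels/<id>/channels` would be proxied to 127.0.0.1:8000 instead of its own handler. Scoping the rule to the hub's base path, for example `location ~* ^/jupyterhub/(.+/)?(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/?`, keeps it to JupyterHub traffic; the exact prefix should be checked against the hub's configured base URL. The moved `location ~ /.well-known` has the same shape (unescaped dot, no anchor), and `location ^~ /.well-known/` would be tighter.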
@@ -67,6 +67,15 @@ http {
 # gzip_buffers 16 8k;
 # gzip_http_version 1.1;
 # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ # top-level http config for websocket headers
+ # If Upgrade is defined, Connection = upgrade
+ # If Upgrade is empty, Connection = close
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
 ##
 # Virtual Host Configs
 ##
From fae7a07368e06378c1af0644365dde165dae092f Mon Sep 17 00:00:00 2001
From: George Hunt
Date: Sat, 17 Apr 2021 05:02:00 +0100
Subject: [PATCH 2/3] uncomment websocket upgrade line
---
 roles/jupyterhub/templates/jupyterhub-nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/jupyterhub/templates/jupyterhub-nginx.conf b/roles/jupyterhub/templates/jupyterhub-nginx.conf
index 6758458e9..2911a5d5a 100644
--- a/roles/jupyterhub/templates/jupyterhub-nginx.conf
+++ b/roles/jupyterhub/templates/jupyterhub-nginx.conf
@@ -16,7 +16,7 @@ location /jupyterhub {
 # WebSocket support
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- #proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Connection $connection_upgrade;
 proxy_set_header X-Scheme $scheme;
 proxy_buffering off;
 }
From 77cf77d07458cc6210bbe14d6f5e803142ab00dd Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 17 Apr 2021 11:43:04 +0000
Subject: [PATCH 3/3] Lint jupyterhub-nginx.conf & nginx.conf etc, for maintainability
---
 roles/jupyterhub/tasks/enable-or-disable.yml | 2 +-
 roles/jupyterhub/tasks/install.yml | 16 +--
 .../templates/jupyterhub-nginx.conf | 47 +++----
 roles/nginx/templates/nginx.conf.j2 | 125 +++++++++---------
 4 files changed, 95 insertions(+), 95 deletions(-)
diff --git a/roles/jupyterhub/tasks/enable-or-disable.yml b/roles/jupyterhub/tasks/enable-or-disable.yml
index 1c8a720cc..8aa7c0e57 100644
--- a/roles/jupyterhub/tasks/enable-or-disable.yml
+++ b/roles/jupyterhub/tasks/enable-or-disable.yml
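Review bot: In PATCH 2/3, enabling `proxy_set_header Connection $connection_upgrade;` makes this template depend on the `map $http_upgrade $connection_upgrade` block that lives in a different role (roles/nginx/templates/nginx.conf.j2). nginx refuses to load a configuration that references an undefined variable. On a host where jupyterhub-nginx.conf is installed but nginx.conf has not been re-templated, the next reload or restart would therefore fail for every site, not only JupyterHub. A comment above the line such as `# requires the $connection_upgrade map in nginx.conf (roles/nginx)` and an `nginx -t` check before the reload would make the dependency explicit. The `location /jupyterhub {` text on the hunk header is only git's nearest column-0 line; the changed line sits inside the WebSocket regex location, which starts outside this hunk.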
@@ -18,7 +18,7 @@ when: not jupyterhub_enabled -- name: 'Install from template: {{ nginx_conf_dir }}/jupyterhub-nginx.conf' +- name: "Install from template: {{ nginx_conf_dir }}/jupyterhub-nginx.conf" template: src: jupyterhub-nginx.conf dest: "{{ nginx_conf_dir }}/" diff --git a/roles/jupyterhub/tasks/install.yml b/roles/jupyterhub/tasks/install.yml index 26ea0cb01..8f35b418c 100644 --- a/roles/jupyterhub/tasks/install.yml +++ b/roles/jupyterhub/tasks/install.yml @@ -16,11 +16,11 @@ - name: Make the directories to hold JupyterHub config file: state: directory - path: '{{ item }}' + path: "{{ item }}" with_items: - - '{{ jupyterhub_venv }}/etc/jupyter' - - '{{ jupyterhub_venv }}/etc/jupyterhub' - - '{{ jupyterhub_venv }}/etc/systemd' + - "{{ jupyterhub_venv }}/etc/jupyter" + - "{{ jupyterhub_venv }}/etc/jupyterhub" + - "{{ jupyterhub_venv }}/etc/systemd" - name: Use npm to install configurable-http-proxy npm: @@ -28,7 +28,7 @@ global: yes state: latest -- name: 'Use pip to install into a virtual environment: {{ jupyterhub_venv }}' +- name: "Use pip to install into a virtual environment: {{ jupyterhub_venv }}" pip: name: - pip @@ -45,12 +45,12 @@ extra_args: "--no-cache-dir" when: internet_available -- name: 'Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py' +- name: "Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py" template: src: jupyterhub_config.py - dest: '{{ jupyterhub_venv }}/etc/jupyterhub/' + dest: "{{ jupyterhub_venv }}/etc/jupyterhub/" -- name: 'Install from template: /etc/systemd/system/jupyterhub.service' +- name: "Install from template: /etc/systemd/system/jupyterhub.service" template: src: jupyterhub.service dest: /etc/systemd/system/ diff --git a/roles/jupyterhub/templates/jupyterhub-nginx.conf b/roles/jupyterhub/templates/jupyterhub-nginx.conf index 2911a5d5a..6d098f861 100644 --- a/roles/jupyterhub/templates/jupyterhub-nginx.conf +++ b/roles/jupyterhub/templates/jupyterhub-nginx.conf 
@@ -1,26 +1,27 @@
-location /jupyterhub {
- proxy_pass http://127.0.0.1:8000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-NginX-Proxy true;
- }
+location /jupyterhub {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-NginX-Proxy true;
+}
 # Managing WebHook/Socket requests between hub user servers and external proxy
- location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
- proxy_pass http://127.0.0.1:8000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # WebSocket support
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Scheme $scheme;
- proxy_buffering off;
- }
- # Managing requests to verify letsencrypt host
- location ~ /.well-known {
- allow all;
- }
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Scheme $scheme;
+ proxy_buffering off;
+}
+
+# Managing requests to verify letsencrypt host
+location ~ /.well-known {
+ allow all;
+}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 10fc4cfda..3ffcbcd9b 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -7,91 +7,90 @@ pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { - worker_connections 768; - # multi_accept on; + worker_connections 768; + # multi_accept on; } http { - ## - # Basic Settings - ## + ## + # Basic Settings + ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; - # server_tokens off; + # server_tokens off; - server_names_hash_bucket_size 64; - # server_name_in_redirect off; + server_names_hash_bucket_size 64; + # server_name_in_redirect off; - include /etc/nginx/mime.types; - default_type text/html; + include /etc/nginx/mime.types; + default_type text/html; - ## - # SSL Settings - ## + ## + # SSL Settings + ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; - ## - # Logging Settings - ## + ## + # Logging Settings + ## - log_format awstats - '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "http_x_forwarded_for"'; + log_format awstats + '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "http_x_forwarded_for"'; - access_log {{ nginx_log_dir }}/access.log awstats; - error_log {{ nginx_log_dir }}/error.log; + access_log {{ nginx_log_dir }}/access.log awstats; + error_log {{ nginx_log_dir }}/error.log; - log_format scripts '$request > $document_root$fastcgi_script_name $fastcgi_path_info'; - access_log {{ nginx_log_dir }}/scripts.log scripts; + log_format scripts '$request > $document_root$fastcgi_script_name $fastcgi_path_info'; + access_log {{ nginx_log_dir }}/scripts.log scripts; + ## + # Gzip Settings + ## - ## - # Gzip Settings - ## + gzip on; + gzip_disable "msie6"; - gzip on; 
- gzip_disable "msie6"; + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + # 2021-04-17: STANZA BELOW THANKS TO @georgejhunt FOR http://box/jupyterhub + # SEE ALSO IIAB's: roles/jupyterhub/templates/jupyterhub-nginx.conf - # top-level http config for websocket headers - # If Upgrade is defined, Connection = upgrade - # If Upgrade is empty, Connection = close - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } + # top-level http config for websocket headers + # If Upgrade is defined, Connection = upgrade + # If Upgrade is empty, Connection = close + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } - ## - # Virtual Host Configs - ## + ## + # Virtual Host Configs + ## + # include a server file which in turn includes conf.d/* + include /etc/nginx/server.conf; - # include a server file which in turn includes conf.d/* - include /etc/nginx/server.conf; - - # include other sites - include /etc/nginx/sites-enabled/*.conf; + # include other sites + include /etc/nginx/sites-enabled/*.conf; - - # define the upstream backend fastcgi for php - upstream php { - server unix:/run/php/php{{ php_version }}-fpm.sock; - } + # define the upstream backend fastcgi for php + upstream php { + server unix:/run/php/php{{ php_version }}-fpm.sock; + } } -
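Review bot: The re-indented `log_format awstats` still ends with `"http_x_forwarded_for"` without the leading `$`, so every access-log entry records that literal string instead of the forwarded client chain, which removes the original client address from the log whenever a proxy sits in front. Since this commit rewrites the line anyway, it could read `'"$http_user_agent" "$http_x_forwarded_for"';`, after confirming the awstats LogFormat still parses the result. The same pass carries over `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, which keeps the deprecated TLS 1.0 and 1.1 enabled. `ssl_protocols TLSv1.2 TLSv1.3;` is the usual baseline where the installed nginx and OpenSSL support it. Both lines change only in whitespace here, so these are pre-existing issues surfaced by the lint rather than regressions.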