Hi,
Can you describe how you would like this (haproxy -> apache+shib -> jupyter?)
set up? (Perhaps with some kind of diagram with desired URLs / IPs
etc.)
From what I understand you'd like to use public ip/url only on haproxy
and everything else on private IPs (accessed only from the haproxy host).
AFAIK something like this might work:
haproxy listens on public ip:443 and sends all /jhub /Shibboleth.sso
traffic to apache(shib)+jupyter backend server on port 8443(w/out ssl):
haproxy:
    ...
    acl host_web3 path_beg /jhub
    acl host_web3_saml2 path_beg /Shibboleth.sso
    use_backend web3_cluster if host_web3 || host_web3_saml2
    ...
    backend web3_cluster
        # "server" takes a name before the address; w1 matches the cookie value
        server w1 apache_server_privateip:8443 check inter 2000 cookie w1
        # If you've more than 1 server then you'll probably need persistence
apache vhost (plain http vhost, no ssl configured):
    Listen 8443
    <VirtualHost *:8443>
        HostnameLookups off
        ServerName https://proxy.example.com
        UseCanonicalName On
        SetEnv HTTPS on
        # <Location /jhub> or <LocationMatch ...>
        <Location /jhub>
            # ... your jupyter proxypass / shibboleth auth (remote_user) / wss config
            # Also make sure apache passes or sets:
            # X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-For
        </Location>
    </VirtualHost>
Configure shibboleth to use https://proxy.example.com/Shibboleth.sso
urls.
Configure jupyter to trust X- headers: NotebookApp.trust_xheaders
and maybe you need to use NotebookApp.custom_display_url so jupyter
knows its URL is https://proxy.example.com/jhub.
-Jarno
--
Jarno Huuskonen
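
The haproxy side of the setup described above, with the forwarding headers handled explicitly, as an added example that is not part of the original message. Because the backend is told to trust X- headers, haproxy should overwrite whatever the client sent, and port 8443 should be reachable only from the haproxy host. The frontend name, IP addresses, certificate path, cookie name and tunnel timeout are placeholders, and a global/defaults section with the usual timeouts is assumed.

```haproxy
# Added example; addresses, names and paths are placeholders.
frontend public_https
    mode http
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/proxy.example.com.pem

    # "option forwardfor" appends to an existing X-Forwarded-For, so remove
    # the client-supplied one first. set-header replaces any existing value.
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Scheme https
    http-request set-header X-Real-Ip %[src]
    option forwardfor

    acl host_web3 path_beg /jhub
    acl host_web3_saml2 path_beg /Shibboleth.sso
    use_backend web3_cluster if host_web3 || host_web3_saml2

backend web3_cluster
    mode http
    # Persistence cookie; its value is taken from "cookie w1" on the server line.
    cookie SERVERID insert indirect nocache
    # Keep long-lived websocket (wss) connections to jupyter from being cut.
    timeout tunnel 1h
    # Plain http to the private address of the apache+shib host.
    server w1 10.0.0.11:8443 check inter 2000 cookie w1
```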