Accessing jupyterhub through a ssh tunnel

329 views
Skip to first unread message

Ivan Gonzalez

unread,
Oct 4, 2017, 1:25:13 AM10/4/17
to Project Jupyter
Hi,

I'm having problems to connect to my jupyterhub through a ssh tunnel. I have jupyterhub running on my workstation, which is behind a firewall. I also have an ssh tunnel running on my laptop:

$ ssh -Nf -L 8443:workstation.edu:443 me@gateway

If I go to https://localhost:8443 on my laptop, I see my browser going to:

https://workstation.edu/hub/oauth_callback?code=(a bunch of numbers here)

but Firefox says "Server not found". The tunnel works if I run just a jupyter notebook and use ports 8888 everywhere.

What am I doing wrong? Which is the best way to connect to a workstation behind a firewall?

Best,

Ivan

MinRK

unread,
Oct 4, 2017, 2:38:02 AM10/4/17
to Project Jupyter

It looks like your Hub uses OAuth. Unfortunately, this is going to be a sticky issue. Which OAuth provider are you using?

One of the security aspects of OAuth is that the application and the oauth provider agree ahead of time on the redirect_uri. OAuth typically looks like this:

  1. visit Hub
  2. redirect to oauth provider, login with provider
  3. oauth provider redirects back to previously agreed-upon redirect_uri, which may not be where the login request originated (protects against spoofing applications)

This means that the redirect back (the oauth_callback url) will always be https://workstation.edu instead of localhost.

There are two not-great ways around this:

  1. edit the failed workstation.edu/oauth_callback... url and change the host to localhost:8443
  2. temporarily edit your /etc/hosts file to tell your laptop that workstation.edu is actually 127.0.0.1 and forward 443 on your laptop in stead of 8443.

When you access your workstation, do you normally visit it via localhost? If so, you can always use localhost and include that in the redirect_uri registered with the oauth provider. Then as long as the port is the same (it can be anything, as long as the tunneled port and target port are the same), it should work fine tunneled or not.

-MinRK


--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+unsubscribe@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/ba9e1a11-11de-4027-bd83-efd19f465b57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply all
Reply to author
Forward
0 new messages