@raystyle
Forked from gist4ray/jupyter.md
Created December 1, 2021 02:51
nginx mutual TLS (two-way HTTPS) configuration for JupyterLab

References:

  • jupyter/notebook#1311
  • https://github.com/openfisca/jupyter/blob/master/config/nginx_configuration/jupyterhub.nginx.conf
  • https://programming.vip/docs/running-jupyter-jupyterhub-jupyterlab-as-a-system-service.html
  • https://janakiev.com/blog/jupyter-systemd/

jupyter lab --generate-config
Writing default config to: /root/.jupyter/jupyter_lab_config.py

# Settings changed in jupyter_lab_config.py. Jupyter keeps its default bind address
# (localhost), so port 8888 is reachable only through the nginx proxy below.
c.ServerApp.allow_remote_access = True
c.ServerApp.allow_root = True
c.ServerApp.open_browser = False
c.ServerApp.allow_origin = '*'   # tolerable only because nginx blanks the Origin header; otherwise set it to your own domain
c.ServerApp.password = '<hashed password>'   # paste the hash printed by: from jupyter_server.auth import passwd; passwd()
c.ServerApp.root_dir = '/root'
root@vultr:/etc/systemd/system# cat jupyter.service
[Unit]
Description=Jupyter Lab
After=network.target

[Service]
# The gist runs the notebook as root; a dedicated unprivileged user is the safer choice,
# since every kernel is a shell with this user's rights.
User=root
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
WorkingDirectory=/root/
# Use the absolute path printed by `which jupyter`; /usr/local/bin is assumed here.
ExecStart=/usr/local/bin/jupyter lab

[Install]
WantedBy=multi-user.target
upstream notebook {
    server 127.0.0.1:8888;
}

# Plain HTTP only redirects. Putting "listen 80" and "listen 443 ssl" in the same
# server block would proxy the notebook over port 80 with no client-certificate check at all.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
}

server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        #server_name  www.yourdomain.com;

        # "ssl on;" is deprecated; the ssl parameter on "listen" replaces it.
        ssl_certificate        /etc/nginx/sites-available/server.crt;  # server certificate
        ssl_certificate_key    /etc/nginx/sites-available/server.key;  # server private key
        ssl_client_certificate /etc/nginx/sites-available/root.crt;    # CA that issued the client certificates (not client.crt itself)
        ssl_verify_client      on;                                      # require a client certificate and verify it against root.crt

location / {
        proxy_pass http://notebook;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Origin "";            # blank Origin so Jupyter's origin check accepts proxied requests
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
}

# Kernel and terminal WebSocket endpoints: long-lived connections, hence the 24h read timeout.
location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
        proxy_pass http://notebook;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Origin "";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
}
}

Required files

  • Root CA certificate: root.crt (installed on the server as the trust anchor for ssl_client_certificate; also imported by clients that want to verify the server certificate)
  • Server certificate: server.crt
  • Server private key: server.key
  • Client certificate: client.crt
  • Client private key: client.key
  • Client bundle (certificate plus private key, for browser import): client.p12

Fields to watch

  • Common Name: for the server certificate, the domain name clients connect to; for the client certificate, any name identifying the user. Browsers match the host name against the subjectAltName rather than the CN, so a server certificate made with the interactive `openssl req` prompts (no SAN) only works with -k or manual trust.
  • Do not make all subject fields identical for the root, server and client certificates: if a leaf certificate's subject equals its issuer, OpenSSL treats it as self-signed and chain verification fails. Keep Organization and similar fields consistent if you like, but give each certificate a distinct Common Name.
  • The challenge password prompt at the end can be skipped with Enter.

I. Generate a self-signed root certificate

  1. Create the root CA private key
$ openssl genrsa -out root.key 2048
  2. Create the root certificate request
$ openssl req -new -out root.csr -key root.key
  3. Create the (self-signed) root certificate
$ openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650

After these three commands we have:

  • root.key: the CA private key. Keys have no expiry; anyone holding this key can mint client certificates nginx will accept, so keep it off the web server.
  • root.crt: the self-signed CA certificate, valid for 10 years

II. Generate the server certificate (issued by the root CA)

  1. Generate the server private key:
$ openssl genrsa -out server.key 2048
  2. Generate the server certificate request
$ openssl req -new -out server.csr -key server.key
  3. Issue the server certificate from the root CA
$ openssl x509 -req -in server.csr -out server.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650

Do not add -signkey server.key to this command: -signkey means "self-sign with this key", it overrides -CA/-CAkey, and the result would not chain to root.crt. The certificate is signed with root.key; server.key only needs to be the key the CSR was created with.

After these three commands we have:

  • server.key: the server private key
  • server.crt: the server certificate, valid for 10 years, issued by the root CA

III. Generate the client certificate (issued by the root CA)

  1. Generate the client private key
$ openssl genrsa -out client.key 2048
  2. Generate the client certificate request
$ openssl req -new -out client.csr -key client.key
  3. Issue the client certificate from the root CA (again, no -signkey here)
$ openssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650
  4. Bundle the client certificate and key in PKCS#12 format (you are prompted for an export password; the browser asks for it on import)
$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

After these four commands we have:

  • client.key: the client private key
  • client.crt: the client certificate, valid for 10 years, issued by the root CA
  • client.p12: the client certificate and private key in p12 format, mainly for import into a browser
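The three sections above, as one non-interactive script. This is an added example, not code from the gist: it builds the root CA, server and client certificates with the fixes discussed (CA-signed leaves, distinct Common Names, a DNS SAN on the server certificate) and then runs `openssl verify -CAfile root.crt` against each one, which is the same decision nginx makes with `ssl_client_certificate root.crt; ssl_verify_client on;`. It also produces a rogue self-signed certificate with the same subject as the real client to show that only the CA trust anchor tells the two apart. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the organisation "Example Lab", the user name "jupyter-user" and the domain argument are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original gist): build the root CA, server and client
# certificates non-interactively, then check each one the way nginx's
# "ssl_client_certificate root.crt; ssl_verify_client on;" does.
# Assumptions: OpenSSL 1.1.1 or newer (for -addext); the organisation, user name and
# domain below are placeholders.

# gen_pki DIR DOMAIN
# Writes root.{key,crt}, server.{key,crt}, client.{key,crt,p12} into DIR, plus rogue.crt:
# a self-signed certificate with the same subject as client.crt but NOT issued by the CA.
gen_pki() {
    dir=$1; domain=$2
    mkdir -p "$dir"

    # 1. Root CA: private key + self-signed certificate (10 years). Its CN differs from
    #    the server and client CNs; a leaf whose subject equals its issuer fails verification.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/root.key" -sha256 -days 3650 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$dir/root.crt"

    # 2. Server certificate: CN = service domain plus a DNS SAN, which is what browsers
    #    and curl --cacert match against the host name. Signed with root.key
    #    (no -signkey: that would self-sign the leaf and break the chain).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/O=Example Lab/CN=$domain" -out "$dir/server.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$domain" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 3. Client certificate: issued by the same CA; this is the credential nginx verifies.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/O=Example Lab/CN=jupyter-user" -out "$dir/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
    # PKCS#12 bundle for browser import (empty export password here; set one for real use).
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass: -out "$dir/client.p12"

    # 4. Rogue certificate: same subject as the real client, self-signed with a key the CA
    #    never saw. Trusting client.crt directly instead of root.crt cannot reject this class.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/rogue.key" -sha256 -days 3650 \
        -subj "/O=Example Lab/CN=jupyter-user" -out "$dir/rogue.crt" 2>/dev/null
}

# check_cert CAFILE CERT: exit 0 if CERT chains to CAFILE, the same decision nginx makes
# for a presented client certificate when ssl_client_certificate points at CAFILE.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh mtls_pki.sh /data/sslKey www.yourdomain.com
if [ $# -eq 2 ]; then
    gen_pki "$1" "$2"
    for f in server client rogue; do
        if check_cert "$1/root.crt" "$1/$f.crt"; then
            echo "$f.crt: accepted (issued by root.crt)"
        else
            echo "$f.crt: rejected (not issued by root.crt)"
        fi
    done
fi
```

Running it prints that server.crt and client.crt are accepted and rogue.crt is rejected. The same `openssl verify -CAfile root.crt` check is worth running before reloading nginx whenever a certificate is reissued: a chain that fails here fails in the TLS handshake too, and the only symptom there is a 495 from nginx.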

IV. Server configuration

nginx configuration file

server {
        listen       443 ssl;
        server_name  www.yourdomain.com;
        # "ssl on;" is deprecated and unnecessary with "listen 443 ssl"
        ssl_certificate      /data/sslKey/server.crt;  # server certificate
        ssl_certificate_key  /data/sslKey/server.key;  # server private key
        ssl_client_certificate /data/sslKey/root.crt;  # CA certificate that issued the client certificates
        ssl_verify_client on;  # require a client certificate and verify it against root.crt


        location / {
            root   html;
            index  index.html index.htm;
        }
}

V. Testing

curl test

# --cert    path to the client certificate
# --key     path to the client private key
# --cacert  trust our own root CA for the server certificate; this also requires the host name
#           in the URL to match the server certificate's CN/SAN
# -k        skip server certificate validation entirely (quick smoke test only: it no longer
#           detects a wrong or spoofed server)
# -v        show the TLS handshake, including the server's certificate request and the client
#           certificate being sent


$ curl --cacert ./root.crt --cert ./client.crt --key ./client.key https://xxxx -v
$ curl --cert ./client.crt --key ./client.key https://xxxx -k -v

# Negative checks: without --cert/--key nginx answers "400 Bad Request: No required SSL certificate
# was sent"; with a certificate that does not chain to root.crt it answers 495 (SSL Certificate Error).