How to set up a subdomain for Jupyter notebook and configure HTTPS in Nginx

1. Obtaining a Let's Encrypt SSL certificate with a DNS TXT record

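Let's Encrypt is a service that issues SSL certificates for free.
Because it is free, it comes with many restrictions, such as a limit on the number of certificates,
but a single Jupyter notebook for personal use is no problem.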

1.1. Installing certbot

$ apt install certbot

I use Nginx too, and there seems to be something called python-certbot-nginx that handles the nginx configuration in one go,
but I don't know how to use it, so I'll skip it.

1.2. Issuing the SSL certificate

$ certbot certonly -d jupyternotebook.ju-ing.com --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for jupyternotebook.ju-ing.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jupyternotebook.ju-ing.com with the following value:

zaa6ssD2d3J6cG8fNgyqcexUEqafrXd4Yh1v1wdS8f

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Do not press Enter yet; switch to the domain (DNS) settings for a moment.

1.3. Setting up the subdomain to assign to Jupyter notebook on port 8888

  • Type: TXT
  • Host: _acme-challenge.jupyternotebook
  • Value/Location: zaa6ssD2d3J6cG8fNgyqcexUEqafrXd4Yh1v1wdS8f
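certbot's prompt asks you to verify that the record is deployed before continuing. The following is an added example (not from the original post) of that check: it reads `dig +short TXT` output and succeeds only when one of the returned records equals the token certbot printed. The function names are introduced here, and `ns1.example.net` is a placeholder for your zone's own nameserver.

```shell
#!/bin/sh
# Added example, not part of the original post.

# txt_has_token TOKEN
#   Reads `dig +short TXT <name>` output on stdin. Succeeds (exit 0) when one
#   of the records equals TOKEN exactly. dig prints one record per line as
#   quoted chunks, e.g. "abc" "def", and may return stale records from an
#   earlier attempt next to the new one.
txt_has_token() {
    awk -v want="$1" '
        {
            gsub(/"[ \t]+"/, "")            # join chunks of one record
            gsub(/"/, "")                   # drop the quotes
            gsub(/^[ \t]+|[ \t\r]+$/, "")   # trim whitespace
            if ($0 == want) found = 1
        }
        END { exit !found }'
}

# wait_for_txt NAME TOKEN NAMESERVER
#   Polls NAMESERVER directly (so a caching resolver cannot hide the record)
#   every 10 seconds, for up to 5 minutes.
wait_for_txt() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$1" "@$3" | txt_has_token "$2"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 10
    done
    return 1
}

# Usage (ns1.example.net is a placeholder for the zone's nameserver):
#   wait_for_txt _acme-challenge.jupyternotebook.ju-ing.com \
#       zaa6ssD2d3J6cG8fNgyqcexUEqafrXd4Yh1v1wdS8f ns1.example.net \
#     && echo "record is visible, press Enter in certbot"
```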


Now go back to the terminal from before...

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jupyternotebook.ju-ing.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jupyternotebook.ju-ing.com/privkey.pem
   Your cert will expire on 2022-01-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

2. How to configure an nginx subdomain

2.1. Installing nginx

$ apt install nginx

2.2. Changing the subdomain

The directory below contains a file named default; you can leave it untouched.

$ cd /etc/nginx/sites-available
$ vim jupyternotebook.conf

The file name does not have to be jupyternotebook.conf; name it whatever you like.
Copy and paste the contents below into it.
Use Ctrl + F to find jupyternotebook.ju-ing.com, change it to your own domain, change the port to your own as well, and save.

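# Set the Connection header for WebSocket upgrades:
# "upgrade" when the client sent an Upgrade header, otherwise "close"
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: redirect everything to HTTPS
server {
    listen 80;
    listen [::]:80;

    server_name jupyternotebook.ju-ing.com;
    rewrite ^ https://jupyternotebook.ju-ing.com$request_uri;
}

# Port 443: terminate TLS and proxy to the notebook on localhost:8888
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name jupyternotebook.ju-ing.com;

    ssl_certificate /etc/letsencrypt/live/jupyternotebook.ju-ing.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jupyternotebook.ju-ing.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8888;
        # WebSocket proxying requires HTTP/1.1 to the upstream
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Host $host;
    }
}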

Addendum: configuration from the official JupyterHub documentation

https://jupyterhub.readthedocs.io/en/stable/reference/config-proxy.html

# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
    listen 80;
    server_name HUB.DOMAIN.TLD;

    # Tell all requests to port 80 to be 302 redirected to HTTPS
    return 302 https://$host$request_uri;
}

# HTTPS server to handle JupyterHub
server {
    listen 443;
    ssl on;

    server_name HUB.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/HUB.DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/HUB.DOMAIN.TLD/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    # Managing literal requests to the JupyterHub front end
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # websocket headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Scheme $scheme;

        proxy_buffering off;
    }

    # Managing requests to verify letsencrypt host
    location ~ /.well-known {
        allow all;
    }
}
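The snippet quoted above still lists TLSv1 and TLSv1.1 in ssl_protocols (both deprecated by RFC 8996) and uses `ssl on;`, which nginx removed in 1.25.1 in favour of `listen 443 ssl;`. The following added example (not from the original post or the JupyterHub documentation) is a small lint that flags those lines, plus a WebSocket Upgrade header proxied without `proxy_http_version 1.1`, before nginx is restarted; the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post or the JupyterHub documentation.

# nginx_tls_findings
#   Reads an nginx config on stdin and prints one "LINE: message" per finding.
#   Simplifications: everything after "#" is treated as a comment, and the
#   WebSocket check is per file rather than per location block.
nginx_tls_findings() {
    awk '
        { sub(/#.*/, "") }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)
                if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    print NR ": ssl_protocols enables deprecated " p
            }
        }
        $1 == "ssl" && $2 == "on;" {
            print NR ": \"ssl on;\" is obsolete, use \"listen 443 ssl;\""
        }
        $1 == "proxy_set_header" && $2 == "Upgrade" { upgrade = NR }
        $1 == "proxy_http_version" && $2 == "1.1;" { http11 = 1 }
        END {
            if (upgrade && !http11)
                print upgrade ": Upgrade header proxied without proxy_http_version 1.1"
        }'
}

# Constructed sample: a few lines in the style of the snippet above.
sample_conf() {
    cat <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Upgrade $http_upgrade;
    }
}
EOF
}

# Usage: nginx_tls_findings < /etc/nginx/sites-available/jupyternotebook.conf
```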
$ ln -s /etc/nginx/sites-available/jupyternotebook.conf /etc/nginx/sites-enabled/
$ systemctl restart nginx.service

Finally, enter http://subdomain.domain.com in the browser's address bar and check that it redirects from http to https correctly.
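The same check can be scripted instead of done in the browser. This added example (not from the original post) validates the redirect headers returned by `curl -sI`, and also lists any listener on the notebook port that is not bound to loopback, on the assumption that Jupyter should only be reachable through nginx. The function names are introduced here; the host name and port 8888 are the values used on this page.

```shell
#!/bin/sh
# Added example, not part of the original post.

# check_redirect HOST
#   Reads the headers from `curl -sI http://HOST/` on stdin. Succeeds only if
#   the status is 301/302/307/308 and Location is https://HOST or
#   https://HOST/... (so https://HOST.example.net/ is rejected).
check_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }
        NR == 1 { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            prefix = "https://" host
            rest = substr(loc, length(prefix) + 1)
            ok = (code ~ /^30[1278]$/) && index(loc, prefix) == 1
            if (rest != "" && rest !~ /^\//) ok = 0
            exit !ok
        }'
}

# exposed_listeners PORT
#   Reads `ss -ltn` output on stdin and prints every listening address on PORT
#   other than 127.0.0.1 and [::1]. Any output means the notebook can be
#   reached directly, bypassing nginx and TLS (assumption: Jupyter is meant to
#   listen on loopback only).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") print $4
        }'
}

# Usage:
#   curl -sI http://jupyternotebook.ju-ing.com/ | check_redirect jupyternotebook.ju-ing.com
#   ss -ltn | exposed_listeners 8888
```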

References

  1. Obtaining a Let's Encrypt SSL certificate with a DNS TXT record

  2. How to configure an nginx subdomain

  3. https://jupyterhub.readthedocs.io/en/stable/reference/config-proxy.html

This post is licensed under CC BY 4.0 by the author.