jupyterhub
feature: redirection of already terminated SSL traffic that misses a X-Forwarded-Proto or similar
We often times terminate SSL on a load balancer or ingress proxy instead of on services directly so that application admins don't have to worry with as many secrets (containers combined with service meshes are making this a more common thing too).
In those cases, the service can't tell whether or not it's using SSL using the port information, but only with headers like X-Forwarded-Proto or X-Forwarded-Port.
We'd like to force SSL only in our JupyterHub instance, but the --redirect-port flag won't work in this scenario. Any chance another hook could be added to trigger a redirect when a header/value combination doesn't match some specified value?
If you're already using another layer to terminate SSL, perhaps it makes sense to do the http->https redirect there instead of the proxied service? Still, #187 adds a --redirect-to option to override the redirect target port, which might be what you need. This is released today as 4.1.0.
I'll give it a try. Unfortunately the standard Kubernetes load balancer in AWS is their classic load balancer so we don't get the option of redirecting port 80 there (but it would be the ideal place).
The issues around our existing L7 reverse proxy were related to websockets, and it looks like #187 addresses some of that too, so this may be a simpler fix anyway.