Question

我试图让JupyterHub在Azure上与子域上的Nginx一起运行，但是无法连接到集线器。我收到以下当前设置的502错误网关错误。在我尝试的其他配置中，连接到主机只是挂起。有什么想法吗？

我在具有2个vcpus和7 GB内存的Azure上使用Ubuntu

~$ lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:    16.04
Codename:   xenial

~$ jupyterhub -f /etc/jupyterhub/jupyterhub_config.py --debug

[D 2018-07-06 15:31:16.748 JupyterHub application:555] Looking for /etc/jupyterhub/jupyterhub_config in /home/devmoxie
[D 2018-07-06 15:31:16.749 JupyterHub application:577] Loaded config file: /etc/jupyterhub/jupyterhub_config.py
[I 2018-07-06 15:31:16.751 JupyterHub app:1656] Using Authenticator: jupyterhub.auth.PAMAuthenticator-0.9.0
[I 2018-07-06 15:31:16.751 JupyterHub app:1656] Using Spawner: jupyterhub.spawner.LocalProcessSpawner-0.9.0
[I 2018-07-06 15:31:16.755 JupyterHub app:1014] Loading cookie_secret from /home/devmoxie/jupyterhub_cookie_secret
[D 2018-07-06 15:31:16.756 JupyterHub app:1069] Connecting to db: sqlite:///jupyterhub.sqlite
[D 2018-07-06 15:31:16.779 JupyterHub orm:685] database schema version found: 896818069c98
[I 2018-07-06 15:31:16.785 JupyterHub proxy:429] Generating new CONFIGPROXY_AUTH_TOKEN
[W 2018-07-06 15:31:16.787 JupyterHub app:1160] No admin users, admin interface will be unavailable.
[W 2018-07-06 15:31:16.787 JupyterHub app:1161] Add any administrative users to `c.Authenticator.admin_users` in config.
[I 2018-07-06 15:31:16.787 JupyterHub app:1188] Not using whitelist. Any authenticated user will be allowed.
[E 2018-07-06 15:31:16.827 JupyterHub app:1209] Error adding user adam already in db
    Traceback (most recent call last):
      File "/home/devmoxie/anaconda3/lib/python3.6/site-packages/jupyterhub/app.py", line 1207, in init_users
        await maybe_future(self.authenticator.add_user(user))
      File "/home/devmoxie/anaconda3/lib/python3.6/site-packages/jupyterhub/auth.py", line 525, in add_user
        raise KeyError("User %s does not exist." % user.name)
    KeyError: 'User adam does not exist.'

[W 2018-07-06 15:31:16.829 JupyterHub app:1221]
    You can set
        c.Authenticator.delete_invalid_users = True
    to automatically delete users from the Hub database that no longer pass
    Authenticator validation,
    such as when user accounts are deleted from the external system
    without notifying JupyterHub.

[D 2018-07-06 15:31:16.838 JupyterHub app:1460] Loading state for devmoxie from db
[D 2018-07-06 15:31:16.840 JupyterHub app:1460] Loading state for adam from db
[D 2018-07-06 15:31:16.841 JupyterHub app:1476] Loaded users:
    devmoxie admin
        adam
[I 2018-07-06 15:31:16.855 JupyterHub app:1838] Hub API listening on http://127.0.0.1:8081/jupyterhub/hub/
[W 2018-07-06 15:31:16.856 JupyterHub proxy:481] Running JupyterHub without SSL.  I hope there is SSL termination happening somewhere else...
[I 2018-07-06 15:31:16.856 JupyterHub proxy:483] Starting proxy @ http://127.0.0.1:8000/jupyterhub/
[D 2018-07-06 15:31:16.857 JupyterHub proxy:484] Proxy cmd: ['configurable-http-proxy', '--ip', '127.0.0.1', '--port', '8000', '--api-ip', '127.0.0.1', '--api-port', '8001', '--error-target', 'http://127.0.0.1:8081/jupyterhub/hub/error']
15:31:17.501 - info: [ConfigProxy] Proxying http://127.0.0.1:8000 to (no default)
15:31:17.505 - info: [ConfigProxy] Proxy API at http://127.0.0.1:8001/api/routes
[D 2018-07-06 15:31:17.863 JupyterHub proxy:517] Proxy started and appears to be up
[D 2018-07-06 15:31:17.863 JupyterHub proxy:294] Fetching routes to check
[D 2018-07-06 15:31:17.865 JupyterHub proxy:593] Proxy: Fetching GET http://127.0.0.1:8001/api/routes
15:31:17.882 - info: [ConfigProxy] 200 GET /api/routes
[I 2018-07-06 15:31:17.882 JupyterHub proxy:299] Checking routes
[I 2018-07-06 15:31:17.882 JupyterHub proxy:368] Adding default route for Hub: / => http://127.0.0.1:8081
[D 2018-07-06 15:31:17.883 JupyterHub proxy:593] Proxy: Fetching POST http://127.0.0.1:8001/api/routes/
15:31:17.886 - info: [ConfigProxy] Adding route / -> http://127.0.0.1:8081
15:31:17.887 - info: [ConfigProxy] 201 POST /api/routes/
[I 2018-07-06 15:31:17.887 JupyterHub app:1895] JupyterHub is now running at http://127.0.0.1:8000/jupyterhub/

~$ cat /etc/jupyterhub/jupyterhub_config.py

c.JupyterHub.ip = '127.0.0.1'
c.JupyterHub.base_url = u'/jupyterhub'
c.Authenticator.whitelist = {'devmoxie', 'Adam'}
c.Authenticator.admin_users = {'devmoxie'}

~ cat /etc/nginx/sites-available/default

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name 40.###.###.###;
    rewrite ^ https://$host$request_uri? permanent;
}

server {

    # SSL configuration

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}

~$ cat /etc/nginx/sites-enabled/jupyterhub.conf

# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
    listen 80;
    server_name 40.###.###.###;

    # Tell all requests to port 80 to be 302 redirected to HTTPS
    return 302 https://$host$request_uri;
}

# HTTPS server to handle JupyterHub
server {
    listen 443;
    ssl on;

    server_name 40.###.###.###;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    #ssl_session_cache shared:SSL:50m;
    #ssl_stapling on;
    ssl_stapling off;
    #ssl_stapling_verify on;
    ssl_stapling_verify off;
    add_header Strict-Transport-Security max-age=15768000;

    # Managing literal requests to the JupyterHub front end
    location /jupyterhub/ {
        proxy_pass https://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # websocket headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Managing requests to verify letsencrypt host
    location ~ /.well-known {
        allow all;
    }
}

Answer 1

这可能是关键位：

 proxy_pass https://127.0.0.1:8000;

JupyterHub不在本地运行https，因此您需要：

 proxy_pass http://127.0.0.1:8000;

因为nginx和jupyterhub之间的连接未使用SSL。

Answer 2

我花了大约2周的时间来解决这个问题。无法弄清楚为什么我得到了502错误的网关。我添加此答案是为了希望它可以避免其他人的头痛。

我每次重新构建jupyterhub都失败了3次。我开始使用tail -f /var/log/nginx/error.log查看nginx日志，并且发现有些关于SSL的消息引起了我的思考，这可能是我从一开始就使用ECC私钥进行部署的事实吗？

我用RSA重新生成了SSL证书和私钥。更新了nginx和jupyterhub_config.py的证书文件。然后重新启动应用程序。现在它就像一种魅力。

TLDR： Jupyterhub不支持ECC用于SSL证书，仅支持RSA。

无法在Ubuntu vm上使用Ngnix连接到JupyterHub

2 个答案: