44 changes: 40 additions & 4 deletions jupyterhub_traefik_proxy/proxy.py
Expand Up @@ -69,7 +69,7 @@ def _concurrency_changed(self, change):

extra_static_config = Dict(
config=True,
help="""Extra static configuration for treafik.
help="""Extra static configuration for traefik.

Merged with the default static config before writing to `.static_config_file`.

Expand All @@ -79,7 +79,7 @@ def _concurrency_changed(self, change):

extra_dynamic_config = Dict(
config=True,
help="""Extra dynamic configuration for treafik.
help="""Extra dynamic configuration for traefik.

Merged with the default dynamic config during startup.

Expand Down Expand Up @@ -202,6 +202,12 @@ def __init__(self, **kwargs):
""",
)

traefik_http_servers_transport = Unicode(
"jupyterhub",
config=True,
help="The name of the servers transport to use for internal SSL",
)

provider_name = Unicode(
help="""The provider name that Traefik expects, e.g. file, consul, etcd"""
)
Expand Down Expand Up @@ -364,7 +370,7 @@ async def _check_traefik_dynamic_conf_ready():
scale_factor=1.2,
timeout=self.check_route_timeout,
)
self.log.debug("Treafik route for %s: registered", routespec)
self.log.debug("Traefik route for %s: registered", routespec)

async def _traefik_api_request(self, path):
"""Make an API request to traefik"""
Expand Down Expand Up @@ -551,13 +557,39 @@ async def _setup_traefik_dynamic_config(self):
}
}
}
if getattr(self.app, "internal_ssl", False):

def _resolve_path(path):
if os.path.isabs(path):
return path
return url_path_join(os.getcwd(), path)

client_key = _resolve_path(
self.app.internal_proxy_certs["proxy-client"]['keyfile']
)
client_cert = _resolve_path(
self.app.internal_proxy_certs["proxy-client"]['certfile']
)
client_ca = _resolve_path(
self.app.internal_trust_bundles["proxy-client-ca"]
)
dynamic_config["http"]["serversTransports"] = {
self.traefik_http_servers_transport: {
"certificates": [
{
"certfile": client_cert,
"keyfile": client_key,
}
],
"rootCAs": client_ca,
}
}

self.dynamic_config = deep_merge(dynamic_config, self.dynamic_config)
if self.extra_dynamic_config:
self.dynamic_config = deep_merge(
self.dynamic_config, self.extra_dynamic_config
)

await self._apply_dynamic_config(self.dynamic_config, None)

def validate_routespec(self, routespec):
Expand Down Expand Up @@ -652,6 +684,10 @@ def _dynamic_config_for_route(self, routespec, target, data):
traefik_config["http"]["services"][service_alias] = {
"loadBalancer": {"servers": [{"url": target}], "passHostHeader": True}
}
if getattr(self.app, "internal_ssl", False):
traefik_config["http"]["services"][service_alias]["loadBalancer"][
"serversTransport"
] = self.traefik_http_servers_transport

# Add the data node to a separate top-level node, so traefik doesn't see it.
# key needs to be key-value safe (no '/')
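Review bot: In the `internal_ssl` branch added to `_setup_traefik_dynamic_config`, `_resolve_path` builds the client key, certificate and CA paths with `url_path_join(os.getcwd(), path)`, which is a URL helper rather than a filesystem one. `return os.path.abspath(path)` would replace the whole helper body and also normalise separators and `..` segments. Separately, Traefik's documentation describes `rootCAs` as a list and spells the certificate keys `certFile`/`keyFile`, so `"rootCAs": [client_ca]` looks like the safer shape. It is worth confirming that the transport actually loads, since a `serversTransports` entry that fails to parse would leave the proxy-to-backend connections without the intended client certificate and trust bundle. The function starts outside the visible hunk, so any earlier validation of these paths cannot be seen here.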