I’ve been experimenting with running a Jupyter server inside an LXC container, and making it publicly accessible in a controlled way, via a reverse-proxy setup in Apache. This way, the web server handles all the authentication access, the Jupyter server doesn’t need to impose any restrictions. And being isolated inside a container should help to minimize the impact of a security breach.

I found some related documentation here https://jupyterhub.readthedocs.io/en/stable/howto/configuration/config-proxy.html, though it talks about JupyterHub, not Jupyter. This part matched what I initially tried (but didn’t fully work on its own):

ProxyPreserveHost on ProxyPass http://%C2%ABcontainer-host%C2%BB:%C2%ABport%C2%BB/ ProxyPassReverse http://%C2%ABcontainer-host%C2%BB:%C2%ABport%C2%BB/

This line was not something I did, so I’m not sure it’s really needed:

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

However, this whole rewrite business I found to be quite unnecessary:

RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://«container-host»:«port»/$1 [P,L]

Because the same effect can be achieved much more simply, by one small change to those initial three lines:

ProxyPreserveHost on ProxyPass http://%C2%ABcontainer-host%C2%BB:%C2%ABport%C2%BB/ upgrade=websocket ProxyPassReverse http://%C2%ABcontainer-host%C2%BB:%C2%ABport%C2%BB/

Notice that “upgrade=websocket” bit? That’s all it took to get the proxying to work.