docs/howto/admin/https.rst

.. _howto/admin/https:

============
Enable HTTPS
============

Every JupyterHub deployment should enable HTTPS!

HTTPS encrypts traffic so that usernames, passwords and your data are
communicated securely. sensitive bits of information are communicated
securely. The Littlest JupyterHub supports automatically configuring HTTPS
via `Let's Encrypt <https://letsencrypt.org>`_, or setting it up
:ref:`manually <howto/admin/https/manual>` with your own TLS key and
certificate. Unless you have a strong reason to use the manual method,
you should use the :ref:`Let's Encrypt <howto/admin/https/letsencrypt>`
method.

.. note::

   You *must* have a domain name set up to point to the IP address on
   which TLJH is accessible before you can set up HTTPS.

   To do that, you would have to log in to the website of your registrar
   and go to the DNS records section. The interface will look like something
   similar to this:

    .. image:: ../../images/dns.png
       :alt: Adding an entry to the DNS records

.. _howto/admin/https/letsencrypt:

Automatic HTTPS with Let's Encrypt
==================================

.. note::

   If the machine you are running on is not reachable from the internet -
   for example, if it is a machine internal to your organization that
   is cut off from the internet - you can not use this method. Please
   set up a DNS entry and HTTPS :ref:`manually <howto/admin/https/manual>`.

To enable HTTPS via letsencrypt::

    sudo tljh-config set https.enabled true
    sudo tljh-config set https.letsencrypt.email you@example.com
    sudo tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu

where ``you@example.com`` is your email address and ``yourhub.yourdomain.edu``
is the domain where your hub will be running.

Once you have loaded this, your config should look like::

    sudo tljh-config show

.. sourcecode:: yaml

    https:
      enabled: true
      letsencrypt:
        email: you@example.com
        domains:
        - yourhub.yourdomain.edu

Finally, you can reload the proxy to load the new configuration::

    sudo tljh-config reload proxy

At this point, the proxy should negotiate with Let's Encrypt to set up a
trusted HTTPS certificate for you. It may take a moment for the proxy to
negotiate with Let's Encrypt to get your certificates, after which you can
access your Hub securely at https://yourhub.yourdomain.edu.

These certificates are valid for 3 months. The proxy will automatically
renew them for you before they expire.

.. _howto/admin/https/manual:

Manual HTTPS with existing key and certificate
==============================================

You may already have an SSL key and certificate.
If so, you can tell your deployment to use these files::

    sudo tljh-config set https.enabled true
    sudo tljh-config set https.tls.key /etc/mycerts/mydomain.key
    sudo tljh-config set https.tls.cert /etc/mycerts/mydomain.cert


Once you have loaded this, your config should look like::

    sudo tljh-config show


.. sourcecode:: yaml

    https:
      enabled: true
      tls:
        key: /etc/mycerts/mydomain.key
        cert: /etc/mycerts/mydomain.cert

Finally, you can reload the proxy to load the new configuration::

    sudo tljh-config reload proxy

and now access your Hub securely at https://yourhub.yourdomain.edu.

Troubleshooting
===============

If you're having trouble with HTTPS, looking at the :ref:`traefik
proxy logs <troubleshooting/logs/traefik>` might help.
updating content from zexuan's user test 2018-08-10 10:09:24 -07:00			`.. _howto/admin/https:`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`============`
			`Enable HTTPS`
			`============`

			`Every JupyterHub deployment should enable HTTPS!`

Cleanup HTTPS documentation - Wrap some lines - Normalize reference anchors to conform to hierarchy - Mention that the certificates will be renewed - Strengthen suggestion to use Let's Encrypt Fixes #305 2019-05-18 14:19:42 -07:00			`HTTPS encrypts traffic so that usernames, passwords and your data are`
			`communicated securely. sensitive bits of information are communicated`
			`securely. The Littlest JupyterHub supports automatically configuring HTTPS`
			via `Let's Encrypt <https://letsencrypt.org>`_, or setting it up
			:ref:`manually <howto/admin/https/manual>` with your own TLS key and
			`certificate. Unless you have a strong reason to use the manual method,`
			you should use the :ref:`Let's Encrypt <howto/admin/https/letsencrypt>`
			`method.`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
Document that you need a domain name before HTTPS Also note that Let's Encrypt doesn't work in private networks. Fixes #217 2019-05-18 17:46:06 -07:00			`.. note::`

			`You must have a domain name set up to point to the IP address on`
			`which TLJH is accessible before you can set up HTTPS.`

Add quick note about DNS records 2020-03-09 16:16:58 +01:00			`To do that, you would have to log in to the website of your registrar`
			`and go to the DNS records section. The interface will look like something`
			`similar to this:`

			`.. image:: ../../images/dns.png`
			`:alt: Adding an entry to the DNS records`

Cleanup HTTPS documentation - Wrap some lines - Normalize reference anchors to conform to hierarchy - Mention that the certificates will be renewed - Strengthen suggestion to use Let's Encrypt Fixes #305 2019-05-18 14:19:42 -07:00			`.. _howto/admin/https/letsencrypt:`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`Automatic HTTPS with Let's Encrypt`
			`==================================`

Document that you need a domain name before HTTPS Also note that Let's Encrypt doesn't work in private networks. Fixes #217 2019-05-18 17:46:06 -07:00			`.. note::`

			`If the machine you are running on is not reachable from the internet -`
			`for example, if it is a machine internal to your organization that`
			`is cut off from the internet - you can not use this method. Please`
			set up a DNS entry and HTTPS :ref:`manually <howto/admin/https/manual>`.

docs for setting up HTTPS 2018-07-30 16:08:47 +02:00			`To enable HTTPS via letsencrypt::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config set https.enabled true`
			`sudo tljh-config set https.letsencrypt.email you@example.com`
			`sudo tljh-config add-item https.letsencrypt.domains yourhub.yourdomain.edu`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
Cleanup HTTPS documentation - Wrap some lines - Normalize reference anchors to conform to hierarchy - Mention that the certificates will be renewed - Strengthen suggestion to use Let's Encrypt Fixes #305 2019-05-18 14:19:42 -07:00			where ``you@example.com`` is your email address and ``yourhub.yourdomain.edu``
Typo fix: `s` -> `is` 2019-06-16 11:00:11 +02:00			`is the domain where your hub will be running.`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`Once you have loaded this, your config should look like::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config show`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`.. sourcecode:: yaml`

			`https:`
			`enabled: true`
			`letsencrypt:`
			`email: you@example.com`
			`domains:`
			`- yourhub.yourdomain.edu`

			`Finally, you can reload the proxy to load the new configuration::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config reload proxy`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
Cleanup HTTPS documentation - Wrap some lines - Normalize reference anchors to conform to hierarchy - Mention that the certificates will be renewed - Strengthen suggestion to use Let's Encrypt Fixes #305 2019-05-18 14:19:42 -07:00			`At this point, the proxy should negotiate with Let's Encrypt to set up a`
			`trusted HTTPS certificate for you. It may take a moment for the proxy to`
			`negotiate with Let's Encrypt to get your certificates, after which you can`
			`access your Hub securely at https://yourhub.yourdomain.edu.`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
Cleanup HTTPS documentation - Wrap some lines - Normalize reference anchors to conform to hierarchy - Mention that the certificates will be renewed - Strengthen suggestion to use Let's Encrypt Fixes #305 2019-05-18 14:19:42 -07:00			`These certificates are valid for 3 months. The proxy will automatically`
			`renew them for you before they expire.`

			`.. _howto/admin/https/manual:`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`Manual HTTPS with existing key and certificate`
			`==============================================`

			`You may already have an SSL key and certificate.`
			`If so, you can tell your deployment to use these files::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config set https.enabled true`
			`sudo tljh-config set https.tls.key /etc/mycerts/mydomain.key`
			`sudo tljh-config set https.tls.cert /etc/mycerts/mydomain.cert`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00

			`Once you have loaded this, your config should look like::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config show`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00

			`.. sourcecode:: yaml`

			`https:`
			`enabled: true`
			`tls:`
			`key: /etc/mycerts/mydomain.key`
			`cert: /etc/mycerts/mydomain.cert`

			`Finally, you can reload the proxy to load the new configuration::`

Move tljh-config symlink to /usr/bin Removes a lot of 'sudo -E' usage, and eventually should let us get rid of the $PATH override for jupyterhub-admins, which arguably is less secure than just dropping stuff into /usr/bin Also remove sudo -E from apt and mkdir calls. Not necessary. 2018-08-12 21:52:04 -07:00			`sudo tljh-config reload proxy`
docs for setting up HTTPS 2018-07-30 16:08:47 +02:00
			`and now access your Hub securely at https://yourhub.yourdomain.edu.`
Add bit more info on troubleshooting HTTPS We no longer use CHP, so add section on getting logs from traefik instead 2019-05-20 09:44:31 -07:00
			`Troubleshooting`
			`===============`

			If you're having trouble with HTTPS, looking at the :ref:`traefik
			proxy logs <troubleshooting/logs/traefik>` might help.