SSL communication for IPython web UI in Linux Secure cluster
This document explains how to enable SSL communication for the IPython web UI in a Kerberos-enabled secure cluster running on Linux nodes.
Prerequisite software in Linux node
OpenSSL
Install OpenSSL using the following command.
Ubuntu: sudo apt-get install openssl
CentOS: sudo yum install openssl
Nginx
Install Nginx using the following command.
Ubuntu: sudo apt-get install nginx
CentOS: Add the CentOS EPEL package first, followed by Nginx.
sudo yum install epel-release
sudo yum install nginx
Apache2-utils
Install apache2-utils using the following command.
Ubuntu: sudo apt-get install apache2-utils
CentOS: sudo yum install httpd-tools
Steps involved in hosting the IPython service over SSL
Step 1: Stop the running IPython service on the host
Stop the IPython service, if it is already running in your cluster.
Step 2: Create certificate, certificate key, and PEM file
Open terminal and execute the following commands to create the required certificate, certificate key, and PEM file.
openssl genrsa -out /home/syncfusion/HadoopNode/SSL/nginx.key 3650
openssl req -new -x509 -days 3650 -subj "/CN=synclinux104" -key /home/syncfusion/HadoopNode/SSL/nginx.key -out /home/syncfusion/HadoopNode/SSL/nginx.crt
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/C=IN/ST=TN/L=CH/O=SYNCFUSION/CN=synclinux104" -keyout /home/syncfusion/HadoopNode/SSL/ipython.pem -out /home/syncfusion/HadoopNode/SSL/ipython.pem
In the previous commands, synclinux104 can be replaced with any string.
/home/syncfusion/HadoopNode/SSL: Use the same folder location when updating the Nginx and IPython configuration in Step 4 and Step 5.
Step 3: Create user for HTTPS authentication
Create a new user and set a password using the following command. These are the credentials to enter when authenticating at the Nginx URL.
sudo htpasswd -c /etc/nginx/.httppassword testuser
/etc/nginx/.httppassword: Use the same location when updating the location block of the configuration in Step 4.
Step 4: Nginx configuration changes
Open Nginx conf file - /etc/nginx/nginx.conf.
Update the http block with values based on the following template.
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush off;
    client_max_body_size 100M;
    keepalive_timeout 20;

    server {
        # The ssl parameter on listen replaces the deprecated "ssl on;" directive.
        listen $proxyport ssl;
        server_name $proxyserver;
        ssl_certificate $certificatelocation;
        ssl_certificate_key $certificatekeylocation;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 2m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            # Require the Step 3 credentials before proxying to IPython.
            auth_basic "Restricted Content";
            auth_basic_user_file /etc/nginx/.httppassword;
            proxy_pass $BackendServer;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Origin "";
        }
    }
}
In the previous template, replace the following variables, where synclinux104 is the hostname.
$proxyport: 10002
$proxyserver: synclinux104
$certificatelocation: /home/syncfusion/HadoopNode/SSL/nginx.crt
$certificatekeylocation: /home/syncfusion/HadoopNode/SSL/nginx.key
$BackendServer: https://synclinux104:10012/
Step 5: IPython configuration changes
Open the ‘jupyter_notebook_config.py’ file from the following location:
/home/syncfusion/HadoopNode/Python/settings/jupyter/jupyter_notebook_config.py
Replace the line (# c.NotebookApp.certfile = u'') with the following.
c.NotebookApp.certfile = u'/home/syncfusion/HadoopNode/SSL/ipython.pem'
Step 6: Restart Nginx server
Restart your Nginx server using the following command and confirm that it has started properly on port 10002.
sudo service nginx restart
Step 7: Start IPython server
- Open terminal and navigate to /home/syncfusion/HadoopNode/Python/bin location.
- Execute the following export commands:
export IPYTHONDIR=/home/syncfusion/HadoopNode/Python/settings/ipython
export JUPYTER_CONFIG_DIR=/home/syncfusion/HadoopNode/Python/settings/jupyter
- Run the IPython server start command:
./ipython notebook --no-mathjax --port=10012 --no-browser --ip=synclinux104
Here, synclinux104 is the hostname.
Step 8: Access IPython notebook
You can access IPython via Nginx authentication by opening the Nginx URL in the browser.
The browser prompts for credentials. Provide the credentials that were configured in Step 3.
In this example, port 10002 is used as the Nginx port and port 10012 as the IPython service port.
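The steps above share paths and ports that must agree, so the following Python check parses a filled-in Step 4 server block and reports template placeholders left unreplaced and values that disagree with Steps 2, 3 and 7. It is an added example, not part of the original article or of the product it describes; the names first_arg and check_nginx_conf and the sample configuration are assumptions constructed for illustration.

```python
import re

# Values the article uses in Steps 2, 3 and 7.
SSL_DIR = "/home/syncfusion/HadoopNode/SSL"
HTPASSWD = "/etc/nginx/.httppassword"
BACKEND_PORT = 10012
# Step 4 template placeholders. $http_upgrade is a real Nginx variable and stays.
PLACEHOLDERS = ("$proxyport", "$proxyserver", "$certificatelocation",
                "$certificatekeylocation", "$BackendServer")

# Constructed sample: the Step 4 template filled in, with one placeholder left behind.
SAMPLE = """
server { listen 10002 ssl; server_name synclinux104;
  ssl_certificate /home/syncfusion/HadoopNode/SSL/nginx.crt;
  ssl_certificate_key $certificatekeylocation;
  location / { auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.httppassword;
    proxy_pass https://synclinux104:10012/;
    proxy_set_header Upgrade $http_upgrade; } }
"""

def first_arg(conf, name):
    """Return the argument text of the first `name ...;` directive, or ''."""
    m = re.search(r"(?:^|[;{}\s])" + re.escape(name) + r"\s+([^;{}]*);", conf)
    return m.group(1).strip() if m else ""

def check_nginx_conf(conf):
    """Return a list of problems; an empty list means the steps agree."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    problems = [f"{p} was not replaced" for p in PLACEHOLDERS if p in conf]
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if not first_arg(conf, name).startswith(SSL_DIR + "/"):
            problems.append(f"{name} is not under {SSL_DIR} (Step 2)")
    if first_arg(conf, "auth_basic") in ("", "off"):
        problems.append("auth_basic is missing or off")
    if first_arg(conf, "auth_basic_user_file") != HTPASSWD:
        problems.append("auth_basic_user_file differs from the Step 3 file")
    m = re.match(r"https://[^/:\s]+:(\d+)/?$", first_arg(conf, "proxy_pass"))
    if not m or int(m.group(1)) != BACKEND_PORT:
        problems.append(f"proxy_pass is not https on port {BACKEND_PORT} (Step 7)")
    if first_arg(conf, "listen").split()[:1] == [str(BACKEND_PORT)]:
        problems.append("listen port is the IPython port, not the Nginx port")
    return problems

if __name__ == "__main__":
    for problem in check_nginx_conf(SAMPLE):
        print("FAIL:", problem)
```

Run it against the server block from /etc/nginx/nginx.conf before restarting Nginx in Step 6; an empty result means the paths and ports line up across the steps.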