Support proxying to unix sockets #592
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dometto
commented
Jul 28, 2025
| var proxyOptions = { target }; | ||
|
|
||
| if (target.protocol.startsWith("unix")) { | ||
| proxyOptions.secure = false; |
There was a problem hiding this comment.
No support for SSL on unix sockets; this is not really needed anyway.
dometto
force-pushed
the
connect_to_unix_socket
branch
from
e5e243d to
36a6940
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for proxying to servers that are listening on a Unix socket. The Node http client library already supports unix sockets, so adding this functionality was just a matter of setting the right values for the connection options.
It also adds a test for the new functionality.
Rationale
JupyterHub already supports listening on unix sockets.
However, at this point, servers spawned by the hub have no way of contacting the Hub, as
configurable-http-proxyis not capable of proxying back to the Hub when it listens on a unix socket. This functionality would therefore mean a significant step towards being able to host all JupyterHub services on a unix socket. Apart from some (probably small) performance benefits compared to TCP, this would also mean security gains in situations where endusers have shell access to the machine running Jupyter services (while servers listening on TCP can be contacted by any user on the system, unix sockets can be secured using normal file permissions).A next step would be to allow
configurable-http-proxyto listen on unix sockets itself, for both the proxy server and the API server. This should be pretty trivial, as Node's http server library already supports listening on unix sockets. This feature is already used in the test in this PR.Details
unixas a unix socket path, sounix+http://(which is used by JupyterHub) andunix://will both work.unix+http://%2Ftmp%2F/test.sock, and notunix+http:///tmp/test.sock. This again follows the current expectations of JupyterHub. When passing in the unencoded path,URL.parsewill interpret/tmp/test.sockas the path, and set hostname to an empty string.