Him

Reputation: 5549

how-to create an insecure jupyter server

Jupyter only allows access from localhost unless I do a bunch of extra security stuff. I am running my server so that it is only accessible on a local network where anyone with access is equal in trustworthiness to localhost. How do I set up a jupyter notebook server with no extra security features?

Upvotes: 3

Views: 6798

Answers (1)

minrk

Reputation: 38608

Based on your question, I expect you want this configuration (in ~/.jupyter/jupyter_notebook_config.py):

    c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
    c.NotebookApp.token = ''     # disable authentication

There are a few security features in Jupyter (as of 4.3.1). I'll go over how to disable each one, and whether/when it makes sense to disable it:

  1. It listens only on localhost. This can be changed to all public IP addresses:

    c.NotebookApp.ip = '0.0.0.0'
    

    Listening on public IPs should generally come with enabling HTTPS and/or password or token authentication (docs). If it's all internal on a trusted network where nothing bad ever happens, you can proceed to disable other security features:

  2. Token authentication is enabled by default. To disable it:

    c.NotebookApp.token = ''
    

    Disabling authentication means that anyone with access to the host can run code. It seems like this is what you want. You can also enable a password:

    In [1]: from notebook.auth import passwd
    In [2]: passwd()
    Enter password:
    Verify password:
    Out[2]: 'sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed'
    

    You can store this in c.NotebookApp.password.

    You can also store this password in (~/.jupyter/jupyter_notebook_config.json):

    {
        "NotebookApp": {
            "password": "sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed"
        }
    }
    
  3. Jupyter also has CORS protections, to prevent other websites from being able to access this server. This means that when a user on your network visits example.com, JavaScript on that page cannot execute code on your notebook server. It sounds like you don't want to touch this, but if you are running a service that should be able to access the notebook server, you can add it to:

    c.NotebookApp.allow_origin = 'https://your.other.host'
    
  4. Finally, Jupyter 4.3.1 introduces an xsrf token, which is part of dealing with the same category of cross-site execution above. You don't need to touch this if users are only accessing the server directly, rather than through JavaScript on additional websites.

    c.NotebookApp.disable_check_xsrf = True
    

A completely insecure notebook server, which is to say one where any website can run code on it, as long as a browser can connect to its host (this would include localhost or LAN if the browser is running from inside the LAN):

    c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
    c.NotebookApp.token = ''     # disable authentication
    c.NotebookApp.allow_origin = '*' # allow access from anywhere
    c.NotebookApp.disable_check_xsrf = True # allow cross-site requests

This might be desirable if you are aiming to make compute resources free for the world to use however they want via the notebook API.

Upvotes: 16
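
An added example, not part of the answer above and not Jupyter's own code: a small audit that reads a `jupyter_notebook_config.py` without executing it and reports which of the four protections described in the answer have been switched off. The names `SAMPLE_CONFIG`, `read_settings` and `audit` are hypothetical, and treating every non-loopback `ip` value as exposed is an assumption of this sketch.

```python
import ast

# Constructed sample: the "completely insecure" settings quoted in the answer.
SAMPLE_CONFIG = """
c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
c.NotebookApp.token = ''     # disable authentication
c.NotebookApp.allow_origin = '*' # allow access from anywhere
c.NotebookApp.disable_check_xsrf = True # allow cross-site requests
"""

def read_settings(source):
    """Collect c.NotebookApp.<name> = <literal> assignments by parsing, not running, the file."""
    settings = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        for t in node.targets:
            owner = getattr(t, "value", None)
            if (isinstance(t, ast.Attribute) and isinstance(owner, ast.Attribute)
                    and owner.attr == "NotebookApp"
                    and getattr(owner.value, "id", None) == "c"):
                try:
                    settings[t.attr] = ast.literal_eval(node.value)
                except (ValueError, TypeError):
                    settings[t.attr] = "<computed>"  # not a literal: review by hand
    return settings

def audit(source):
    """Return one finding per protection from the answer that the config disables."""
    s = read_settings(source)
    findings = []
    # Assumption: anything other than a loopback name counts as exposed.
    if s.get("ip", "localhost") not in ("localhost", "127.0.0.1", "::1"):
        findings.append("ip: listening beyond localhost")
    # An unset token means Jupyter generates one, so only an explicit '' disables it.
    if s.get("token") == "" and not s.get("password"):
        findings.append("token: no authentication, anyone who can reach the host can run code")
    if s.get("allow_origin") == "*":
        findings.append("allow_origin: any website may make cross-origin requests")
    if s.get("disable_check_xsrf") is True:
        findings.append("disable_check_xsrf: XSRF token check is off")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
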
