How to put a bokeh server behind an authentication proxy?

I recently wrote a question about bokeh security on stack overflow.

The answerer gave me good advice about the use of bokeh secret keys and signed sessions. But it isn’t enough security for our purposes. As he said,

Is this enough to completely secure things? Technically anyone who can access the connection string sent to the browser could extract the signed session id [and fake an Origin header]…

…As a last comment, you could probably also (additionally) put the bokeh server URL behind an authenticating proxy of some sort… Tho I am not sure exactly what that would look like offhand. That would be better discussed on the Discourse.

This is what we’d like to do. You can see from the original question that we’re using Flask to route users to various bokeh servers running in the background. So, using apache we’d like to authenticate the users before they reach the flask app and only allow access to the bokeh servers once a user is authenticated and their identity is known.

How do we solve for this?
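As an added example (not from this thread or the Bokeh project), here is one way the Apache side of this could look: a single virtual host that authenticates every request before it is proxied to either the Flask app or a Bokeh server, and that passes the verified identity downstream in a header. The hostname, the certificate and htpasswd paths, the `/bokeh/` prefix, the Flask port 8000 and the `X-Remote-User` header name are assumptions; 5006 is Bokeh's default port.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with mod_ssl,
# mod_auth_basic, mod_authn_file, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
# mod_rewrite and mod_headers enabled. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName dashboards.example.com

    # Basic auth must only ever travel over TLS.
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/dashboards.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/dashboards.example.com.key"

    # Authenticate every path on this vhost. Requests that fail auth get a
    # 401 from Apache itself and are never proxied to Flask or Bokeh.
    <Location "/">
        AuthType Basic
        AuthName "Dashboards"
        AuthUserFile "/etc/apache2/dashboards.htpasswd"
        Require valid-user

        # Never trust an identity header supplied by the client: drop whatever
        # came in, then set it from the identity Apache just verified.
        RequestHeader unset X-Remote-User
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    </Location>

    # Bokeh's websocket needs mod_proxy_wstunnel; the Upgrade request still
    # passes through the <Location "/"> auth block above.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/bokeh/(.*)$ ws://127.0.0.1:5006/$1 [P,L]

    ProxyPreserveHost On

    # Longer prefix first: the Bokeh server, then everything else to Flask.
    ProxyPass        "/bokeh/" "http://127.0.0.1:5006/"
    ProxyPassReverse "/bokeh/" "http://127.0.0.1:5006/"
    ProxyPass        "/"       "http://127.0.0.1:8000/"
    ProxyPassReverse "/"       "http://127.0.0.1:8000/"
</VirtualHost>
```

Two things make this safe rather than decorative. First, the backends must not be reachable except through the proxy, otherwise anyone can connect to port 5006 or 8000 directly and send their own `X-Remote-User`; start the Bokeh server bound to loopback and pinned to the proxied hostname, for example `bokeh serve --address 127.0.0.1 --port 5006 --allow-websocket-origin=dashboards.example.com app.py`, and bind the Flask app the same way. Second, the `RequestHeader unset` before the `set` matters: without it a client-supplied header would survive on any code path where `REMOTE_USER` ends up empty. With both in place, Flask can read `X-Remote-User` as the authenticated identity and decide which Bokeh server a user may be routed to.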

So I am pretty wholly unfamiliar with Apache, so I am not going to be able to provide explicit pro-active guidance here. This will have to be something where you make a stab at something, and then we can talk about specific issues that arise in your attempt.

I don’t know how Apache functions in this regard. In the ideal case, Apache itself can be configured to just block any non-authenticated requests at the proxy itself, before they reach the Bokeh server. Less ideally, requests always go through but do (or don’t) have some kind of auth headers applied. There’s no built-in way to have the Bokeh server reject connections based on headers (or cookies), but if necessary I can outline some ways that it could still be achieved with a little work.

Thanks for raising this issue. There is almost certainly some simple feature work we can do to support these kinds of situations better, but nothing helps sharpen requirements like a real use-case.
