Securing Bokeh app on a secure (SSL) WordPress blog

I followed the discussion (link to thread below) regarding reverse-proxying a Bokeh app server on Nginx and I got it to work. However, as I get the app link (http://sghrayeb.com:5006/allegation) to work, it’s showing as “NOT SECURE”. How do I get it to be secure?

/etc/nginx/sites-available/default

upstream flask_siti {
    server 127.0.0.1:8118 fail_timeout=0;
}

upstream bokeh_siti {
    server 127.0.0.1:5006 fail_timeout=0;
}

server {
    root /var/www/wordpress/;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name sghrayeb.com www.sghrayeb.com;

    location / {
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/xxx.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/xxxx.pem; # managed by Certbot
    include /etc/letsencrypt/xxxxx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/xxxxx.pem; # managed by Certbot

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}

server {
    if ($host = www.sghrayeb.com) {
        return 301 http://$host$request_uri;
    } # managed by Certbot

    if ($host = sghrayeb.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # listen 80;
    listen 80 default_server;
    server_name sghrayeb.com www.sghrayeb.com;
    return 404; # managed by Certbot

    client_max_body_size 75M;
    access_log /var/www/logs/nginx.access.log;
    error_log /var/www/logs/nginx.log.error;

    location /opt/webapps/bokehflask/ {
        proxy_pass http://bokeh_siti;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_buffering off;
    }

    location / {
        # checks for static file, if not found proxy to the app
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
        proxy_pass http://flask_siti;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_buffering off;
    }
}

Here’s the command to run the app:

/opt/envs/virtual/bin/bokeh serve allegation.py --allow-websocket-origin=sghrayeb.com:5006 --allow-websocket-origin=www.sghrayeb.com:5006 --use-xheaders

Hi,

You would need to run the Bokeh server on a different instance (or perhaps in a container, though it's not an area of expertise) that is not accessible to the public. The Bokeh server should only be visible to the Nginx server (i.e. behind a firewall that Nginx is in front of, or perhaps across a VPN). If you run the Bokeh server on a publicly accessible server, then it is accessible to the public, by definition. There is no way to secure it in such a configuration.

Thanks,

Bryan

--
You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/f625884a-97ee-496b-8731-0c1f44247190%40continuum.io.
For more options, visit https://groups.google.com/a/continuum.io/d/optout.

Thank you Bryan. How exactly do I go about running a Bokeh server “not accessible to the public”?

Hi,

This is really a network configuration/topology question outside my expertise (and also depends very much on your specific circumstances), so I can't really offer anything specific beyond the general ideas I alluded to earlier. It's possible someone else here has useful experience and can chime in, but more likely you would fare better posing the question in a venue specifically geared towards helping with network admin/devops questions.

Thanks,

Bryan

What do you guys do/use for the Bokeh Gallery?

Evidently we configure --address so that the Bokeh server only listens on the loopback address (I'd forgotten):

  https://github.com/bokeh/demo.bokehplots.com/blob/master/bokeh/templates/bokeh-server.conf#L12

which, I suppose, might be enough for most purposes.

Thanks,

Bryan
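
The loopback-only setup described in the reply above, sketched for this thread's configuration as an added example (not code from the posters or the Bokeh project). The /bokeh URL prefix is an assumption chosen so the app does not collide with the WordPress paths; the upstream name, hostnames and port are the ones posted in the thread.

```nginx
# Added example. Assumption: the app is published under the hypothetical
# URL prefix /bokeh, i.e. https://sghrayeb.com/bokeh/allegation.
#
# Before (as posted): Bokeh is reached directly on its own port over plain
# HTTP at http://sghrayeb.com:5006/allegation, so the certificate on 443 is
# never involved:
#   bokeh serve allegation.py --allow-websocket-origin=sghrayeb.com:5006 \
#       --allow-websocket-origin=www.sghrayeb.com:5006 --use-xheaders
#
# After: bind Bokeh to loopback so only Nginx on the same host can reach it,
# and allow the origin the browser actually sends (the public hostname,
# without :5006):
#   bokeh serve allegation.py \
#       --address 127.0.0.1 --port 5006 \
#       --prefix /bokeh \
#       --allow-websocket-origin=sghrayeb.com \
#       --allow-websocket-origin=www.sghrayeb.com \
#       --use-xheaders

# This location goes inside the existing "listen 443 ssl" server block,
# next to the WordPress locations. The posted config had its Bokeh
# location in the port-80 block instead, where it is served without TLS.
#
# "^~" makes this prefix match final, so the regex location
# "location ~* \.(css|gif|ico|jpeg|jpg|js|png)$" in the same block
# cannot take over requests for /bokeh/static/... files.
location ^~ /bokeh/ {
    # No URI part after the upstream name: the /bokeh/... path is passed
    # through unchanged, matching --prefix /bokeh on the Bokeh side.
    proxy_pass http://bokeh_siti;

    # WebSocket upgrade for the app's /bokeh/allegation/ws endpoint.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Forwarded headers are honoured by Bokeh because of --use-xheaders.
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_buffering off;
}
```

After restarting both services, `ss -ltn` on the host should list the Bokeh listener as 127.0.0.1:5006, and port 5006 should no longer accept connections from outside the machine.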
