Is jupyter notebook server accessible on local area network by default?

Question:

I am having some questions about the configuration of Jupyter notebook, regarding allowing/denying access from LAN.

Firstly, in the case where the file jupyter_notebook_config.py exists, according to the documentation, there is an option called NotebookApp.allow_remote_access (boolean value), and the documentation says that this means: "Allow requests where the Host header doesn’t point to a local server". From my understanding, the host header contains the domain the client wants to access (see What is HTTP "Host" header?). But why can we know, by looking at the domain name the client is sending, whether or not the client is on the local network? If we set the host header to localhost when we send a request from a different machine, then will jupyter notebook do something to verify that this localhost is not real? Plus, we could access jupyter notebook just by typing the IP address and port (127.0.0.1:8888), without specifying any domain name. So does "host header" mean something different here?

Consider secondly the case where the file jupyter_notebook_config.py has not been created. In this case, when I run the command jupyter notebook, will the notebook server be accessible to some other computer on the local area network (LAN)?

I am trying to configure jupyter notebook (version 6.4.12), so that the jupyter server can be accessed only on the computer where we run the server. The aim is to prevent any other device from accessing the jupyter notebook server (and files in the current working directory of the server). Does the default behaviour of jupyter notebook (i.e. running only the command jupyter notebook without flags and without editing the configuration files) already satisfy what I am trying to achieve?

Asked By: Mr User

Answers:

Using this command:

$ jupyter notebook --generate-config

you essentially create a secured configuration where remote access is disabled by default. The IP 127.0.0.1 is used interchangeably with localhost, so there’s no need to worry about someone using that to access your notebook remotely. Any requests from anything other than localhost/127.0.0.1 will be denied.

Also, the default configuration disables root access and will basically refer to the originating directory as the root dir. If you instantiate another notebook in a different directory (possibly even the same directory, I haven’t tried that), you’ll be able to have two simultaneous instances of Jupyter notebook running without issue, as long as you’re not winding up with a data race by editing two files from the same subdirectory if that’s the way you have it set up.

I basically went through this same process not too long ago; that link in the comment above is a really good resource direct from the jupyter docs that goes over how to enable secure remote access, if you’d like. Otherwise, the default is good enough for a single user resource.

If there are multiple users accessing the server, you may run into issues where another user may be able to send a request to localhost:8888 (or whatever port the notebook is running on) and be able to access the notebook. However, as long as you don’t have root access enabled explicitly, you shouldn’t have to worry about your notebook being an attack vector by default.

Edit:
To be clear, the jupyter_notebook_config.py file that’s generated automatically does not change the default behavior of Jupyter; you’ll have to uncomment the settings that you want to alter before they will take effect. The default behavior of the notebook is to only allow local access to the notebook, but there are other things that you can configure as well, like SSL cert access control, the default hostname, root access from a notebook instance (not recommended), etc.

Answered By: Carter Canedy
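
An added sketch (not part of the original post and not Jupyter's own code) of the two separate checks the question touches on: which address the server listens on, which decides whether a LAN machine can connect at all, and whether a request's Host header names a local host, which is what `allow_remote_access` turns off. The function names, the `LOCAL_HOSTNAMES` default and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed default list of hostnames treated as local (illustrative).
LOCAL_HOSTNAMES = ("localhost",)


def host_is_local(host_header, local_hostnames=LOCAL_HOSTNAMES):
    """True if the Host header names a loopback IP or an allowed local hostname."""
    # Split off an optional ":port" suffix, then unwrap a bracketed IPv6 literal.
    host = re.match(r"^(.*?)(:\d+)?$", host_header.strip()).group(1)
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Not an IP literal: compare the name against the local hostnames.
        return host.lower() in local_hostnames


def bind_is_loopback_only(ip):
    """True if a listen address (the NotebookApp.ip value) is reachable only locally."""
    if ip in ("", "*"):  # both mean "listen on all interfaces"
        return False
    if ip == "localhost":
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # some other hostname: treat it as exposed


def request_served(bind_ip, client_is_local, host_header, allow_remote_access=False):
    """Model both layers: the TCP bind address first, then the Host header check."""
    if not client_is_local and bind_is_loopback_only(bind_ip):
        return False  # a LAN client cannot connect to a loopback-only socket
    # The Host check only inspects a client-supplied string, so it does not
    # identify where the client is; it stops a browser that believes it is
    # talking to a non-local domain (the DNS rebinding case).
    return allow_remote_access or host_is_local(host_header)
```

With the listen address left at `localhost`, a request from another machine is refused at the socket whatever its Host header says; the Host check matters for requests that do reach the server, and authentication (token or password) is a separate layer not modelled here.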