I’ve been experimenting with running a Jupyter server inside an LXC container, and making it publicly accessible in a controlled way, via a reverse-proxy setup in Apache. This way, the web server handles all the authentication access, the Jupyter server doesn’t need to impose any restrictions. And being isolated inside a container should help to minimize the impact of a security breach. I found some related documentation here <https://jupyterhub.readthedocs.io/en/stable/howto/configuration/config-proxy.html>, though it talks about JupyterHub, not Jupyter. This part matched what I initially tried (but didn’t fully work on its own): ProxyPreserveHost on ProxyPass http://«container-host»:«port»/ ProxyPassReverse http://«container-host»:«port»/ This line was not something I did, so I’m not sure it’s really needed: RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} However, this whole rewrite business I found to be quite unnecessary: RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://«container-host»:«port»/$1 [P,L] Because the same effect can be achieved much more simply, by one small change to those initial three lines: ProxyPreserveHost on ProxyPass http://«container-host»:«port»/ upgrade=websocket ProxyPassReverse http://«container-host»:«port»/ Notice that “upgrade=websocket” bit? That’s all it took to get the proxying to work.