Due to corporate security requirements, I just had to ensure I had TLS both between clients and my load balancer as well as TLS from the load balancer to the back-end application (JupyterHub).
This was a little problematic because I was using a real certificate, so I had intentionally terminated TLS at the load balancer for cost reasons. So, I used a self-signed certificate between the load balancer and the back-end just now.
If you use this GitHub gist for your nginx config and change the certificate paths to point to the files you generate from this DigitalOcean tutorial, it works out just fine. Then you just have to point your load balancer at port 443 on your JupyterHub host(s) and everything works out great.
Here’s an excerpt of the relevant parts of the DigitalOcean tutorial. Once you make the files, you can just update the gist yourself to use them. The Diffie-Hellman group line is not in the gist, so add that yourself based on the DigitalOcean one if you are so inclined.
sudo mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt
Fill out the details for the cert as you normally would, but pay extra attention to the common name. This should match your DNS name (e.g. env.yoursite.com). If you deploy to multiple environments and this is an internal app, you may consider *.yoursite.com to avoid needing one certificate per environment.
Once you’ve done that, also run the following to create a “strong Diffie-Hellman group”. Refer to DigitalOcean’s link for this one; I honestly didn’t have the time to look into why this is needed yet.
sudo openssl dhparam -out dhparam.pem 2048
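Before pointing nginx and the load balancer at the new files, it is worth confirming that the key belongs to the certificate, that the name matches the one the load balancer will connect to, that it is not about to expire, and that the unencrypted key is not readable by others. The following is an added example, not part of the gist or the tutorial; check_backend_cert is a hypothetical helper name and the 30-day default is an assumption.

```shell
#!/usr/bin/env bash
# Added example: check the self-signed pair before nginx is pointed at it.
# check_backend_cert is a hypothetical helper, not from the tutorial or gist.
# Usage: check_backend_cert CERT KEY DNS_NAME [MIN_DAYS_LEFT]
# e.g. (as root, since /etc/nginx/ssl is mode 700):
#   check_backend_cert /etc/nginx/ssl/nginx-selfsigned.crt \
#                      /etc/nginx/ssl/nginx-selfsigned.key env.yoursite.com
check_backend_cert() {
    local cert=$1 key=$2 name=$3 min_days=${4:-30}
    local cert_pub key_pub mode rc=0

    # Both files must parse; otherwise nothing else is worth checking.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 1; }

    # 1. The key must be the one the certificate was issued for.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 2. The certificate must be valid for the DNS name in use.
    #    -checkhost looks at subjectAltName first, falls back to the
    #    common name, and understands wildcards such as *.yoursite.com.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $name"; rc=1
    fi

    # 3. The certificate must not expire within MIN_DAYS_LEFT days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi

    # 4. The key is unencrypted (-nodes), so only its owner may access it.
    mode=$(stat -c '%a' "$key")      # GNU stat, as on typical Linux hosts
    case $mode in
        *00) ;;
        *) echo "FAIL: $key has mode $mode; remove group/other access"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert matches $key and $name"
    return "$rc"
}
```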