RStudio with SSL proxy
What are we doing
We have a server hosting RStudio, and we want to encrypt the traffic to and from the RStudio service. We also do not want to have to open up port 8787 on the server’s network firewall.
Why would we want this
RStudio Server doesn’t come with encryption by default; you need an SSL certificate. Without one, nothing sent in transit is encrypted, and that includes credentials.
How did we do this
This server already had an SSL certificate configured on the Nginx HTTP server running a static site (see Let’s Encrypt).
We want to use this certificate for the RStudio server running on the same machine. We also want it to be available at the <server>/rstudio route.
This documentation provided the solution for setting up a reverse proxy at the route <server>/rstudio (see RStudio with a proxy).
The complete configuration
The configuration file to edit is /etc/nginx/sites-available/default.conf.
The contents of this configuration file are shown below; they include the default Nginx configuration as well as both the Let’s Encrypt and the RStudio reverse proxy settings.
# Default plain-HTTP server for requests that match no other server_name
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}

# HTTPS server: static site at / and the RStudio reverse proxy at /rstudio/
server {
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name <domain.name>; # managed by Certbot
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    # Redirect /rstudio to /rstudio/ so relative links resolve under the proxy route
    rewrite ^/rstudio$ $scheme://$http_host/rstudio/ permanent;
    location /rstudio/ {
        # Strip the /rstudio prefix before handing the request to RStudio
        rewrite /rstudio/(.*) /$1 break;
        proxy_pass http://localhost:8787;
        proxy_redirect http://localhost:8787 $scheme://$host/rstudio/;
        # WebSocket support. $connection_upgrade is not defined in this file;
        # it must come from a map on $http_upgrade in the http context (e.g. nginx.conf).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<domain.name>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<domain.name>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Redirect plain HTTP for <domain.name> to HTTPS
server {
    if ($host = <domain.name>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name <domain.name>;
    return 404; # managed by Certbot
}
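With the proxy in place, RStudio's own listener on 8787 should only be reachable from the machine itself, otherwise it can still be used without TLS. The following check is an added example, not part of the original write-up: it reads `ss -ltnH` output and reports any non-loopback address listening on the port. The function name and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed `ss -ltnH` output: RStudio Server bound to all interfaces.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:8787 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'

# Constructed output with RStudio Server restricted to loopback.
SAMPLE_LOCAL='LISTEN 0 128 127.0.0.1:8787 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'

# Read `ss -ltnH` lines on stdin; print every non-loopback address listening
# on port $1. Returns 1 if any was found, 0 if the port is loopback-only or closed.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                # drop interface suffix, e.g. %lo
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed samples; on a live host: ss -ltnH | exposed_listeners 8787
for sample in "$SAMPLE_EXPOSED" "$SAMPLE_LOCAL"; do
    if bad=$(printf '%s\n' "$sample" | exposed_listeners 8787); then
        echo "8787: loopback only"
    else
        echo "8787: reachable on $bad, bypasses the TLS proxy"
    fi
done
```

If the check reports an address, setting `www-address=127.0.0.1` in /etc/rstudio/rserver.conf and restarting RStudio Server restricts it to loopback, so the Nginx route is the only way in.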