Cloud Infrastructure,  Data Science,  System Administration,  R

RStudio with SSL proxy

RStudio with SSL proxy

What are we doing

We have a server hosting RStudio, and we want encrypt the traffic too and from the RStudio service. We also do not want to have to open up port 8787 on the server’s network firewall.

Why would we want this

RStudio server doesn’t come with encryption by default, you need an SSL certificate. This means all input in transit is not encrypted… this includes credentials.

How did we do this

This server already had an SSL certification configured on the Nginx HTTP server running a static site: (see Lets Encrypt).

We want to use this certificate for the RStudio server running on the same machine. We also want it to be available by a <server>/rstudio route.

This documentation provided the solution on how to setup a reverse proxy at the route <server>/rstudio (see RStudio with a proxy).

The complete configuration

The configuration file to edit is /etc/nginx/sites-available/default.conf.

The contents of this configuration file which includes the default Nginx configurations as well as both the Let’s Encrypt and the Rstudio reverse proxy.

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;
  server_name _;

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
  }
}

server {
  root /var/www/html;

  # Add index.php to the list if you are using PHP
  index index.html index.htm index.nginx-debian.html;
  server_name <domain.name>; # managed by Certbot

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
  }

  rewrite ^/rstudio$ $scheme://$http_host/rstudio/ permanent;

  location /rstudio/ {
    rewrite /rstudio/(.*) /$1 break;
    proxy_pass http://localhost:8787;
    proxy_redirect http://localhost:8787 $scheme://$host/rstudio/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_read_timeout 20d;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/<domain.name>/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/<domain.name>/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  if ($host = <domain.name>) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80 ;
  listen [::]:80 ;
  server_name <domain.name>;
  return 404; # managed by Certbot
}