Setup RStudio Server Over Nginx Https

I have introduced how to install R and RStudio Server before. But free version of RStudio Server lack of many security features, especially SSL.

This post introduces to secure RStudio Server by an Nginx reverse proxy.

RStudio Server logo

Certbot logo

At first, install R and RStudio Server as introduced before.

Let’s assume the domain name of the server is: www.myserver.com.

1 Setup RStudio Server

Edit file /etc/rstudio/rserver.conf, add following content:

# Only listen localhost
www-address=127.0.0.1
# Connection port, default 8787
# Maybe better to modify it
www-port=8787

Then check the configuration:

$ sudo rstudio-server verify-installation

If there were no issues, restart RStudio Server:

$ sudo rstudio-server restart

2 Install Nginx and setup reverse proxy

  1. Install Nginx by using the command:
$ sudo apt install nginx
  1. Next, edit /etc/nginx/nginx.conf and modify the http section:
http {
        # Basic Settings
        # ...

        map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
        }
}
  1. Then create an Nginx site config file rs-server under the directory /etc/nginx/sites-available/:
server {
	listen 80;
	listen [::]:80;

	server_name www.myserver.com;

	root /var/www/html;
	index index.html;

	location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://localhost:8787/;
        proxy_redirect http://localhost:8787/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
	}
}

Create a symbolic link in directory /etc/nginx/sites-enabled:

$ cd ../sites-enabled
$ ln -s ../sites-available/rs-server .
  1. Check the Nginx configuration:
$ sudo nginx -t

If there were no errors, restart Nginx service:

$ sudo systemctl restart nginx

3 Setup Let’s Encrypt TLS certificate via certbot

  1. Install certbot
# Install snap
$ sudo apt update
$ sudo apt install snapd
$ sudo snap install core; sudo snap refresh core

# Install and config certbot
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
  1. Get & install certificate
$ sudo certbot --nginx

Then test automatic renewal

$ sudo certbot renew --dry-run
  1. Now, the config file rs-server would be like:
server {

	server_name www.myserver.com;

	root /var/www/html;
	index index.html;

	location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://localhost:8787/;
        proxy_redirect http://localhost:8787/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
	}

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.myserver.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.myserver.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.myserver.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	listen [::]:80;

	server_name www.myserver.com;
    return 404; # managed by Certbot


}

Ok. Let’s visit https://www.myserver.com to access the RStudio Server.

Have fun!

Reference

  1. RStudio Server documentation
  2. How to Deploy RStudio Server Using an NGINX Reverse Proxy
  3. magic-lantern/ngix-config
  4. Certbot