There is already a guide on how to set up Nginx as a reverse proxy for Rstudio server. This guide goes further by making sure that Rstudio server is accessible via HTTPS. It was tested on Ubuntu 16.04 LTS and Ubuntu 20.04, so adapt the commands to your system as needed.

This guide assumes that your machine already has Nginx and Rstudio server up and running. After any change in the configuration, you can restart the servers using these commands:

sudo systemctl restart nginx.service
sudo systemctl restart rstudio-server.service

Alternatively, if systemctl is not available on your system for any reason (for example, Ubuntu running on WSL as of this writing), the services can be restarted using the scripts in /etc/init.d:

sudo /etc/init.d/nginx restart
sudo /etc/init.d/rstudio-server restart

Pre-requisites

  1. R and Rstudio server installed, up and running
  2. Nginx server installed, up and running

If you know what you’re doing, the commands below provide a quick shortcut for an Ubuntu 20.04 LTS system. Otherwise, please follow the links above for proper downloads and instructions.

# Install R 4.0
sudo add-apt-repository -y "deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/"
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9
sudo apt-get update
sudo apt-get install -y r-base
# Install Rstudio server
sudo apt-get install gdebi-core
wget https://download2.rstudio.org/server/bionic/amd64/rstudio-server-1.3.1056-amd64.deb
sudo gdebi rstudio-server-1.3.1056-amd64.deb
# Install nginx
sudo apt-get install -y nginx

Road map

At a high-level, the configurations below attempt to

  1. Restrict access to Rstudio server to allow only local connections (i.e. from Nginx)
  2. Configure Nginx server to:
    1. Act as a reverse proxy for Rstudio server
    2. Allow access to Rstudio server by the address /rstudio instead of the port :8787
    3. Re-direct HTTP requests to HTTPS, using an SSL certificate

Note that if Ubuntu resides on a Windows system, some ports need to be allowed by the Windows firewall and forwarded properly. In this case, port 8787 should be forwarded during the configuration (to test whether your Rstudio server installation works). Eventually, ports 80 and 443 should be forwarded to make sure connections can arrive at Nginx.

Steps that work on Ubuntu 16.04 LTS and Ubuntu 20.04 LTS

Configure Rstudio server

Once your Rstudio server is online, you can go to the browser and put YOUR.SERVER.ADDRESS:8787 in the address bar to be directed to the login page. Now edit the Rstudio configuration file /etc/rstudio/rserver.conf to restrict access to local connections only:

# Make sure rstudio-server only accepts connections from the local machine (loopback)
www-address=127.0.0.1

Now if you go to the browser again and put YOUR.SERVER.ADDRESS:8787, there should be nothing (or some error).

Generate SSL certificate

If your machine is accessible from the internet, you can obtain an SSL certificate for free from Let’s Encrypt. Otherwise, you can generate a certificate for internal use. Note that with a self-signed certificate generated in the following way, you’ll need to override the browser’s warning about “Untrusted authority”.

Create a config file openssl-req.cnf with the content below, replacing the details as needed:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = Los Angeles
O = TheBananaCompany
OU = Department of Seeds
CN = www.banana.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.banana.com
DNS.2 = banana.com

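Run openssl with this config file to generate cert.key (the private key) and cert.crt (the certificate, which contains the public key). Here both files are stored in /etc/nginx. If you keep them in another place, take note of the path. The -nodes option leaves the private key unencrypted on disk, so make sure cert.key is readable only by root.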

sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt -config /path/to/the/file/openssl-req.cnf -sha256

Configure Nginx server

In your /etc/nginx/nginx.conf, look for the http section and add these lines:

http {
     ##
     # Basic Settings
     ##
    
     # ...
    
     ## ADD THESE LINES
     map $http_upgrade $connection_upgrade {
         default upgrade;
         ''      close;
     }
}

If it doesn’t exist yet, create a file at /etc/nginx/conf.d/rstudio.conf, and add these lines. Replace your.server.name accordingly, and the path to the SSL certificate and key, if necessary.

## redirecting http to https
server {
 listen 80;
 server_name your.server.name;
 return 301 https://$host$request_uri;
}

## Serving rstudio via https
server {
 listen 443 ssl;
 
 # REPLACE THE PATH IF NECESSARY
 ssl_certificate /etc/nginx/cert.crt;
 ssl_certificate_key /etc/nginx/cert.key;
 
 # make rstudio accessible at the address 
 # https://your.server.name/rstudio instead of
 # https://your.server.name:8787/

 rewrite ^/rstudio$ $scheme://$http_host/rstudio/ permanent;

 location /rstudio/ {
   rewrite ^/rstudio/(.*)$ /$1 break;
   proxy_pass http://localhost:8787;
   proxy_redirect http://localhost:8787/ $scheme://$http_host/rstudio/;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $connection_upgrade;
   proxy_read_timeout 20d;
 }
}

Restart servers and test

Make sure your changes take effect by restarting the servers:

sudo /etc/init.d/nginx restart
sudo /etc/init.d/rstudio-server restart

Now if you put YOUR.SERVER.NAME/rstudio in the browser, it should automatically re-direct you to https://YOUR.SERVER.NAME/rstudio.

Handy commands

If things don’t go as expected, below are a few handy commands to help you track the problem down.

# List the ports that are actively listening
lsof -i -P -n | grep LISTEN

# Test if the port is accessible locally - on the server
curl -i localhost:8787

# Test if the port is accessible from the internet - on a client with either netcat (nc), or telnet
nc -vz www.amazon.com 80
nc -vz your.server.name 80
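
The checks below are an added example, not part of the original guide: they test two of the road-map goals (Rstudio server reachable only locally, HTTP redirected to HTTPS) by parsing the output of lsof -i -P -n and curl -sI. The function names and the sample lsof lines and response headers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks for two road-map goals, demonstrated on constructed samples.

# Print every non-loopback address that listens on port $1.
# stdin: output of `lsof -i -P -n` (the command from "Handy commands").
exposed_listeners() {
  awk -v port="$1" '
    $NF == "(LISTEN)" {
      sock = $(NF - 1)                 # e.g. 127.0.0.1:8787, *:80, [::1]:8787
      n = split(sock, part, ":")
      if (part[n] != port) next        # a different port
      addr = substr(sock, 1, length(sock) - length(part[n]) - 1)
      if (addr !~ /^127\./ && addr != "[::1]") print addr
    }'
}

# Succeed only if the response is a 301 whose Location is an https:// URL.
# stdin: headers from `curl -sI http://your.server.name/rstudio`.
redirects_to_https() {
  awk '
    NR == 1 { code = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { exit !(code == 301 && loc ~ /^https:\/\//) }'
}

# Constructed sample: rserver bound to all interfaces (www-address not set yet).
LSOF_BEFORE='rserver 812 rstudio 7u IPv4 21011 0t0 TCP *:8787 (LISTEN)
nginx 901 root 6u IPv4 22100 0t0 TCP *:80 (LISTEN)'
# Constructed sample: after www-address=127.0.0.1 and a restart.
LSOF_AFTER='rserver 812 rstudio 7u IPv4 21011 0t0 TCP 127.0.0.1:8787 (LISTEN)
nginx 901 root 6u IPv4 22100 0t0 TCP *:80 (LISTEN)
nginx 901 root 7u IPv4 22101 0t0 TCP *:443 (LISTEN)'
# Constructed sample: response expected from the port-80 server block.
HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://your.server.name/rstudio'

for sample in "$LSOF_BEFORE" "$LSOF_AFTER"; do
  bad=$(printf '%s\n' "$sample" | exposed_listeners 8787)
  if [ -n "$bad" ]; then
    echo "FAIL: port 8787 is reachable on: $bad"
  else
    echo "OK: port 8787 has no non-loopback listener"
  fi
done
if printf '%s\n' "$HEADERS" | redirects_to_https; then
  echo "OK: HTTP redirects to HTTPS"
fi
```

On a live server, pipe `sudo lsof -i -P -n` into `exposed_listeners 8787` and `curl -sI http://your.server.name/rstudio` into `redirects_to_https`. An empty result from the first check also occurs when nothing listens on 8787 at all, so confirm that rstudio-server is running.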