I have an instance of RStudio server working on a local network at work. However, as more people can access that network, I would like to find a way of stopping some from sniffing the networks and finding my login password to the RStudio web access.
I thought about just installing an SSL certificate and so on, but most tutorials I find online include only either SSL certificates which don't work for bare IP addresses, or are simply aimed for external connections.
Is there a tutorial somewhere on how to configure this on a local network?
I believe that to enable SSL on an RStudio Server, you either need to be using RStudio Server Pro (if terminating SSL at the server) or a proxy in front of the server (if terminating SSL at the proxy).
Can you share a bit more about your server and your current setup? Does your local network have a certificate authority? (i.e. could ask IT, or do you have a VPN, are there other sites on your network that use HTTPS only on the local network, etc.)
It's a network at the university. The server is just a computer with Ubuntu, connected to that same network. However, the network is not visible from the external "world", only local. But as there are a couple of computers connected to that network, mainly from users I don't trust, I know that it is possible to easily get the username and password I'm using for Rstudio.
I thought indeed of a proxy with nginx or so, but I couldn't find a proper tutorial on how to configure it with SSL on a local network. Tried several times but it never happens.
My main goal is that whenever I connect to RStudio Server, that it is impossible for someone to sniff the password.
Ahh interesting. Just out of curiosity, is the server just used for private work, research, or for teaching? https://rstudio.cloud would definitely be something to keep in mind if resource constraints are not an issue.
In any case, SSL is definitely the path you want to go down. So I would recommend setting up an nginx server on the same computer (listening on 80 and 443), proxying RStudio Server at 8787 or wherever you like, and only opening ports 80/443 in your firewall (depending on if you want to allow "upgrading" the protocol from http to https).
The way SSL works on a local network like that is you either need a Certificate Authority that says "yep, this is legit." Depending on the size of the local network, this may or may not exist. If it does not exist, then you probably will want to just use a self-signed certificate and then host the key on any computer that needs to connect securely. (In the absence of a Certificate Authority, the client has to have the key to be able to encrypt / connect securely).
I intend at some point to write up an article on SSL (hopefully I will get to it someday)
Until that point, maybe these articles would be helpful?
@cole That article on SSL sounds really useful and I hope that you will get to it one day (nudge nudge).
I've just created a droplet on Digital Ocean with a self signed signature, restrict IP access on http/https, port all traffic to https in Nginx but I have no clue when enough is enough and Chrome is complaining about my signature.
Yes, I read about the problem with self signed signature. As I understand it I can't use letsencrypt when I don't have a domain, so I considered it the best temp solution for SSL until I get a domain, and as long as I restrict IP.