Let's encrypt and RStudio/Shiny server


#1

This is not a question, just a memo in case I am hit by a bus. Thanks to sahsanu at community.letsencrypt.org and Till on howtoforge.de

Running RStudio and Shiny server on Ubuntu/Apache2. Using a Proxy to redirect Port 3838 and 8787 to subdomain, and letsencrypt to make it https. For example, I can acces my app with:

https://apps.menne-biomed.de/breathtestshiny/

instead of http://menne-biomed.de/breathtestshiny:3838 . I had used the options below without the .well-known line before. This worked well with the exception of renewal: To renew, I had to remove all options and re-insert these later.

After adding the .well-known line below, automatic renewals work. You can test with

/opt/certbot/certbot-auto renew --force-renew
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPass /.well-known/acme-challenge !
ProxyPass /stats !
RedirectMatch permanent ^/apps/$ /apps/
ProxyPreserveHost Off

ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/


#2

Nice way to handle a couple of subtle but annoying problems! I’ve set up something similar with Nginx, if there’s any interest I’ll share my /etc/nginx.conf.


#3

I would definitely like to see a similar solution with Nginx.


#4

Yes please do share :slight_smile:


#5

Sure, wow, @daattali I actually used your guides on Digital Ocean (I think? It’s been a minute) to set up my first RStudio server. Thanks for that and your other contributions to the R community!

To pull off an encrypted proxy server from a subdomain with Nginx and painless autorenews, here’s what worked for me,

  1. Add a CNAME entry to redirect the subdomain to the root domain (you may already have a wildcard CNAME entry set up, that works fine too). For example I’ve set up www.inductive.pw (which is empty) and a subdomain rs.inductive.pw to serve RStudio Server.
  2. Configure the virtual server structure within Nginx’s settings. Takes some trial and error.
    • On Ubuntu server, I left /etc/nginx/nginx.conf fairly untouched and created two new configuration files to do the work: one to serve the virtual “root” domain and one to server the subdomain that I’m piping RStudio to
    • Simlink those two .conf files into /etc/nginx/sites-enabled/ for Nginx to find and use them. If there’s a file called default anywhere in that dir, get rid of it.
    • Here’s a gist with those .conf files
      • /ect/nginx/nginx.conf mostly left this alone
      • /etc/nginx/sites-available/inductive-pw.conf to configure root domain server
      • /etc/nginx/sites-available/rs-inductive-pw.conf for subdomain server
  3. Try and get everything setup and working properly on http (port 80) before adding Let’s Encrypt. Certbot auto-adds most of the encryption related bits (“443” or “SSL” or “https”) to the .conf files when you run it.
  4. After all is good on http, initiate Let’s Encrypt in the usual way (eg, sudo certbot --nginx) and it should automatically pick up your entire domain/subdomain structure and modify your .conf files appropriately. If it doesn’t, it’s probably because your Nginx configuration files are wrong somewhere.

Dang, sorry for the wall of text. Hope it helps