Support

Using SSL with RStudio Workbench

Follow

It's possible to use an SSL certificate with the launcher in RStudio Workbench. This may seem appealing, but what does this mean and how does it affect the interactions with RStudio Workbench?

 

Can I use the same SSL for my RStudio Workbench server, for the launcher?

Unfortunately not, the Launcher certificates must be different certificates from those used for RStudio Server.

 

Launcher with SSL Explained

Consider the following diagram:

                 (a)           (b)
Browser (User) <------> RSP <------> Launcher
^
| (c)
                         v
                     R Session                         
  • (a) represents the communication between the Browser and RStudio Server itself.
  • (b) represents the communication between RStudio Server and the RStudio Job Launcher.
  • (c) represents the communication between the RSession and the RStudio Job Launcher. (Note: The Launcher starts the session in the backend, such as Slurm or Kubernetes, but does not communicate with the session directly.)

All three lines of communication are over HTTP/S. The R Session communicates with RStudio Server (c) the same way that a browser communicates with RStudio Server (a). The R Session discovers the address with which to communicate with the server via the launcher-sessions-callback-address​ setting, which is why the setting needs to be exactly the same as what you would enter into the browser.

The settings that pertain to the encryption of (a) and (c) are as follows, that is, enabling HTTPS for communication with RStudio Server:

/etc/rstudio/rserver.conf:
ssl-enabled=1
ssl-certificate=</path/to/server/cert.pem> 
ssl-certificate-key=</path/to/server/key.pem>

Additionally, the following settings are relevant to the configuration of HTTPS for (a) and (c), but not strictly required for enabling it:

/etc/rstudio/rserver.conf:
www-address=<my-org.rsp-hostname.com>
www-port=<port#, default 443 if ssl-enabled=1>
launcher-session-callback-address=<https://my-org.rsp-hostname.com[:port#]>

In addition to the requirement that certificates defined in rserver.conf​ are added to the trusted certificate store of the host, they must have been generated with the correct Common Name​ (or CN​) matching the hostname of RSP (most likely the same value as the www-address​), and the files must have restrictive permissions (root:root 400​). Additionally, the CA root must be trusted by any machines within your network that will access RSW. For example, a user's machines as well as Slurm compute nodes that will run R sessions. 

The settings that pertain to the encryption of (b) are as follows (i.e. to enable HTTPS for communication between RStudio Server and the Launcher):

/etc/rstudio/rserver.conf:
launcher-use-ssl=1
launcher-address=<launcher hostname or IP>
launcher-port=<port#>

/etc/rstudio/launcher.conf:
enable-ssl=[0|1]
certificate-file=</path/to/launcher/cert.pem>
certificate-key-file=</path/to/launcher/key.pem>
address=<launcher hostname or IP>
port=<port#>


Note that the values of launcher-use-ssl​, launcher-address​, and launcher-port​ in rserver.conf​ should match the values of enable-ssl​, address​, and port​ in launcher.conf​ respectively. Also, note the lack of http://​ or https://​ in front of the launcher-address​ value. The protocol for communication is determined by the value of launcher-use-ssl​.

The Launcher certificates must be different certificates from those used for RStudio Server. The correct CN​for the Launcher's certificates is the value of address​ in launcher.conf​. If RStudio Server and the Launcher will be running on the same machine, localhost​ may be used. Another difference from the RStudio Server certificates is that the Launcher certificates should be owned by the server-user​ and admin-group​and defined in launcher.conf​. For example, if those values were left as they are on installation (both rstudio-server​) then the certificate files for the Launcher should have the permissions rstudio-server:rstudio-server 400​.

 

More information on SSL configuration options can be found here:

https://docs.rstudio.com/ide/server-pro/access_and_security/secure_sockets.html

 

Support Ticket

If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly, and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:

https://support.rstudio.com/hc/en-us/requests/new

Comments