Https for Self-Hosted R Studio and R Shiny Apps

One of the wonderful things about R Studio (and R Shiny) is that you can host them on your own Linux server (together with Lime Survey, for example). This allows you to access these resources from different locations, let’s you run them for hours or days in the background, and let’s you share them with others; all essentially for free.

However the R Studio server installation is typically only accessible from port 8787 (R Shiny from port 3838), which cannot be secured using SSL services like Let’s Encrypt (which give you the https in the URL).

Let’s Encrypt only works on port 80, the “normal” web surfing port. So should you just accept an unencrypted connection to your R installation? Certainly not!

Especially because an unencrypted connection is much easier to hack (including stealing your login and password), and if you download data from your R server, that would be unencrypted too. It’s a risk you probably shouldn’t take, especially if you’re dealing with sensitive data, like personal information.

To use Let’s Encrypt, first setup a virtual host (learn more about that here for Apache). Just as you can setup virtual host for a normal website, you can do the same for R Studio, but with some adjustment. An example of the virtual host code (your.subdomain.here) is shown below. Just replace with your subdomain, and on an Apache webserver (running on Ubuntu 20 in my case), it should work just fine.

<VirtualHost *:80>
    ServerName your.subdomain.here

# Specify path for Logs
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on

# Rewrite the url supplied to ensure https is applied
    RewriteCond %{SERVER_NAME} =your.subdomain.here

# Following lines should open rstudio directly from the url
    RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*) ws://localhost:8787/$1 [P,L]
    RewriteCond %{HTTP:Upgrade}     !=websocket
    RewriteRule /(.*) http://localhost:8787/$1 [P,L]
    ProxyPass /     http://localhost:8787/
    ProxyPassReverse / http://localhost:8787/

    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

For a Shiny server you should replace the 8787 port in the virtual host code above with 3838. If you do face issues, maybe also check here.

Once you’ve succeeded setting up the virtual server, enable it…

sudo a2ensite your.subdomain.here

And then check to make sure it is properly installed with:

sudo apache2ctl configtest

It is possible that after this step, you receive an error about the “RewriteEngine”-part of the code. In this case, be sure the enable the rewrite-function in Apache using:

sudo a2enmod rewrite

After that there should be no more errors. Finally, run Let’s Encrypt (assuming it’s already installed, else see here how and what you should install).

sudo certbot --apache

Follow the brief questions, and that’s it! Well done, your connection to your R Studio server installation is now encrypted. Safe surfing everyone!

(Note: this post was updated on 10 July 2022. Some corrections were made to the code and need to activate Apache rewrite plugin.)

Leave a Reply

Your email address will not be published.