Updated on | #rstudio, #pam, #sssd | 2 User comments

RStudio - RStudio Server and Shiny

RStudio is an integrated development environment (IDE) for R. It includes a console, syntax-highlighting editor that supports direct code execution, as well as tools for plotting, history, debugging and workspace management. With Shiny it is possible to build interactive web applications by using R, or it can be written directly in HTML, CSS, and JavaScript for more flexibility. Here you can find some tips and tricks about RStudio Server and Shiny.

System Security Services Daemon (SSSD)

SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through PAM and NSS modules. If you are using the Rstudio-Server Open Source Edition, it is not intended to use LDAP function via Samba4. By using SSSD in combination with PAM you are able to link Samba4 accounts with RStudio-Server in the Open Source Edition.

At first you need to check if SSSD is running successfully:

  1. id <username>
uid=3139(thomas) gid=2513(domain users)

So, if this is working you are able to create a PAM configuration file. Create /etc/pam.d/rstudio and insert the following content.

  1. nano /etc/pam.d/rstudio
#%PAM-1.0
auth        optional      pam_faildelay.so  delay=3000000
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_env.so readenv=1
session     required      pam_env.so readenv=1 envfile=/etc/default/locale
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore module_unknown=ignore default=bad] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

auth       optional   pam_group.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional   pam_motd.so
session    optional   pam_mail.so standard

After this, log into your Rstudio-Server on 127.0.0.1:8787 with the Samba4 username and password. The output in /var/log/auth.log should look like this:

  1. Aug 15 16:24:01 mediaserver CRON[27561]: pam_unix(cron:session): session opened for user www-data by (uid=0)
  2. Aug 15 16:24:01 mediaserver CRON[27561]: pam_unix(cron:session): session closed for user www-data

In order to use shiny server you don't need to create a new configuration file for PAM. Use SymLink to create the file:

  1. ln -s /etc/pam.d/rstudio /etc/pam.d/shiny-server

HAProxy for RStudio-Server with SSL

HAProxy is a very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. If you want to use RStudio-Server and Shiny together with SSL, HAProxy is a great solution. In principle it is working like this:

HAPROXY (Port 443) -> Identify Rstudio-Server Request -> Forward to 127.0.0.1:8787

HAPROXY (Port 443) -> Identify Shiny Request -> Forward to 127.0.0.1:3838

In my case, I want to use a subdomain together with a folder path in the URL:

https://subdomain.domain.tld/rstudio

This is not so easy to solve in the community edition, because there is no option for a subdomain or a special path name (or it is not official).

Rstudio-Server and Shiny Frontend

At first, you need to configure the frontend, where you can use your existent SSL frontent on port 443.

  1. sudo nano /etc/haproxy/haproxy.cfg
frontend ssl_server_443

    ...

    # Cloud Apps
    acl rstudio_server ssl_fc_sni -i SUBDOMAIN.DOMAIN.TLD

    acl rstudio_path url_beg /rstudio/
    acl rstudio_signin_path1 url_beg /auth-sign-in
    acl rstudio_signin_path2 url_beg /rstudio/auth-sign-in

    acl shiny_path url_beg /shiny/

    # Rstudio and Shiny
    redirect location https://SUBDOMAIN.DOMAIN.TLD/rstudio/auth-sign-in?appUri=rstudio/ if rstudio_signin_path1 !rstudio_signin_path2
    use_backend bk_rstudioHAProxyId_8787 if rstudio_server rstudio_path !shiny_path
    use_backend bk_shinyHAProxyId_3838 if rstudio_server shiny_path

    ...
    default_backend bk_apacheHAProxyId_62080 check

It is working like this:

  1. You go to https://subdomain.domain.tld/rstudio/
  2. Rstudio is fowarding you to https://subdomain.domain.tld/auth-sign-in to the login page. Yes, there is no rstudio in the path!
  3. HaProxy is checking this and forward you to https://subdomain.domain.tld/rstudio/auth-sign-in
  4. After a successful login it is only using https://subdomain.domain.tld/rstudio/

RStudio-Server Backend

The RStudio-Server backend receives forwarded requests from the SSL-frontend.

  1. sudo nano /etc/haproxy/haproxy.cfg
backend bk_rstudioHAProxyId_8787
        mode http
        option forwardfor
        option httpclose
        option redispatch
        option originalto
        option  http-pretend-keepalive
        option  http-server-close

        # replace "/rstudio/" with "/" at the beginning of any request path:
        reqrep ^([^\ :]*)\ /rstudio/(.*)     \1\ /\2
        reqadd X-Script-Name:\ /rstudio
        reqadd X-RStudio-Username:\ %[ssl_c_s_dn(cn)]

        server srv_rstudioHAProxyId 127.0.0.1:8787 check

Shiny Backend

The Shiny backend receives forwarded requests from the SSL-frontend.

  1. sudo nano /etc/haproxy/haproxy.cfg
backend bk_shinyHAProxyId_3838
        mode http
        option forwardfor

        # Fake connection:close, required in this setup.
        option http-server-close
        option http-pretend-keepalive

        balance uri depth 2

        server srv_shinyHAProxyId 127.0.0.1:3838 check

Well, what do you think?

gmat said
Hi,
did you update your server to the 0.99.896 version ? The last version I use is the 0.99.484. If I do the update I am not able to connect any more. I use a different rstudio pam.d file than your but even with your I get the same issue.
Thks
Thomas Ludwig said
Hi gmat,

nope, still using Version 0.99.467. Good to know, that it would be good to change a little bit later :-)

Cheers,

Thomas
Comments powered by LudwigDisqus for ModX