Set Up SSL

Workbench

A secure installation of Posit Workbench encrypts network traffic using SSL. SSL doesn’t come pre-configured since it requires certificates signed by a Certificate Authority (CA) trusted by all parties.

Use SSL for web users

If your configuration of Workbench is accessed directly by end users, see the SSL configuration section, which describes how you can ensure that HTTPS is used when Workbench is accessed via a web browser. Note that this does not apply if you are terminating SSL upstream, for example when you are using nginx or Apache in front of Workbench as described in Running with a Proxy and handling SSL there.

Use SSL for the Job Launcher

Ensure that communication with the Job Launcher is encrypted by setting launcher-use-ssl=1 as follows:

/etc/rstudio/rserver.conf
launcher-use-ssl=1

Note that additional configuration for the Job Launcher is required to make it possible to connect to it over SSL. See Job Launcher Configuration for details. Example Launcher configuration:

/etc/rstudio/launcher.conf
enable-ssl=1
certificate-file=/var/certs/your_domain_name.crt
certificate-key-file=/var/certs/your_domain_name.key

Restrict TLS versions

Posit Workbench supports many different SSL protocols for compatibility with older browsers, but several are no longer considered secure. We recommend disabling support for all SSL protocols except the most recent two, TLS 1.2 and 1.3. See the SSL protocols section for more details.

/etc/rstudio/rserver.conf
ssl-protocols=TLSv1.2 TLSv1.3

Use HTTP Strict Transport Security (HSTS)

When configured with SSL, Posit Workbench uses HTTP Strict Transport Security automatically. This is a security setting that forces the browser to always use HTTPS when connecting to Posit Workbench. We recommend including the maximum age to 1 year, and extending coverage to subdomains.

/etc/rstudio/rserver.conf
ssl-hsts-max-age=31536000
ssl-hsts-include-subdomains=1

This ensures that the browser will not connect via HTTP to the domain running Posit Workbench (and any of its subdomains) for one year.

Using SSL with RStudio Server Open Source

Posit Workbench has built-in SSL and HTTPS controls as described in this section. However, much of the same advice applies if you are securing an installation of the Open Source edition of RStudio Server; you can run RStudio Server behind a reverse proxy such as Nginx and perform SSL termination upstream.