Lab 3 – Setting up HTTPS

In this hands-on lab, we will install the SSL certificates, and configure Connect to use them. This will ensure that the connection between the users of Connect and the server that hosts it uses HTTPS.

Note: Timings for this chapter
  • Reading time: 10 minutes
  • Documentation reading time: 5 minutes
  • Hands-on exercise time: 15-30 minutes

Moving the certificate to the correct location

The certificate and its key are located in a folder called certs inside the ubuntu home folder in your virtual machine. For Connect, we recommend putting these files in the same folder as the other configuration files, in /etc/rstudio-connect/. Move the files from the certs folder in your home directory, to /etc/rstudio-connect/.

Setting up the permissions

Once they are in the Connect folder, make sure you set the correct permissions for these two files. Ensure that the files have both the appropriate owner and mode using the chown and chmod commands.

Tip: Inspecting the certificate

To check the content of your certificate file, and to ensure that the full certificate chain is present in your file, you can run:

openssl x509 -text -noout -in <path_to_certificate_file.crt>  

This command will also check that the certificate is in the PEM format, which is required by Connect. The documentation provides commands for converting certificates in other formats to PEM.

As indicated in our documentation, the private key cannot be protected with a passphrase. If there is one, you can remove it with this command:

openssl rsa -in [original.key] -out [new.key]
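
As an added example (not part of the original lab or of Posit's documentation), the script below runs three pre-flight checks on the files before Connect is restarted: it counts the PEM certificates in the file, since `openssl x509` reads only the first one, detects a passphrase-protected key from its PEM header, and confirms the key is not accessible to group or others. The function names and sample file names are hypothetical, and `stat -c` assumes GNU coreutils, as on the lab's Ubuntu VM.

```shell
# Count certificates in a PEM file: 1 is a lone leaf, 2+ means a bundled chain.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 when the key is passphrase-protected: PKCS#8 "ENCRYPTED PRIVATE KEY"
# block, or the traditional PEM header "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Exit 0 when group and others have no access bits (e.g. 600). Uses GNU stat.
mode_is_private() {
    case "$(stat -c '%a' "$1")" in ?00) return 0 ;; *) return 1 ;; esac
}

# Print one finding and bump the counter used by check_tls_files.
flag() { echo "$1"; problems=$((problems + 1)); }

# Run every check on CERT and KEY; return the number of findings.
check_tls_files() {
    cert=$1 key=$2 problems=0
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key"; return 99; }
    n=$(pem_cert_count "$cert")
    [ "$n" -ge 2 ] || flag "chain: $cert holds $n certificate(s), no intermediates"
    if key_is_encrypted "$key"; then flag "key: $key is passphrase-protected"; fi
    mode_is_private "$key" || flag "mode: $key is accessible to group or others"
    return "$problems"
}

# Constructed sample files: placeholder bodies, no real key material.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$1/leaf.crt"
    cat "$1/leaf.crt" "$1/leaf.crt" > "$1/chain.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$1/plain.key"
    chmod 644 "$1/enc.key"
    chmod 600 "$1/plain.key"
}

# Usage: sh <this script> CERT KEY
if [ "$#" -eq 2 ]; then check_tls_files "$1" "$2"; fi
```

A certificate issued directly by a trusted root legitimately holds a single block, so treat the chain finding as a prompt to look at the file rather than as a failure.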

Editing the configuration file

You can now edit your Connect configuration file to:

  1. use https for the URL of your Connect installation
  2. point to the location of your certificate and its key
  3. ensure that only HTTPS is used
  4. set up HTTP to HTTPS redirection

To do this, you will need to edit or set the following variables:

  • Server.Address: use https:// in front of the URL (As a reminder, you can get the URL of your Connect installation with: echo https://$HOSTNAME.$_SANDBOX_ID.instruqt.io.)
  • HTTPS.Listen: set to :443 (the default port used for HTTPS communications)
  • HTTPS.Certificate and HTTPS.Key: set to the full path for the SSL certificate and its key
  • HTTPS.Permanent: set to true (to only allow the HTTPS protocol)
  • HTTPRedirect.Listen: set to :80 (to set up the HTTP to HTTPS redirects)

Tip: Configuration syntax

The notation Server.Address is used to refer to the setting Address within the Server section.
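
As an added example (not the lab's or Posit's own tooling), this script reads a Connect-style configuration file and reports which of the five settings listed above are missing or weak. The function names, and the host name and certificate file names in the sample, are placeholders.

```shell
# Print the value of SECTION.KEY from a config FILE ("[Section]" headers,
# "Key = value" lines, ";" or "#" comments); names match case-insensitively.
cfg_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        tolower(sec) == tolower(s) && (i = index($0, "=")) {
            name = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", name); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (tolower(name) == tolower(k)) val = v
        }
        END { print val }' "$1"
}

# Print one finding and bump the counter used by lint_https_config.
flag() { echo "$1"; issues=$((issues + 1)); }

# Check the five settings this lab asks for; return the number of findings.
lint_https_config() {
    f=$1 issues=0
    case "$(cfg_get "$f" Server Address)" in
        https://*) ;; *) flag "Server.Address does not start with https://" ;;
    esac
    [ -n "$(cfg_get "$f" HTTPS Listen)" ] || flag "HTTPS.Listen is not set"
    for key in Certificate Key; do
        case "$(cfg_get "$f" HTTPS "$key")" in
            /*) ;; *) flag "HTTPS.$key is not a full path" ;;
        esac
    done
    [ "$(cfg_get "$f" HTTPS Permanent)" = true ] || flag "HTTPS.Permanent is not true"
    [ -n "$(cfg_get "$f" HTTPRedirect Listen)" ] || flag "HTTPRedirect.Listen is not set"
    return "$issues"
}

# Constructed sample: host name and certificate file names are placeholders.
write_sample_config() {
    cat > "$1" <<'EOF'
[Server]
Address = https://connect.example.com
[HTTPS]
Listen = :443
Certificate = /etc/rstudio-connect/example.crt
Key = /etc/rstudio-connect/example.key
Permanent = true
[HTTPRedirect]
Listen = :80
EOF
}

if [ "$#" -eq 1 ]; then lint_https_config "$1"; fi
```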

Restart Connect and check that you can now access your instance using HTTPS. The “Posit Connect” tab inside Instruqt is set up to use HTTPS for this lab, so if you see Connect there, you set it up correctly. Alternatively, visit the address you used in your configuration file. You can now click the “Check” button to verify that you completed all the steps for this lab.

Check Your Understanding

Before moving on, test your knowledge of HTTPS configuration in Posit Connect:

  1. File Permissions: What are the two key commands you need to use to set proper ownership and permissions for SSL certificate files in Connect? Why is this important for security?

  2. Configuration Settings: Name three configuration variables that must be modified in the Connect configuration file to enable HTTPS, and briefly explain what each one does.

Based on the lab content and the SSL certificates documentation, here are the answers to the “Check Your Understanding” questions:

  1. The two key commands needed to set proper ownership and permissions for SSL certificate files in Connect are:

    1. chown - Sets the correct ownership of the certificate files to the Connect service account
    2. chmod - Sets the appropriate file permissions (typically 600 for private keys and 644 for certificates)

    Why this is important for security:

    • Restricts access: Only the Connect service and authorized users can read the certificate files
    • Protects private keys: The private key file should only be readable by the Connect service account to prevent unauthorized access
    • Prevents tampering: Proper permissions ensure that certificate files cannot be modified by unauthorized users
  2. Three configuration variables that must be modified in the Connect configuration file to enable HTTPS are:

    1. Server.Address: Sets the base URL for Connect to use HTTPS protocol (e.g., https://your-connect-server.com)

    2. HTTPS.Certificate: Specifies the full path to the SSL certificate file that contains the public key and certificate chain

    3. HTTPS.Key: Specifies the full path to the private key file corresponding to the SSL certificate

    Additional important variables mentioned in the lab:

    • HTTPS.Listen: Sets the port for HTTPS connections (typically :443)
    • HTTPS.Permanent: When set to true, forces Connect to only accept HTTPS connections
    • HTTPRedirect.Listen: Sets up HTTP to HTTPS redirection (typically :80)

    These settings work together to ensure that Connect operates securely over HTTPS and properly redirects any HTTP traffic to the secure HTTPS endpoint.

Looking Back, Planning Ahead

Based on what you learned in this lab, prepare the installation of Connect on your infrastructure:

  • Do you know where you will get the SSL/TLS certificates you will need?
  • Plan to check that the full certificate chain is available in your certificate
  • Make sure that the private key is not protected with a passphrase

Next steps

Next, you are going to practice connecting an authentication system to your Connect installation. For the purpose of this training, we will use the OIDC protocol, but the configuration steps for other systems are documented in the Admin Guide.