Securing Access with HTTPS

By the end of this lesson, you will be able to:

  • Explain why HTTPS is essential for a production Package Manager deployment
  • Describe the role TLS certificates and private keys play in securing access
  • Identify where certificates should live and how they should be permissioned
  • Recognize the configuration changes Package Manager needs to serve traffic over HTTPS

Introduction

By default, Package Manager serves traffic over unencrypted HTTP. For any deployment beyond initial testing, you need to configure HTTPS so traffic between clients and the server, including credentials and the packages your users download, is encrypted and cannot be intercepted or tampered with.

Understanding HTTPS configuration using TLS certificates is essential for any production Package Manager deployment. This lesson explains the concepts behind securing Package Manager with HTTPS. The accompanying lab walks you through placing certificates correctly, setting their permissions, and configuring Package Manager to use them.

Note: Timings for this chapter
  • Reading time: 10 minutes
  • Documentation reading time: 10 minutes
  • Hands-on exercise time: 10 minutes

What TLS Provides

TLS (Transport Layer Security) secures the connection between a client and a server using two related files: a certificate and a private key.

The certificate is presented to clients and identifies your server. It is not secret: it is meant to be shared, which is why it can be readable by others. The private key, by contrast, is the secret that proves the server owns that certificate. If the private key is exposed, the security of the connection is compromised, so it must be readable only by the account that runs Package Manager. This asymmetry is the reason the certificate and private key have different permission settings.

Certificate Placement and Permissions

Posit recommends storing the certificate and private key alongside the other Package Manager configuration files, in /etc/rstudio-pm/. Keeping them with the rest of the configuration makes the deployment easier to reason about and back up.

Both files must be owned by the rstudio-pm service account so that Package Manager can read them. Their modes differ to reflect their sensitivity: the certificate can be world-readable (mode 644), while the private key must be readable only by its owner (mode 600). Getting these permissions wrong is a common cause of Package Manager failing to start after a TLS change.

Certificates must also be in PEM format, and the file should contain the full certificate chain. The private key must not be protected with a passphrase.
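
A preflight check for the placement and permission rules above, added here as an example (it is not Posit's code). The function name `check_tls_files` and its arguments are assumptions, and it relies on GNU `stat` as found on Linux.

```shell
#!/bin/sh
# Added example: verify owner, mode and PEM format of the TLS files.
# Owner (rstudio-pm) and modes (644 / 600) follow the lesson; the function
# name and argument order are assumptions made for this example.

check_tls_files() {
    cert=$1 key=$2 owner=${3:-rstudio-pm} rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    for f in "$cert" "$key"; do
        [ -f "$f" ] || { echo "FAIL: $f is missing" >&2; return 1; }
        [ "$(stat -c %U "$f")" = "$owner" ] || fail "$f is not owned by $owner"
    done

    # Private key: readable only by its owner (mode 600).
    kmode=$(stat -c %a "$key")
    [ "$kmode" = 600 ] || fail "$key has mode $kmode, expected 600"

    # Certificate: may be world-readable (644), but only the owner may write it.
    case "$(stat -c %a "$cert")" in
        *[2367]?|*[2367]) fail "$cert is writable by group or others" ;;
    esac

    # PEM format: at least one certificate block; one alone may mean a missing chain.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n" -ge 1 ] || fail "$cert has no PEM certificate block"
    [ "$n" -ne 1 ] || echo "WARN: one certificate in $cert; confirm the chain is complete" >&2

    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" || fail "$key has no PEM private key block"
    # Passphrase-protected keys: PKCS#8 "ENCRYPTED PRIVATE KEY" header,
    # or the legacy "Proc-Type: 4,ENCRYPTED" line.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$key"; then
        fail "$key is passphrase-protected"
    fi
    return "$rc"
}

# Run the check only when paths are given on the command line.
[ "$#" -eq 0 ] || check_tls_files "$@"
```

Run it as root or as the service account so the key is readable, passing the certificate path and then the key path; a non-zero exit status means at least one rule from this section is not met.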

How Package Manager Serves HTTPS

Enabling HTTPS requires three things:

  1. Package Manager must be told where the certificate and key live and which port to listen on for HTTPS. This is configured in the [HTTPS] section of rstudio-pm.gcfg.
  2. Because HTTPS uses the privileged port 443, the Package Manager binary must be granted permission to bind to a privileged port.
  3. The service must be restarted to apply the changes.

Once configured, users reach Package Manager over https://, and the web interface displays the instance URL so you can confirm the new endpoint is working.