How to configure Posit Connect with Apache 2.4 (reverse proxy) and ModSecurity on Ubuntu 22.04

Fadzali Bakar

Step 1: Install Posit Connect without a reverse proxy.

Follow the steps at https://docs.posit.co/connect/admin/getting-started/local-install/manual-install/

After the installation finishes, the Posit Connect configuration in /etc/rstudio-connect/rstudio-connect.gcfg looks like this:

; Posit Connect server configuration file (generated)  
;  
; See the Appendices - Configuration section of the  
; Posit Connect Admin Guide for details on the configuration file format.  

; [ExampleSection]  
; BooleanProperty = true  
; DecimalProperty = 0.217  
; StringProperty1 = "hello"  
; StringProperty2 = "escape \"quotes\" within a value"  
; MultiListProperty = "black"  
; MultiListProperty = "blue"  
; MultiListProperty = "green"  
; DurationProperty = 300s  


[R]  
Enabled = false  

[Python]  
Enabled = false  

[HTTPS]  
Certificate = "/etc/rstudio-connect/tls.crt"  
Key = "/etc/rstudio-connect/tls.key"  
Listen = ":443"  

[HTTP]  
ForceSecure = true  

[Authentication]  
Provider = "password"  

[Server]  
; change me
Address = "https://example.com"
DataDir = "/var/lib/rstudio-connect"  
EmailProvider = "none"  
TempDir = "/tmp"  

[Database]  
Provider = "SQLite"  

[SQLite]  
Dir = "/var/lib/rstudio-connect/db"  

[Logging]  
AccessLog = "/var/log/rstudio/rstudio-connect/rstudio-connect.access.log"  
AccessLogFormat = "COMMON"  
AuditLog = "/var/log/rstudio/rstudio-connect/rstudio-connect.audit.log"  
ServiceLog = "/var/log/rstudio/rstudio-connect/rstudio-connect.log"

If successful, we will see

Step 2: Install and configure Apache as a reverse proxy

sudo apt install apache2

Copy default-ssl.conf and save as posit.conf in /etc/apache2/sites-available/

Edit posit.conf

<IfModule mod_ssl.c>  
<VirtualHost *:443>  
   # change me
   ServerName example.com
   ServerAlias example.com
   DocumentRoot /var/www/html  
   DirectoryIndex index.html index.php  
   SSLEngine on  
   SSLCertificateFile /etc/apache2/tls.crt  
   SSLCertificateKeyFile /etc/apache2/tls.key  

   ErrorLog ${APACHE_LOG_DIR}/errorposit.log  
   CustomLog ${APACHE_LOG_DIR}/accessposit.log combined
</VirtualHost>
</IfModule>

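Enable the Apache modules for HTTPS

a2enmod ssl 
a2enmod rewrite
# also needed by the proxy directives added to posit.conf below
a2enmod proxy proxy_http proxy_wstunnel headers

Reload Apache

systemctl reload apache2

If successful, we will see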

How to check which port Posit Connect is running on

So in /etc/apache2/sites-available/posit.conf we need to add :3939 to ProxyPass:

<IfModule mod_ssl.c>  
<VirtualHost *:443>  
   # change me
   ServerName example.com
   ServerAlias example.com
   DocumentRoot /var/www/html  
   DirectoryIndex index.html index.php  
   SSLEngine on  
   SSLCertificateFile /etc/apache2/tls.crt  
   SSLCertificateKeyFile /etc/apache2/tls.key  

   ErrorLog ${APACHE_LOG_DIR}/errorposit.log  
   CustomLog ${APACHE_LOG_DIR}/accessposit.log combined  

 RewriteEngine on  

 RewriteRule ^/rsconnect$ /rsconnect/ [R]  
 #restore variable values with dummy rewrite rules  
 RewriteRule . - [E=req_scheme:%{REQUEST_SCHEME}]  
 RewriteRule . - [E=h_host:%{HTTP_HOST}]  
 RewriteRule . - [E=req_uri:%{REQUEST_URI}]  
 # set header with variables  
 RequestHeader set X-RSC-Request "%{req_scheme}e://%{h_host}e%{req_uri}e"  
 RewriteCond %{HTTP:Upgrade} websocket [NC]  
 RewriteCond %{HTTP:Connection} upgrade [NC]  
 RewriteRule /rsconnect/(.*) "ws://localhost:3939/$1" [P,L]  

 <Location /rsconnect/>
   ProxyPass http://localhost:3939/ connectiontimeout=5
   ProxyPassReverse /rsconnect/
 </Location>

</VirtualHost>  
</IfModule>

Step 3: Reconfigure Posit Connect in /etc/rstudio-connect/rstudio-connect.gcfg

Comment out every setting in the [HTTPS] section.

Add Listen = ":3939" under the [HTTP] section.

Restart the services:

sudo systemctl restart rstudio-connect 
sudo systemctl restart apache2

Open https://example.com/rsconnect/ and we will see that Apache is working as a reverse proxy.
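
Added example, not part of the original post: the `:3939` listener from Step 3 binds Connect to every interface, so a client that can reach port 3939 directly never passes through Apache or ModSecurity. The function below classifies `ss -ltn` output for a given port; `listener_scope` is a hypothetical helper name and both sample listings are constructed.

```sh
#!/bin/sh
# Classify how a TCP port is bound, reading `ss -ltn` output on stdin.
# Prints: loopback | exposed | not-listening
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")            # field 4 is Local Address:Port
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            found = 1
            # Anything other than 127.0.0.0/8 or [::1] accepts remote clients.
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample: what `ss -ltn` can look like with Listen = ":3939".
after_step3='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          *:443         *:*
LISTEN 0      4096         *:3939        *:*'

# Constructed sample: the same host with Connect bound to loopback only.
loopback_only='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          *:443         *:*
LISTEN 0      4096 127.0.0.1:3939  0.0.0.0:*'

echo "after Step 3:  $(printf '%s\n' "$after_step3" | listener_scope 3939)"
echo "loopback only: $(printf '%s\n' "$loopback_only" | listener_scope 3939)"
```

On the server, run `ss -ltn | listener_scope 3939`; if it reports `exposed`, restrict the port with a host firewall rule or a loopback-only listen address so that all traffic goes through Apache.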

Step 4: Install and configure ModSecurity

apt install libapache2-mod-security2 -y 
a2enmod security2 
systemctl restart apache2 
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Change SecRuleEngine DetectionOnly to On

nano /etc/modsecurity/modsecurity.conf

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
 SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
#SecRequestBodyAccess off

Define the path of the CRS

nano /etc/apache2/mods-enabled/security2.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/*.load
</IfModule>
systemctl restart apache2
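
An offline check of which mode Apache will actually load, as an added example that is not from the original post: it reads the same `/etc/modsecurity/*.conf` glob that security2.conf includes and reports the last uncommented `SecRuleEngine` and `SecRequestBodyAccess` values. The helper names and the sample directories are constructed for illustration.

```sh
#!/bin/sh
# Last uncommented value of a directive across DIR/*.conf, the same glob that
# security2.conf passes to IncludeOptional. Prints "unset" if never set.
effective_directive() {
    for f in "$1"/*.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk -v want="$2" '
        BEGIN { val = "unset"; want = tolower(want) }
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == want { val = tolower($2) }  # later lines override earlier
        END { print val }'
}

# Summarise the mode: blocking | blocking-no-body | detection-only | disabled
waf_mode() {
    engine=$(effective_directive "$1" SecRuleEngine)
    body=$(effective_directive "$1" SecRequestBodyAccess)
    case "$engine" in
        on) if [ "$body" = on ]; then echo blocking; else echo blocking-no-body; fi ;;
        detectiononly) echo detection-only ;;
        *) echo disabled ;;
    esac
}

# Constructed sample directories standing in for /etc/modsecurity.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/renamed" "$demo/not_renamed"
# Same directives as the edited file shown above, leading space included.
cat > "$demo/renamed/modsecurity.conf" <<'EOF'
#SecRuleEngine DetectionOnly
 SecRuleEngine On
SecRequestBodyAccess On
#SecRequestBodyAccess off
EOF
# The packaged file name does not match *.conf, so Apache never loads it.
cp "$demo/renamed/modsecurity.conf" "$demo/not_renamed/modsecurity.conf-recommended"

echo "renamed:     $(waf_mode "$demo/renamed")"
echo "not renamed: $(waf_mode "$demo/not_renamed")"
```

Run `waf_mode /etc/modsecurity` on the server; anything other than `blocking` means requests are logged only, inspected without their bodies, or not inspected at all.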

Verify Modsecurity

Result

That's all. Good luck.
