ProxifiedSetup
RCloud 1.4 and higher supports a setup where three independent services are used to increase security and stability, in particular in multi-user environments with user switching.
The network-facing process is a proxy that speaks HTTP and WebSockets. It handles plain HTTP requests directly, without involving R, and supports features such as conditional GET and serving pre-compressed results. This process can run as an arbitrary user: it only needs read access to the `htdocs` directory and access to the sockets of the other two processes (see below).
The second process only serves the R scripts in the `htdocs` directory. Again, it can run with reduced privileges and only needs access to the `htdocs` directory. It isolates the dynamic-content side entirely from RCloud itself.
The third process is the actual RCloud process. It is essentially identical to the process run by conventional RCloud installations, but it listens only on a local socket, so it cannot be reached remotely, and it speaks only the QAP protocol, which removes the WebSockets, HTTP and SSL layers from its attack surface.
To enable the proxified setup, add the following line to `rcloud.conf`:

```
rserve.socket: ${ROOT}/run/qap
```
Then start RCloud as usual.
In addition to the RCloud process, you now have to start two further processes:

```sh
export ROOT=<your-rcloud-root-here>

## the script-serving process
R CMD Rserve --RS-conf "$ROOT/conf/scripts.conf"

## the proxy itself
# locate the proxy binary inside the Rserve package (must be from 2015/06/25 or newer!)
proxy=$(R --slave -e 'cat(system.file("libs","forward",package="Rserve"))')

# start the proxy:
#   -p  TCP port to listen on
#   -s  QAP socket of the RCloud process (the rserve.socket path from rcloud.conf)
#   -r  htdocs directory to serve static content from
#   -u  ulog socket for logging
#   -R  socket of the script-serving process
"$proxy" -p 8080 -s "$ROOT/run/qap" -r "$ROOT/htdocs" -u "$ROOT/run/ulog" -R "$ROOT/run/Rscripts"
```
By default all three processes write their logs to the same `ulog` socket.
The proxy serves a pre-compressed `foo.gz` in place of `foo` if it exists in the same directory as the source and is newer than it. It is therefore advisable to compress the `.js` files in the tree. If you use `gzip`, remember that by default it removes the source file, which you don't want; use `gzip -c foo > foo.gz` (or `gzip -k foo` with a gzip that supports `-k`) instead.
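The following script pre-compresses a whole `htdocs` tree according to the rule just described: a `.gz` is (re)written only when it is missing or older than its source, and the source is always kept. It is an added example, not part of RCloud or Rserve; the default extension list (`js`, `css`) and the use of `gzip -n -9` are choices made here, not something the page prescribes.

```sh
#!/bin/sh
# Added example (not RCloud/Rserve code): pre-compress static assets so the
# proxy's "serve foo.gz if it exists and is newer than foo" rule applies.
# Always uses `gzip -c` so the source file is kept; plain `gzip foo` would
# delete it. Assumes a POSIX sh with the common `-nt` test extension.

# precompress_file SRC
# Writes SRC.gz if it is missing or older than SRC. Returns 0 when a new
# .gz was written, 1 when the existing one was already up to date.
precompress_file() {
    src=$1
    gz="$src.gz"
    if [ -e "$gz" ] && [ ! "$src" -nt "$gz" ]; then
        return 1                      # .gz present and not stale
    fi
    # -c keeps the source; -n omits name/timestamp (reproducible output);
    # write to a temp file first so a half-written .gz is never served.
    gzip -9 -n -c "$src" > "$gz.tmp" && mv "$gz.tmp" "$gz"
}

# precompress_tree DIR [EXT...]
# Walks DIR for files with the given extensions (default: js css, an
# assumption of this example) and prints the path of every file whose
# .gz was (re)written, one per line.
precompress_tree() {
    dir=$1; shift
    [ $# -gt 0 ] || set -- js css
    for ext in "$@"; do
        find "$dir" -type f -name "*.$ext" | while IFS= read -r src; do
            precompress_file "$src" && printf '%s\n' "$src"
        done
    done
}
```

Usage: source the script and run `precompress_tree "$ROOT/htdocs"` after each deployment, or add extensions explicitly, e.g. `precompress_tree "$ROOT/htdocs" js css html`. Re-running it is cheap: files whose `.gz` is already newer than the source are skipped.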
In debug mode the proxy records every packet passing through it, which is very helpful when debugging. Since that includes request contents and any credentials or session tokens they carry, leave it off outside of debugging sessions.