Bhanu enhancments for Rstudio #9

Open
wants to merge 6 commits into
base: byon-main
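--- a/RStudio/machine-images/config/infra/files/rstudio/nginx.conf
+++ b/RStudio/machine-images/config/infra/files/rstudio/nginx.conf
@@ -1,96 +1,97 @@
-user nginx;
-worker_processes auto;
-pid /run/nginx.pid;
-
-
-events {
-worker_connections 1024;
-}
-
-
-http {
-
-server_tokens off;
-server_name_in_redirect off;
-
-sendfile on;
-tcp_nopush on;
-tcp_nodelay on;
-keepalive_timeout 65;
-types_hash_max_size 2048;
-
-include mime.types;
-default_type application/octet-stream;
-
-access_log /var/log/nginx/access.log;
-error_log /var/log/nginx/error.log;
-
-map $request_method $proxy_body {
-POST $request_body;
-GET $query_string;
-}
-map $http_upgrade $connection_upgrade {
-default upgrade;
-'' close;
-}
-
-server {
-listen 80;
-return 301 https://$host$request_uri;
-}
-
-server {
-
-listen 443 ssl http2;
-
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_prefer_server_ciphers on;
-ssl_dhparam dhparam.pem;
-ssl_session_cache shared:SSL:1m;
-ssl_session_timeout 5m;
-ssl_session_tickets off;
-ssl_certificate cert.pem;
-ssl_certificate_key cert.key;
-ssl_trusted_certificate cert.pem;
-
-add_header Referrer-Policy same-origin always;
-add_header X-Frame-Options SAMEORIGIN always;
-add_header X-Content-Type-Options nosniff always;
-add_header X-XSS-Protection "1; mode=block" always;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';" always;
-
-proxy_http_version 1.1;
-proxy_read_timeout 20d;
-proxy_set_header Host $host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $connection_upgrade;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-# Health check url
-location /health {
-return 200 'OK';
-add_header Content-Type text/plain;
-}
-
-location / {
-proxy_pass http://localhost:8787;
-}
-
-location /auth-do-sign-in {
-proxy_pass http://localhost:8787;
-proxy_set_header Cookie "csrf-token=$request_id";
-proxy_method POST;
-proxy_set_header Content-Type application/x-www-form-urlencoded;
-proxy_set_body $proxy_body&csrf-token=$request_id;
-}
-
-location /auth-sign-in {
-return 403;
-}
-
-}
-
-}
+user nginx;
+worker_processes auto;
+pid /run/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+
+server_tokens off;
+server_name_in_redirect off;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+
+include mime.types;
+default_type application/octet-stream;
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+map $request_method $proxy_body {
+POST $request_body;
+GET $query_string;
+}
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+server {
+listen 80;
+return 301 https://$host$request_uri;
+}
+
+server {
+
+listen 443 ssl http2;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers on;
+ssl_dhparam dhparam.pem;
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 5m;
+ssl_session_tickets off;
+ssl_certificate cert.pem;
+ssl_certificate_key cert.key;
+ssl_trusted_certificate cert.pem;
+
+add_header Referrer-Policy same-origin always;
+add_header X-Frame-Options SAMEORIGIN always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';" always;
+
+proxy_http_version 1.1;
+proxy_read_timeout 20d;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Health check url
+location /health {
+return 200 'OK';
+add_header Content-Type text/plain;
+}
+
+location / {
+proxy_pass http://localhost:8787;
+}
+
+location /auth-do-sign-in {
+proxy_pass http://localhost:8787;
+proxy_redirect https://localhost:8787/ https://$host/;
+proxy_set_header Cookie "csrf-token=$request_id";
+proxy_method POST;
+proxy_set_header Content-Type application/x-www-form-urlencoded;
+proxy_set_body $proxy_body&csrf-token=$request_id;
+}
+
+location /auth-sign-in {
+return 403;
+}
+
+}
+
+}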
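Review bot: The added `proxy_redirect https://localhost:8787/ https://$host/;` in `location /auth-do-sign-in` matches an `https://` upstream prefix, while `proxy_pass` in the same block talks to `http://localhost:8787`. An explicit `proxy_redirect` replaces nginx's default rewrite for that location, so if RStudio answers the sign-in with `Location: http://localhost:8787/...` the header would reach the browser unrewritten; the diff does not show which scheme the upstream emits, so please confirm, or cover the proxied prefix too with `proxy_redirect http://localhost:8787/ https://$host/;`. The replacement is built from `$host`, which follows the client's Host header because neither server block sets `server_name`; a fixed hostname in the rewrite, or rejecting unexpected Host values, would keep the post-login redirect from following an arbitrary value. Separately, every line of the file is marked as changed for a one-line edit, which looks like a line-ending or whitespace rewrite and makes the change hard to audit.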
Expand Up @@ -3,14 +3,14 @@
# Retrieving instance metadata information from within the EC2 instance
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

instance_id=$(curl -s "http://169.254.169.254/latest/meta-data/instance-id")
instance_id=$(curl -H "X-aws-ec2-metadata-token: $(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" -s "http://169.254.169.254/latest/meta-data/instance-id")
secret=$(cat "/root/secret.txt")
password=$(echo -n "${instance_id}${secret}" | sha256sum | awk '{print $1}')
echo "rstudio-user:$password" | /usr/sbin/chpasswd
echo "Set rstudio-user password"

sleep 10
public_key=$(curl http://localhost:8787/auth-public-key)
instance_region=$(curl -s "http://169.254.169.254/latest/meta-data/placement/region")
aws ssm put-parameter --name "/rstudio/publickey/sc-environments/ec2-instance/${instance_id}" --value $public_key --region $instance_region --type SecureString --overwrite
echo "Stored rstudio public key in SSM"
instance_region=$(curl -H "X-aws-ec2-metadata-token: $(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" -s "http://169.254.169.254/latest/meta-data/placement/region")
aws ssm put-parameter --name "/rstudio/publickey/sc-environments/ec2-instance/${instance_id}" --value $public_key --region $instance_region --type SecureString --overwrite
echo "Stored rstudio public key in SSM"
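Review bot: The nested IMDSv2 token request on the `instance_id` and `instance_region` lines runs without `-s`/`-f` and its result is never checked, so a failed token call leaves an empty or error-body value that flows into the `sha256sum` password derivation and into the SSM parameter name. Fetch the token once and fail closed: `token=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || exit 1`, then `instance_id=$(curl -sf -H "X-aws-ec2-metadata-token: $token" "http://169.254.169.254/latest/meta-data/instance-id") || exit 1`, and reuse `$token` for the region lookup. The 21600-second TTL is far longer than a token used for two immediate reads needs. `--value $public_key` in the `aws ssm put-parameter` call should also be quoted as `--value "$public_key"` so an unexpected response from `/auth-public-key` cannot be split into extra arguments.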
Expand Up @@ -3,51 +3,73 @@
# Restart RStudio server
sudo systemctl restart rstudio-server

#SELinux stuff
sudo /sbin/selinuxenabled >& /dev/null
if [ $? -eq 0 ]; then
#/tmp context won't allow building packages
export tmpDir="/home/ec2-user/tmp/r-cran"
else
export tmpDir="/tmp/r-cran"
fi

# Create temporary package installation script for R
tmpDir="/tmp/r-cran"
mkdir -p $tmpDir
tmpFile="$tmpDir/packages.R"
sudo cat << END >> "$tmpFile"
# Install additional R Packages
install.packages('tidyverse', version='1.3.2', repos='http://cran.r-project.org/')
install.packages('dplyr', version='1.1.0', repos='http://cran.r-project.org/')
install.packages('tidyr', version='1.3.0', repos='http://cran.r-project.org/')
install.packages('ggplot2', version='3.4.1', repos='http://cran.r-project.org/')
install.packages('data.table', version='1.14.6', repos='http://cran.r-project.org/')
install.packages('kableExtra', version='1.3.4', repos='http://cran.r-project.org/')
install.packages('survival', version='3.5.3', repos='http://cran.r-project.org/')
install.packages('survminer', version='0.4.9', repos='http://cran.r-project.org/')
install.packages('MASS', version='7.3.58.2', repos='http://cran.r-project.org/')
install.packages('quantreg', version='5.94', repos='http://cran.r-project.org/')
install.packages('DescTools', version='0.99.47', repos='http://cran.r-project.org/')
install.packages('rentrez', version='1.2.3', repos='http://cran.r-project.org/')
install.packages('XML', version='3.99.0.13', repos='http://cran.r-project.org/')
install.packages('Matrix', version='1.5.3', repos='http://cran.r-project.org/')
install.packages('irlba', version='2.3.5.1', repos='http://cran.r-project.org/')
install.packages('threejs', version='0.3.3', repos='http://cran.r-project.org/')
install.packages('seqinr', version='4.2.23', repos='http://cran.r-project.org/')
install.packages('urltools', version='1.7.3', repos='http://cran.r-project.org/')
install.packages('bitops', version='1.0.7', repos='http://cran.r-project.org/')
install.packages('maptools', version='1.1.6', repos='http://cran.r-project.org/')
install.packages('randomForest', version='4.7.1.1', repos='http://cran.r-project.org/')
install.packages('RCurl', version='1.98.1.10', repos='http://cran.r-project.org/')
install.packages('arsenal', version='3.6.3', repos='http://cran.r-project.org/')

# Setup Rprofile for default options
echo 'options(repos=c(CRAN="https://cran.rstudio.com"))' | sudo tee -a /root/.Rprofile
echo 'options(Ncpus=parallel::detectCores() * 2)' | sudo tee -a /root/.Rprofile

sudo cat << END >> "$tmpFile"
# Install and load remotes package
install.packages('remotes', version='2.4.2', repos='http://cran.r-project.org/')
install.packages('remotes', version='2.4.2')
library('remotes')

remotes::install_github('YuLab-SMU/ggtree', version='3.7.1.2', dep=TRUE)

# Install repos that need a specific order
remotes::install_github('rstudio/httpuv', version='1.6.9', dep=TRUE)
install.packages('shiny', version='1.7.4', repos='http://cran.r-project.org/') # needs httpuv
install.packages('devtools', version='2.4.5', repos='http://cran.r-project.org/') # needs shiny
install.packages('adegenet', version='2.1.10', repos='http://cran.r-project.org/') # needs devtools
install.packages('shiny', version='1.7.4') # needs httpuv
install.packages('devtools', version='2.4.5') # needs shiny
install.packages('adegenet', version='2.1.10') # needs devtools

packages <- c(
'tidyverse=1.3.2',
'dplyr=1.1.0',
'tidyr=1.3.0',
'ggplot2=3.4.1',
'data.table=1.14.6',
'kableExtra=1.3.4',
'survival=3.5.3',
'survminer=0.4.9',
'MASS=7.3.58.2',
'quantreg=5.94',
'DescTools=0.99.47',
'rentrez=1.2.3',
'XML=3.99.0.13',
'Matrix=1.5.3',
'irlba=2.3.5.1',
'threejs=0.3.3',
'seqinr=4.2.23',
'urltools=1.7.3',
'bitops=1.0.7',
'maptools=1.1.6',
'randomForest=4.7.1.1',
'RCurl=1.98.1.10',
'arsenal=3.6.3'
)

for (pkg in packages) {
pkg_split <- strsplit(pkg, "=")[[1]]
pkg_name <- pkg_split[1]
pkg_version <- pkg_split[2]
devtools::install_version(pkg_name, version = pkg_version, dependencies = TRUE)
}

remotes::install_github('YuLab-SMU/ggtree', version='3.7.1.2', dep=TRUE)

END

# Execute installation script
sudo su - -c "R -e \"source('$tmpFile')\""
sudo su - -c "export TMPDIR=$tmpDir; Rscript $tmpFile"

# Output R library packages
sudo su - -c "R -e \"installed.packages(lib.loc='/usr/local/lib64/R/library')[,'Version']\""
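Review bot: The `install.packages('remotes', version='2.4.2')`, `shiny`, `devtools` and `adegenet` calls still do not pin anything, because `install.packages()` has no `version` parameter and installs whatever the repository currently serves; the same applies to `version=` on the two `remotes::install_github()` calls, which pull the default branch head. Since the script runs as root during image build, use the same mechanism as the new loop for these, e.g. `remotes::install_version('shiny', version = '1.7.4')`, and pin the GitHub installs by reference, e.g. `remotes::install_github('rstudio/httpuv@<tag-or-commit>')`. In the non-SELinux branch the script is still appended with `>>` to the predictable path `/tmp/r-cran/packages.R` and then executed as root, so any content already in that file would run too; creating the directory with `mktemp -d` and writing with `>` would avoid that. The hunk starts at line 3 of the file, so the shebang and any earlier setup are not visible here.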