RStudio Server does not redirect properly when hosted under a subdirectory using a reverse proxy

[jstaf]

When RStudio Server is hosted under a subdirectory using a reverse proxy (https://website.name.com/rstudio, for instance), many of the links will not redirect properly, namely the RStudio root, /auth-sign-in, and /auth-sign-out. Though the /auth-sign-in and /auth-sign-out issues can be solved with extra redirects, a successful sign in on the /auth-sign-in page always redirects the user to https://website.name.com/ instead of https://website.name.com/rstudio like it should.

Been looking to post this issue for a really long time (glad you guys finally have a public issue tracker) - it's confirmed to happen on all recent versions of both RStudio Server Open Source Edition and RStudio Server Pro on CentOS 7.

[aj2duncan]

Just to report that I have the experienced the same issue. RStudio open source (1.1.383) running on Debian 9.2 and using Apache. I have followed the instructions provided on the support site.

The redirect issue is exactly as described by @jstaf.

[jrowen]

I'm also running into this issue with RStudio and Nginx running via Docker Compose. For example, I have RStudio running in its own container on port 8000, and I have Nginx running in a different, linked container listening on port 8080. When I go to www.example.com:8080, RStudio redirects to www.example.com/auth-sign-in, losing the port in the process. Similar to the earlier comments, the sign-in page is not displayed and the app is not accessible.

[jstaf]

@jmcphers - Has there been any progress on this recently? This bug means that running under a subdirectory as described in the RStudio Admin Guide doesn't actually work.

The ideal fix here would be to have a configuration option in /etc/rstudio/rserver.conf to change the RStudio Server base address (to say, /rstudio/), similar to how Jupyterhub works.

[jstaf]

After what feels like a day and a half of what feels like bashing my head against a wall, I think I've found a workaround for the issue using Apache. Using the following Apache conf appears to work in a VM (you can of course add SSL to the proxy using the usual methods). This example hosts RStudio under the example subdirectory /rstudio.

<VirtualHost *:80>

ProxyPreserveHost on

# Some required redirects for rstudio to work under a subdirectory
Redirect /rstudio /rstudio/
Redirect /auth-sign-in /rstudio/auth-sign-in  
Redirect /auth-sign-out /rstudio/auth-sign-out
Redirect /s /rstudio/s
Redirect /admin /rstudio/admin

# Catch RStudio redirecting improperly from the auth-sign-in page
<If "%{HTTP_REFERER} =~ /auth-sign-in/">
  RedirectMatch ^/$	/rstudio/
</If>

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /rstudio/(.*)     ws://localhost:8787/$1  [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /rstudio/(.*)     http://localhost:8787/$1 [P,L]
ProxyPass /rstudio/ http://localhost:8787/
ProxyPassReverse /rstudio/ http://localhost:8787/

</VirtualHost>

How this works is that the Referer header is set when the /auth-sign-in page redirects back to /. The <If> statement uses this header to apply the redirect only to users coming from the auth-sign-in page, which means content under / is unaffected. Seems to work well, the only case it seems to be buggy is logging out from the admin dashboard in RStudio Server Pro, but that seems like a minor issue (since end users won't run into this).

[jeandevops]

Hello, this doesn't work when you're running, for example (in my case), two containers in a Kubernetes pod, where one is the R Studio (rocker/rstudio) and other is an Nginx proxy to make the R respond on a different path (like r.studio.domain/user).

The reason for this is, that I'm trying to run R Studio in a Kubernetes environment at multi-user, putting each user on subpaths like: r.studio.domain/user1, r.studio.domain/user2, etc. (And, of course, nothing on '/', so that workaround doesn't work for me).

As suggested by @jstaf would be great if we had a fix to have a configuration option in /etc/rstudio/rserver.conf to change the RStudio Server base address.

[nwbhatia]

Very late to the party but for for anyone using an nginx reverse proxy that is still looking for a fix: the rstudio proxy setup described in https://support.rstudio.com/hc/en-us/articles/200552326-Running-RStudio-Server-with-a-Proxy should work with the following edit:

Change proxy_redirect http://localhost:8787/ $scheme://$host/rstudio/; to proxy_redirect https://localhost:8787/ $scheme://$host/rstudio/; as the internal Rstudio redirects are https not http.

My use case is identical to @jeandevops's and this worked for me.

[DrMaphuse]

Another year later, and I'm still running into this issue on nginx. I can manually enter the paths /rstudio/auth-sign-in before signing in and /rstudio after signing in. But the redirects ignore the subdirectory. I have tried following the manual, with and without @nikhilwbhatia 's suggestion, and I played around with the settings on my own, but I could not get it to work. I also scoured the web for more solutions, but without success. Any other ideas/solutions? I still think a base_path setting would be very useful.

[jeffvroom]

Apologies for this problem. Here's a similar example that I tested that works where Apache is listening on https and using a /rstudio path prefix. Note that when you set X-RStudio-Root-Path and X-Forwarded-Proto, you no longer need the rewrite rules since RStudio will be generating the correct external URLs in the first place. Make sure to change example.com with the external domain of your proxy server..

  ProxyPreserveHost On

   <Proxy *>
     Allow from localhost
   </Proxy>

   ProxyPass /rstudio/ http://localhost:8787/
   RequestHeader set Host "example.com:443"
   RequestHeader set X-RStudio-Root-Path "/rstudio"
   RequestHeader set X-Forwarded-Proto https
   ProxyRequests Off

[DrMaphuse]

@jeffvroom thank you, this did the trick! I suppose this is a new header option? I also noticed that the server option www-root-path was added in v2021.09.1+372. I haven't tried it out, but according to https://docs.rstudio.com/ide/server-pro/1.4.1043-2/access-and-security.html#nginx-configuration it would do the same thing as the header X-RStudio-Root-Path. I suppose they do essentially the same as base_path in other applications. For those looking for documentation, the above link describes the up-to-date instructions for RStudio Server (free as well as pro). Personally, I have had success by removing all rewrites and setting the following location block in nginx sites-enabled:

    location /rstudio/ {
        # proxy config
        proxy_pass http://localhost:8787/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host "example.com:443";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-RStudio-Root-Path "/rstudio";

        proxy_redirect http://localhost:8787/ $scheme://$host/rstudio/;

        # websocket headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
    }

[jeffvroom]

Glad that worked! Yes, www-root-path does the same thing as X-RStudio-Root-Path. We have a documentation update coming in the next release that will remove all of the guidance on using those directives to rewrite the location headers and cookie paths. Both options exist in 1.4 - Juliet Rose as well, and I think go back even a little further.

[davidhunterwalsh]

@jeffvroom Looks to me like it's been a while and the docs aren't updated, e.g. https://docs.posit.co/ide/server-pro/access_and_security/running_with_a_proxy.html#nginx-configuration and https://docs.posit.co/ide/server-pro/1.4.1043-2/access-and-security.html#nginx-configuration - I just struggled for quite a while trying to rely on those, and only had success because of your rewrite-less solution here, as adapted to nginx by @DrMaphuse.

[jeffvroom]

@davidhunterwalsh - thanks for mentioning this. I only meant we planned to eliminate the RewriteRule that nginx/apache use to modify the response headers, like the Location header in a redirect. It is easier and more maintainable in my opinion when rstudio always generates the correct URLs for the browser, when it knows the root-path to use. The docs do still use the rewrite rule to modify the request URI before proxying to the rserver which is how our test suites are written. I do see the example above to use the proxy_redirect directive to avoid the need for that. I'm not familiar with how that works so let me look into that!

[behrica]

I am in the same situation using kubernetes + nginx ingress + rstudio.
I am a newbie in proxy configuration, so if somebody could paste a yaml snippet with the correct ingress configuraton, that would be nice.