RStudio Server: Running with a Proxy
Overview
If you are running RStudio Server behind a proxy server you need be sure to configure the proxy server so that it correctly handles all traffic to and from RStudio Server.
Beyond the normal reverse proxy configuration you'd apply for any HTTP server application, you also need to to ensure that websockets are forwarded correctly between the proxy server and RStudio Server to ensure that all RStudio functions work correctly.
In particular, they're needed to ensure that Shiny applications run from within the IDE work properly - if not, you may find that Shiny applications "gray out" and close without you being able to interact with them.
This article describes how to correctly configure a reverse proxy with Nginx and Apache. If you are unfamiliar with configuring Nginx or Apache, you may find the Nginx Beginner's Guide or the Apache Getting Started article useful.
Note that this article is about configuring a proxy to control access to RStudio Server. If you are looking to set up a proxy to handle downloads in R and RStudio you should instead check out the article here.
Nginx Configuration
On Debian or Ubuntu a version of Nginx that supports reverse-proxying can be installed using the following command:
sudo apt-get install nginx
On CentOS or Red Hat you can install Nginx using the following command:
sudo yum install nginx
To enable an instance of Nginx running on the same server to act as a front-end proxy to RStudio Server you would add commands like the following to your nginx.conf file. Note that you must add code to proxy websockets in order to correctly display Shiny apps and R Markdown Shiny documents in RStudio Server.
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
location / {
proxy_pass http://localhost:8787;
proxy_redirect http://localhost:8787/ $scheme://$http_host/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 20d;
}
}
}
If you want to serve RStudio Server from a custom path (e.g. /rstudio) you would edit your nginx.conf file as shown below:
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
rewrite ^/rstudio$ $scheme://$http_host/rstudio/ permanent;
location /rstudio/ {
rewrite ^/rstudio/(.*)$ /$1 break;
proxy_pass http://localhost:8787;
proxy_redirect http://localhost:8787/ $scheme://$http_host/rstudio/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 20d;
}
}
}After adding these entries you'll then need to restart Nginx so that the proxy settings take effect:
sudo /etc/init.d/nginx restart
Apache Configuration
To enable an instance of Apache running on the same server to act as a front-end proxy to RStudio Server you need to use the mod_proxy and mod_proxy_wstunnel modules. The steps for enabling this module vary across operating systems so you should consult your distribution's Apache documentation for details.
On Debian and Ubuntu systems Apache can be installed with mod_proxy using the following commands:
sudo apt-get install apache2
sudo apt-get install libapache2-mod-proxy-html
sudo apt-get install libxml2-dev
Then, to update the Apache configuration files to activate mod_proxy you execute the following commands:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
On CentOS and RedHat systems Apache can be installed with mod_proxy and mod_proxy_wstunnel by following the instructions here:
http://httpd.apache.org/docs/2.4/platform/rpm.html
By default with Apache 2.4, mod_proxy and mod_proxy_wstunnel should be enabled. You can check this by opening the file /etc/httpd/conf.modules.d/00-proxy.conf and making sure the following lines are included and not commented out:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
Once you have enabled mod_proxy and mod_proxy_wstunnel in your Apache installation you need to add the required proxy commands to your VirtualHost definition. Note that you will also need to include code to correctly proxy websockets in order to correctly proxy Shiny apps and R Markdown documents within RStudio Server. For example:
<VirtualHost *:80>
<Proxy *>
Allow from localhost
</Proxy>RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://localhost:8787/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://localhost:8787/$1 [P,L]
ProxyPass / http://localhost:8787/
ProxyPassReverse / http://localhost:8787/
ProxyRequests Off
</VirtualHost> Note that if you want to serve RStudio from a custom path (e.g. /rstudio) you would replace the directives described above to:
RedirectMatch permanent ^/rstudio$ /rstudio/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /rstudio/(.*) ws://localhost:8787/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /rstudio/(.*) http://localhost:8787/$1 [P,L]
ProxyPass /rstudio/ http://localhost:8787/
ProxyPassReverse /rstudio/ http://localhost:8787/
ProxyRequests Off
Finally, after you've completed all of the above steps you'll then need to restart Apache so that the proxy settings take effect:
sudo /etc/init.d/apache2 restart
RStudio Configuration
If your RStudio Server and proxy server are running on the same machine you can also change the port RStudio Server listens on from 0.0.0.0 (all remote clients) to 127.0.0.1 (only the localhost). This ensures that the only way to connect to RStudio Server is through the proxy server. You can do this by adding the www-address entry to the /etc/rstudio/rserver.conf file as follows:
www-address=127.0.0.1
Note that you may need to create this config file if it doesn't already exist.
SELinux Configuration
If your Linux server has SELinux enabled and enforcing, you may encounter issues when attempting to proxy the connection from your HTTP daemon to RStudio Server. If you are having trouble, the SELinux property you configure to allow your HTTP daemon to connect to RStudio Server is:
httpd_can_network_relay
For further assistance configuring SELinux Booleans, refer to the SELinux admin guide available from Red Hat here:
Comments