Post

4 followers Follow
0
Avatar

RStudio behind nginx reverse proxy is failing on auth

I like to run RStudio and a lot of other things behind a reverse proxy through nginx. While accessing RStudio has always been fine, at some point recently I stopped being able to authorize through the proxy. If I load a browser with authentication information cached, it works fine. If I go through a new browser and try to authenticate, it can't find the auth page when it redirects.

I'm sure I'm doing something dumb in my nginx configuration, but I don't know what that is. Any advice is appreciated. Here's the content of the config:

server {
listen 80;
server_name ec2-52-0-153-151.compute-1.amazonaws.com;
return 301 https://$server_name$request_uri;
}

#server {

listen 52.0.153.151:8101;

location / {

proxy_pass http://127.0.0.1:8101/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

#}

server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

root /usr/share/nginx/html;
index index.html index.htm;

# Make site accessible from http://localhost/
server_name localhost;

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
}

    location /hue/ {
            proxy_pass http://127.0.0.1:8888/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }



location /jupyter/ {
        proxy_pass http://127.0.0.1:8000/jupyter/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }


    location /rstudio/ {
    rewrite ^/rstudio/(.*)$ /$1 break;
            proxy_pass http://127.0.0.1:8787/;
    proxy_redirect http://127.0.0.1:8787/ $scheme://$host/rstudio/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }



    location /shiny/ {
            proxy_pass http://127.0.0.1:3838/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

location ~* (user/[^/]*)/(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
       proxy_pass http://localhost:8000;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-NginX-Proxy true;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;

}


    location /zeppelin/ {
            proxy_pass http://127.0.0.1:8100/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location ^~ wss {
            proxy_pass http://127.0.0.1:443/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Connection "upgrade";
    }

    location /api/ {
            proxy_pass http://127.0.0.1:8100/api/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /assets/ {
            proxy_pass http://127.0.0.1:8100/assets/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /sparkmaster/ {
            proxy_pass http://127.0.0.1:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /sparkworker/ {
            proxy_pass http://127.0.0.1:8081/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /sparkapp/ {
            proxy_pass http://127.0.0.1:4040/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /cloudera/ {
            proxy_pass http://127.0.0.1:7180/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }
    location /cmf/ {
            proxy_pass http://127.0.0.1:7180/cmf/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

    location /hue/static/ {
    alias /usr/lib/hue/build/static;
    }

location = /flow/ {

proxy_pass http://127.0.0.1:54321/flow/index.html;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

    location /flow/ {
            proxy_pass http://127.0.0.1:54321/flow/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }
    location /3/ {
            proxy_pass http://127.0.0.1:54321/3/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }
    location /99/ {
            proxy_pass http://127.0.0.1:54321/99/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    }

}

Amos Elberg

6 comments

0
Avatar

I am having the same problem.

  • Trying to auth through nginx leads me to an endless loop to the auth page.  Auth is working, it's just looping back to the page (I can tell that auth is working because I'm not getting locked out of my account)
  • Going directly to :8787 works fine
  • Running on debian 7, rstudio compiled from source
  • This error came when upgrading from .491 to .879.  Everything worked fine under .491.
  • nginx set up as per the recommendations in the support article linked by Ian.

nginx snippet:

 location /R/ {
rewrite ^/R/(.*)$ /$1 break;
proxy_pass http://localhost:8787;
proxy_redirect http://localhost:8787/ $scheme://$host/R/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
client_max_body_size 1000M;
proxy_read_timeout 1200s;
}

 

Alexis 0 votes
0
Avatar

Update -- this seems to occur on Safari (El Capitan), but works fine on Chrome on the same computer.

Alexis 0 votes
0
Avatar

Hi Alexis,

We're not able to reproduce this on our end. Does it happen on any other systems or browsers other than Safari? Can you try checking the network console and see if there are any errors that are being reported?

Thanks,

Ian

Ian Pylvainen 0 votes
0
Avatar

Done some testing:

- Mac/Safari -- going through nginx causes the auth loops

- Mac/Firefox -- same problem as safari

- Mac/Chrome - works fine

- Windows/Firefox -- auth loop

- Windows/IE -- works fine

Are there some cookies I can clear?  I searched but couldn't find any obvious ones. Also, what do you mean by the network console (happy to poke around, but not quite sure where).

Alexis 0 votes
0
Avatar

Hi Amos,

I had the same trouble after an update. I'm running Rstudio together with OpenCPU which does the nginx reverse proxy part.

I tried all sorts of debugging, but clearing cookies for my domain is what finally solved it. If that solves it for you, good. If not, I can try to list my intermediate steps...

Best,
Ruben

Ruben 0 votes