Rstudio Server Daily Build Not Rendering Remotely But Official Release Is

bbjonz · January 2, 2020, 6:33pm

Hi Everyone,

Weird problem here. I'm running Rstudio Server on an Ubuntu 18 VM on a Mac Catalina host in my office on campus. I connect to the server from off campus using Cisco AnyConnect, using a MacBook Pro (2017) also running Catalina. Rstudio Server v1.2.5033 works just fine, meaning that everything renders and runs in my web browser (Chrome) on the remote machine. But the daily builds for the last few weeks haven't rendered at home--it produces a blank window within Chrome. And I try each new version of the daily to see if the problem is fixed. I should note that the daily version (most recent as of this writing is v.1.3.700) of Rstudio renders just fine in the Ubuntu VM via Chrome and localhost. So something is happening with remote rendering for the daily build and I can't quite figure out where the problem is.

UPDATE: I ran sudo systemctl status rstudio-server and got the following: ERROR Rejecting request with mismatched originator--seems that might be the problem.

Thanks in advance.

Joe

jonathan · January 2, 2020, 8:07pm

This isn't a bug and won't change in the official 1.3 release; it's due to additional security features in RStudio Server 1.3. In particular, it now validates the HTTP Origin header. Your home machine is probably sending an Origin that doesn't match the intended host machine due to AnyConnect proxying. Security best practices dictate rejecting these requests. See here for a description of what RStudio 1.3 does:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

You can probably make it work the way you want by setting up a reverse proxy that sets the Origin and Forwarded fields appropriately.

bbjonz · March 21, 2021, 1:21am

Thanks, Jonathan. Do you mean it's a simple as setting up a reverse proxy, as described here?

Not sure from the link I provided how to set the origin and forwarded fields but will keep looking.

Joe

bbjonz · December 3, 2020, 5:45am

I found a different solution, one that might benefit others. The origin check can be disabled by including the following line in the /etc/rstudio/rserver.conf file:

www-disable-origin-check=1

See this page for more.

Joe

jonathan · November 19, 2020, 7:27pm

Yes, that will also do the trick! Obviously we don't recommend disabling this in a production environment since it's a security feature, so if you choose to turn it off please make sure you're aware of the security implications.

bbjonz · November 24, 2020, 9:43pm

Thanks, Jonathan. Yes, I'm aware of the implications, but I'm very pleased to have a running and usable version of the daily build for my work.

Joe

system · January 24, 2020, 9:51pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.