RStudio Server Daily Build Not Rendering Remotely But Official Release Is

Hi Everyone,

Weird problem here. I'm running RStudio Server on an Ubuntu 18 VM on a Mac Catalina host in my office on campus. I connect to the server from off campus using Cisco AnyConnect, using a MacBook Pro (2017) also running Catalina. RStudio Server v1.2.5033 works just fine, meaning that everything renders and runs in my web browser (Chrome) on the remote machine. But the daily builds for the last few weeks haven't rendered at home--it produces a blank window within Chrome. And I try each new version of the daily to see if the problem is fixed. I should note that the daily version (most recent as of this writing is v.1.3.700) of RStudio renders just fine in the Ubuntu VM via Chrome and localhost. So something is happening with remote rendering for the daily build and I can't quite figure out where the problem is.

UPDATE: I ran sudo systemctl status rstudio-server and got the following: ERROR Rejecting request with mismatched originator--seems that might be the problem.

Thanks in advance.

Joe

This isn't a bug and won't change in the official 1.3 release; it's due to additional security features in RStudio Server 1.3. In particular, it now validates the HTTP Origin header. Your home machine is probably sending an Origin that doesn't match the intended host machine due to AnyConnect proxying. Security best practices dictate rejecting these requests. See here for a description of what RStudio 1.3 does:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

You can probably make it work the way you want by setting up a reverse proxy that sets the Origin and Forwarded fields appropriately.
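A sketch of the kind of check the OWASP page linked above describes, added here as an example; it is not RStudio's implementation and not code from this thread. The hostnames are constructed, and the use of X-Forwarded-Host and X-Forwarded-Proto as the proxy-supplied headers is an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Reduce a URL to a comparable (scheme, host, port) tuple, or None."""
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not u.scheme or not u.hostname:
        return None
    scheme = u.scheme.lower()
    return (scheme, u.hostname.lower(), port or DEFAULT_PORTS.get(scheme))

def source_origin(headers):
    """Where the request came from: Origin first, then Referer."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw or raw == "null":
        return None
    return _origin(raw)

def target_origin(headers, trust_proxy=False, scheme="http"):
    """Where the server believes it lives. Forwarded headers are honoured
    only when the deployment has a proxy that overwrites them (assumption)."""
    host = headers.get("Host", "")
    if trust_proxy:
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return _origin(f"{scheme}://{host}")

def allow_request(headers, trust_proxy=False):
    """Reject when the source is missing or differs from the target."""
    src = source_origin(headers)
    return src is not None and src == target_origin(headers, trust_proxy)

# Constructed sample requests (header names are matched case-sensitively here).
DIRECT = {"Host": "rstudio.example.edu:8787",
          "Origin": "http://rstudio.example.edu:8787"}
REWRITTEN = {"Host": "127.0.0.1:8787",           # an intermediary changed Host
             "Origin": "https://rstudio.example.edu"}
PROXIED = dict(REWRITTEN, **{"X-Forwarded-Host": "rstudio.example.edu",
                             "X-Forwarded-Proto": "https"})
CROSS_SITE = {"Host": "rstudio.example.edu:8787",
              "Origin": "https://other-site.example"}

if __name__ == "__main__":
    for name, req in [("direct", DIRECT), ("rewritten", REWRITTEN),
                      ("cross-site", CROSS_SITE)]:
        print(name, allow_request(req))
    print("proxied, forwarded headers trusted", allow_request(PROXIED, True))
```

The rewritten-Host request and the cross-site request look the same to this check, which is why a proxy in the path has to tell the server what the browser-facing host was.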


I found a different solution, one that might benefit others. The origin check can be disabled by including the following line in the /etc/rstudio/rserver.conf file:

www-disable-origin-check=1

See this page for more.

Joe

Thanks, Jonathan. Do you mean it's as simple as setting up a reverse proxy, as described here?

Not sure from the link I provided how to set the origin and forwarded fields but will keep looking.

Joe

Yes, that will also do the trick! Obviously we don't recommend disabling this in a production environment since it's a security feature, so if you choose to turn it off please make sure you're aware of the security implications.

Thanks, Jonathan. Yes, I'm aware of the implications, but I'm very pleased to have a running and usable version of the daily build for my work.

Joe