Server validation fails with RStudio Connect running behind reverse proxy

I set up Connect to be accessed via a nginx reverse proxy. This works to access the control panel and content through Connect. But I can not use the proxy address to connect RStudio IDE to the Connect Server. I just get a 'Server Validation failed' error. Using the direct connection over port 3939 would work, but is not suitable for the setup.

Is this a missing feature with RStudio Server or what might be the problem? Not sure how to troubleshoot this as the reverse proxy is totally fine outside of the RStudio IDE

Hey @draic and welcome to RStudio Community!

Can you say a bit more about the way you have implemented your reverse proxy? Is it rewriting paths (i.e. hosting Connect at /rsc/)? Is it doing authentication? Can you share the configuration here? Have you seen the doc guidance below?

https://docs.rstudio.com/connect/admin/proxy/

What is basically happening is that the IDE does a "health check" on the RStudio Connect server, so that request is getting broken somehow. We can probably replicate the request with curl -i (either from your local computer or from the RStudio Server node itself) - the requests themselves will be shown if you execute the following in your R console before publishing:

options(rsconnect.http.verbose = TRUE)
options(rsconnect.http.trace.json = TRUE)

Yes, I am rewriting a path. Using the settings in nginx that are recommended by the setup guide:

location /rsc/ {
      rewrite ^/rsc/(.*)$ /$1 break;
      proxy_set_header X-RSC-Request $scheme://$http_host$request_uri;
      proxy_pass http://localhost:3939;
      proxy_redirect / /rsc/;
      proxy_set_header Connection "upgrade";
      proxy_set_header Upgrade $http_upgrade;
      proxy_http_version 1.1;
    }

Only the proxy_set_header Connection $connection_upgrade; has been altered.

Using the options to see what is happening is a great idea. RStudio seems to have an issue with getting the CA:

* Hostname in DNS cache was stale, zapped
*   Trying xxx.xxx.xxx.xxx:443...
* TCP_NODELAY set
* Connected to foo.bar (xxx.xxx.xxx.xxx) port 443 (#14)
* found 392 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 14
Timing stopped at: 0.028 0 0.028

obviously this is not a problem I encounter when accessing the URL in a browser. The cert is working fine

Ahhh interesting! So that means that the RStudio Server does not trust the RStudio Connect Certificate Authority. Resolving that trust issue will likely resolve the problem! (You want to add the Certificate Authority to the RStudio Server's trust store. I suspect your browser is already configured to trust the CA, which explains why the trust works fine there.)

It's worth noting that you probably need to configure Connect to trust the CA as well! That way things like pins or using the RStudio Connect Server API from Connect will not also run into certificate trust issues.

To test, you can use the rsconnect.check.certificate option discussed here:
https://rdrr.io/cran/rsconnect/man/options.html

You can also test that this is the case easily from the terminal:

# should fail
curl -i https://connect-server-url.com

# should succeed
curl -i -k https://connect-server-url.com