Getting "Forbidden" Message connecting to Rstudio-Server through F5 Proxy

I have an Rstudio-server open source implementation that has been running fine on an RHEL 8 server. I have been accessing it via our VPN which was working fine until we recently had a successive set of issues which made VPN access unstable. We have an F5 load balancer/proxy that front-ends much of our production IP space, and I'm trying to set up access to Rstudio through the F5. I am reasonably certain that I have appropriately configured the F5 so that it is forwarding the /rstudio URI to the appropriate server on tcp/8787. However, when I attempt to connect I get a simple error page that says "Forbidden". This is not an Apache error, it's not an error message from the F5 from what I can tell, and I can't find anything in any logs that shows an HTTP:403 being served up.

Any help is appreciated.

I’m away from my desktop and don’t recall clearly. Is server set up with an authentication check? Since olden days (1995), I’ve always thought of a 403 as a credentials issue.

I typically log into the Rstudio server environment using my RHEL credentials. It works when I’m VPN’d or otherwise attached to the network it resides on, using :8787. The issue starts when I try to access outside of the network, going through our F5, using /rstudio. When I do that, it doesn't prompt for any credentials, it just goes directly to Forbidden. What's odd is that I know it's getting pointed to tcp:8787 because the apache server is set to simply give the three digit HTTP error code with no other text. If I could find a log entry, I'm sure I could fix it, but /var/log/messages, /var/log/rstudio/rstudio-server/rserver.log, and the other obvious logfile candidates are not showing anything useful. I have reconfigued the logging.conf file under /etc/rstudio to have log-level=info, and even up to "debug" on @rserver but still nothing that gives a clue as to what is causing the Forbidden message to pop up.

Dang. The server is reachable, but clammed up and decides it’s not even going to ask who’s knocking. But only behind the proxy. I wonder if server is looking for an agent identifier that proxy isn’t playing forward?

Okay, I figured out the problem - I have the F5 configured so that when it sees <fqdn>/rstudio, it forwards to :8787. What I didn't account for is that it is sending the uri of "/rstudio" over along with the redirect, which is a folder that (rightly) has restricted access, therefore "Forbidden". Verified by doing <ip>:8787/rstudio and receiving the same Forbidden message. So it's not an Rstudio issue per se, I just need to figure out how to get the F5 to send me to <ip>:8787/ without the URI being passed through.

[ETA] In case anyone else runs into this and gets stumped, the secret is that you have to set up a URI rewrite rule in the F5. I was using an iRule that shoved "/rstudio/" to the applicable IP host, but this left the URI intact. You need a rewrite policy that changes "/rstudio/" (or whatever) back into "http://<ip>:8787/". You may also need to set the X-RStudio-Request header; I did this, but I'm not 100% sure it made a difference. Still, seems like a good idea. I used HTTP::header insert X-RStudio-Request "http://<ip>:8787/rstudio"

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.