Opening RStudio using AWS' SSL certificate

Output for the curl -I -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36' http://myurl.com/rstudio/

HTTP/1.1 302 Moved Temporarily
Content-Length: 49
Content-Type: text/html; charset=UTF-8
Date: Thu, 31 Jan 2019 07:12:59 GMT
Location: http://myurl.com/rstudio/auth-sign-in
Server: RStudio
Connection: keep-alive

Output for the curl -I -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36' https://myurl.com/rstudio/

HTTP/1.1 302 Moved Temporarily
Content-Length: 50
Content-Type: text/html; charset=UTF-8
Date: Thu, 31 Jan 2019 07:15:08 GMT
Location: https://localhost:8787/auth-sign-in
Server: RStudio
Connection: keep-alive

This is what I have before logging in (no auth-do-sign-in, only auth-sign-in)

And this is what I have after trying to log in:

(before this picture, during the login attempt, the auth-public-key, auth-do-sign-in and localhost endpoints appeared on the screen, but 2 seconds later the localhost turned red and the picture above appeared)

So I barely had time to take a screenshot, but I took a picture of the auth-do-sign-in as fast as I could:

(sorry for the terrible picture :joy: )

This is what I got from the localhost endpoint that turned red:

Voila! That's the ticket! Well done with the clutch screen-shotting! :camera: I know that had to be a pain :man_facepalming:

To save yourself the trouble in the future, there is a "Preserve Logs" option near the top middle-right-ish that will keep the information around when redirects happen :slight_smile: Sorry for not mentioning that!

So did you notice the problem? auth-do-sign-in is not matching your redirect because the redirect is being fired to https://localhost:8787 (which Apache does not know how to escape). The protocol is being preserved there..., interesting!

Adding a line like ProxyPassReverse /rstudio/ localhost:8787/ or ProxyPassReverse /rstudio/ https://localhost:8787/ (or both?) will resolve your issue, I would guess... but I would be more interested in figuring out why that redirect is getting missed. Maybe trying those two lines will give us some insight?

Again, Apache is looking for http://localhost:8787/ to rewrite it to myurl.com/rstudio... but it isn't finding http://localhost:8787/ so it is not rewriting it. The two lines above are meant to match whatever RStudio is sending back. Do you mind sharing your RStudio Server configuration?

EDIT: One other note. You may want to change how Apache refers to itself (setting the ServerName), since that may be where Apache gets its notion of "what URL should I be sending back" in certain cases... I have to admit, I don't actually know for sure :grimacing:

This would explain why the redirect works fine when you are using http though, because THEN it is matching http://localhost:8787/. But when navigating to https, you're not matching https://localhost:8787/ in the proxy config...

Hi Cole,

The ProxyPassReverse /rstudio/ https://localhost:8787/ worked! :grin:

But I'm worried about something: every time I write https://myurl.com/rstudio I'm redirected to the http version, and then if I click enter again, I can see the https page. Do you understand why?

And now, after the log in phase, my url is http://myurl.com/rstudio and I can see my Shiny app's code.
But shouldn't it be https://myurl.com/rstudio ?
Should I be worried about this?

My RStudio Server configuration file (rserver.conf) is empty :joy:
(the file is in /etc/rstudio/rserver.conf. It's this one you want, right? It's empty).

About your comment "You may want to change how Apache refers to itself": I don't know how to do that :confused:

Thanks a lot for all your help, Cole! :slight_smile:

EDIT: now my virtual host looks like this:

<VirtualHost *:80>

  <Proxy *>
    Allow from localhost
  </Proxy>

  RedirectMatch permanent ^/rstudio$ /rstudio/

  RewriteEngine on
  RewriteCond %{HTTP:Upgrade} =websocket
  RewriteRule /rstudio/(.*)     ws://localhost:8787/$1  [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket
  RewriteRule /rstudio/(.*)     http://localhost:8787/$1 [P,L]
  ProxyPass /rstudio/ http://localhost:8787/
  ProxyPassReverse /rstudio/ http://localhost:8787/
  #ProxyPassReverse /rstudio/ localhost:8787/ #the line below is enough.
  ProxyPassReverse /rstudio/ https://localhost:8787/
  ProxyRequests Off

  # For redirecting to https:
  RewriteCond %{HTTP:X-Forwarded-Proto} =http
  RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

</VirtualHost>

These are good questions! Glad to hear things are working for the most part!! I don’t have exact syntax in hand at the moment, but are you testing this with an Incognito browser or after clearing browser history? These redirects are the type of thing that the browsers can cache and give some inexplicable behavior.

The ideal approach would honestly be to turn off HTTP completely once you have HTTPS working. But you do want to be sure that there is no cross-up happening that would prevent HTTPS working by itself. Do you mind confirming that the browser cache is not the problem by clearing history / using incognito mode?

I was already in Incognito mode when I checked this behavior :confused:

How can I be sure that there is no cross-up happening that would prevent HTTPS working by itself and then turn off HTTP completely?

Sorry for the late reply here. I haven't had a chance to dig into the config for this, but basically you would want either your AWS ELB or your Apache proxy to redirect everything that hits 80 to 443, so nothing is permitted on port 80 and everything with straight HTTP gets redirected to https. There is decent documentation out there on the web for doing this with Apache (I usually just find a tutorial that talks about it), and there may be something related for AWS ELB. I'm definitely curious to hear what you come up with!
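A way to check for the two redirect problems reported in this thread (the backend address reaching the browser, and an https request landing on an http URL), added here as an example and not code from the thread, RStudio or Apache. The names `proxy_pass_reverse`, `audit_redirect` and `PUBLIC_BASE` are hypothetical, and the model assumes the port-80 virtual host builds the rewritten URL with its own http scheme.

```python
from urllib.parse import urlsplit

# Constructed samples, trimmed from the two curl -I outputs quoted in the thread.
HTTP_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Location: http://myurl.com/rstudio/auth-sign-in
Server: RStudio
"""
HTTPS_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Location: https://localhost:8787/auth-sign-in
Server: RStudio
"""
# Assumption: a port-80 vhost behind a TLS-terminating load balancer describes
# itself as http when it builds the rewritten URL.
PUBLIC_BASE = "http://myurl.com/rstudio/"

def location_of(raw_headers):
    """Return the Location value from a raw response header block, or None."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def proxy_pass_reverse(location, backend_urls, public_base=PUBLIC_BASE):
    """Simplified model of ProxyPassReverse: swap a matching backend prefix."""
    for backend in backend_urls:
        if location.startswith(backend):
            return public_base + location[len(backend):]
    return location  # nothing matched, so the header reaches the browser as is

def audit_redirect(request_url, location):
    """List what is wrong with a redirect seen from the client side."""
    if not location:
        return []
    req, loc = urlsplit(request_url), urlsplit(location)
    findings = []
    if loc.netloc and loc.netloc != req.netloc:
        findings.append("backend-leak")      # e.g. localhost:8787 sent to the browser
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("scheme-downgrade")  # https request answered with an http URL
    return findings

if __name__ == "__main__":
    sent = location_of(HTTPS_RESPONSE)
    for backends in (["http://localhost:8787/"],
                     ["http://localhost:8787/", "https://localhost:8787/"]):
        seen = proxy_pass_reverse(sent, backends)
        print(backends, "->", seen, audit_redirect("https://myurl.com/rstudio/", seen))
```

Run `audit_redirect` on the Location returned by `curl -I` for each public URL; an empty list for every https request means the redirects stay on the public host and on https.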

Hi Cole,

I'll look into it and I'll post it here if I find something useful :slight_smile:


Following up on this with a few interesting tidbits! I'm not sure what type of AWS Load Balancer you are using (Classic Load Balancer, Application Load Balancer, etc.), and this advice will differ based on that result. However, most AWS Load Balancers can actually FORCE HTTPS traffic; that is, redirect HTTP traffic to HTTPS.

Some documentation on this topic that might be useful:

https://aws.amazon.com/about-aws/whats-new/2018/07/elastic-load-balancing-announces-support-for-redirects-and-fixed-responses-for-application-load-balancer/
https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/
https://aws.amazon.com/elasticloadbalancing/features/#Details_for_Elastic_Load_Balancing_Products
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
