rserver.conf

The following is a list of available options that can be specified in the rserver.conf configuration file, which controls behavior of Workbench’s rserver process, allowing you to tune HTTP, authorization options, and other settings that broadly affect Posit Workbench.

verify Settings

verify-installation

Runs verification mode to verify the current installation.

Type: bool
Default: 0

verify-user

Workbench

Specifies the run-as user for additional Job Launcher verification.

Type: string
Default: <empty string>

verify-test

Workbench

Specifies the verify-installation test to run. Leave empty to run all tests.

Type: string
Default: <empty string>

server Settings

server-working-dir

The default working directory of the rserver process.

Type: string
Default: /

server-user

The user account of the rserver process.

Type: string
Default: rstudio-server

server-daemonize

Indicates whether or not the rserver process should run as a daemon.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

server-pid-file

The path to a file where the rserver daemon’s pid is written.

Type: string
Default: /var/run/rstudio-server.pid

server-set-umask

If enabled, sets the rserver process umask to 022 on startup, which causes new files to have rw-r--r-- permissions.

Type: bool
Default: 1

server-data-dir

Path to the data directory where Posit Workbench will write run-time state.

Type: string
Default: /var/run/rstudio-server

server-add-header

Adds a header to all responses from Posit Workbench. This option can be specified multiple times to add multiple headers.

Type: string
Default: <empty string>

server-db-migrate-path

Workbench

The relative path from the RStudio installation directory, or absolute path where the Workbench Database migration program binary is located.

Type: string
Default: bin/workbench-database-migrate

server-nginx-path

Workbench

The relative path from the RStudio installation directory, or absolute path where the NGINX binary is located.

Type: string
Default: bin/rserver-http

server-nginx-conf-template-path

Workbench

The relative path from the RStudio installation directory, or absolute path where the NGINX config file templates are located.

Type: string
Default: conf

server-nginx-conf-path

Workbench

Specifies the path to the NGINX config files.

Type: string
Default: /var/lib/rstudio-server/conf

server-nginx-ld-library-path

Workbench

Specifies the LD_LIBRARY_PATH for the NGINX executable.

Type: string
Default: <empty string>

server-access-log

Workbench

Indicates whether or not to write HTTP access logs to /var/log/rstudio/rstudio-server.

Type: bool
Default: 0

nginx-error-log-level

Workbench

Specifies one of crit, error, warn, info, debug (note: debug level requires a debug build of rserver-http - the bundled NGINX executable)

Type: string
Default: warn

server-nginx-http-directives-path

Workbench

Specifies the path to custom NGINX http directives.

Type: string
Default: The first nginx.http.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.http.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-server-directives-path

Workbench

Specifies the path to custom NGINX server directives.

Type: string
Default: The first nginx.server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.server.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-site-directives-path

Workbench

Specifies the path to custom NGINX site directives.

Type: string
Default: The first nginx.site.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.site.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-worker-connections-path

Workbench

Specifies the path to custom NGINX worker directives that replace the default options for # of file descriptors, worker_connections, and worker_processes.

Type: string
Default: The first nginx.worker.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.worker.conf if no XDG_CONFIG_DIRS are specified. If no nginx.worker.conf exists, default values of 1 worker_process, 2048 worker_connections, and 4096 for the nofile rlimit are used.

server-nginx-static-directives-path

Workbench

Specifies the path to custom NGINX static directives file that replaces the default optimization for offloading static file serving from rserver and rworkspaces.

Type: string
Default: The first nginx.static.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.static.conf if no XDG_CONFIG_DIRS are specified. If no nginx.static.conf exists, directives are included so that the local NGINX server handles most static file resource without proxying them to rserver.

server-health-check-enabled

Workbench

Indicates whether or not to allow access to the server health check URL.

Type: bool
Default: 0

server-license-type

Workbench

Specifies whether to use remote (floating) or local (activation) licensing.

Type: string
Default: local

license-retry-seconds

Workbench

Specifies the number of seconds to wait between floating license retries.

Type: int
Default:

license-warning-days

Workbench

Specifies the number of days before the license expiration during which a warning will be shown to the user; set to 0 to disable license warnings.

Type: int
Default: 15

resolve-load-balancer-nodes

Workbench

Indicates whether or not to resolve IP addresses associated with load balancer nodes; not compatible with SSL unless the IP address is in the CN/SAN.

Type: bool
Default: 0

server-balancer-path

Workbench

The relative path from the RStudio installation directory, or absolute path where the custom load balancing script is located.

Type: string
Default: bin/rserver-balancer

server-multiple-sessions

Workbench

Indicates whether or not to allow multiple sessions per user.

Type: bool
Default: 1

r-versions-multiple

Workbench

Indicates whether or not to allow the use of multiple R versions.

Type: bool
Default: 1

server-project-sharing

Workbench

Indicates whether or not to allow project sharing.

Type: bool
Default: 1

server-project-sharing-root-dir

Workbench

Specifies the root directory for shared projects in addition to users’ own home directories.

Type: string
Default: <empty string>

server-user-home-page

Workbench

Indicates whether or not to show the user home page upon login.

Type: bool
Default: 1

r-versions-scan

Workbench

Indicates whether or not to scan for available R versions on the system.

Type: bool
Default: 1

modules-bin-path

Workbench

Specifies the path to modules sh init binary. This is necessary if you intend to load R versions via modules.

Type: string
Default: <empty string>

admin-enabled

Workbench

Indicates whether or not to allow access to the administration dashboard.

Type: bool
Default: 0

admin-group

Workbench

Limits admin dashboard access to users belonging to the specified group.

Type: string
Default: <empty string>

admin-superuser-group

Workbench

Limits admin superusers to those belonging to the specified group.

Type: string
Default: <empty string>

admin-monitor-log-use-server-time-zone

Workbench

Indicates whether or not to use the server time zone when displaying the monitor log. If disabled, uses UTC.

Type: bool
Default: 0

r-versions-path

Workbench

Specifies the path to the file containing the list of available R Versions in JSON format. This file will be automatically generated by the rserver process after discovering the R versions available on the system. It is strongly recommended not to modify this setting in most cases.

Type: string
Default: /var/lib/rstudio-server/r-versions

launcher-address

Workbench

Specifies the address of the Launcher service (local unix domain socket file or IP address).

Type: string
Default: <empty string>

launcher-port

Workbench

Specifies the port of the Launcher to connect to (if not using a unix domain socket).

Type: string
Default: <empty string>

launcher-use-ssl

Workbench

Indicates whether or not to use SSL connections when connecting to the Launcher (if not using a unix domain socket).

Type: bool
Default: 0

launcher-verify-ssl-certs

Workbench

Indicates whether or not to verify the Launcher certificate(s) when using an SSL connection.

Type: bool
Default: 1

launcher-sessions-enabled

Workbench

Indicates whether or not to use the Launcher for creating sessions.

Type: bool
Default: 0

launcher-default-cluster

Workbench

Specifies the default cluster to launch jobs on when using the Launcher.

Type: string
Default: <empty string>

launcher-sessions-callback-address

Workbench

The callback address (hostname, IP address, or HTTP URL) of rserver for Launcher sessions to communicate back.

Type: string
Default: <empty string>

launcher-sessions-callback-verify-ssl-certs

Workbench

Indicates whether or not to enforce SSL certificate verification of the server when Launcher sessions communicate back via the callback address.

Type: bool
Default: 1

launcher-sessions-callback-timeout

Workbench

The number of seconds to wait before timing out a connection from a Launcher session to the callback address.

Type: int
Default: 10

launcher-sessions-container-image

Workbench

Specifies the default container image to use for Launcher sessions. Only applicable for container-based job systems (e.g. Kubernetes).

Type: string
Default: <empty string>

launcher-sessions-container-run-as-root

Workbench

Indicates whether or not to run the Launcher session containers as root. If not, uses the requesting user’s UID. Only applicable for container-based job systems.

Type: bool
Default: 0

launcher-sessions-create-container-user

Workbench

Indicates whether or not to create a user for the container’s owner when running Launcher session containers. Only applicable for container-based job systems.

Type: bool
Default: 1

launcher-sessions-connection-timeout-seconds

Workbench

Specifies the connection timeout in seconds to use when establishing a connection to a Launcher session.

Type: int
Default: 3

launcher-sessions-proxy-timeout-seconds

Workbench

Specifies the connection timeout in seconds to use for waiting for a launcher job to be running for a normal proxy request.

Type: int
Default: 5

launcher-sessions-clusters

Workbench

Specifies a comma-separated list of available clusters for launching interactive sessions (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-adhoc-clusters

Workbench

Specifies a comma-separated list of available clusters for launching ad hoc jobs (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-sessions-container-images

Workbench

Specifies a comma-separated list of available container images for launching interactive sessions (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-adhoc-container-images

Workbench

Specifies a comma-separated list of available container images for launching ad hoc jobs (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-sessions-forward-container-environment

Workbench

Used in previous versions to forward environment variables from the Kubernetes container spec to the session. Use the more general-purpose launcher-sessions-forward-environment=0 setting to control this behavior instead.
This option is deprecated and should not be used.

Type: bool
Default: 1

launcher-sessions-container-forward-groups

Workbench

Indicates whether or not to forward the user’s supplemental groups to the container. Only applicable for container-based job systems.

Type: bool
Default: 1

rstudio-pro-sessions-enabled

Workbench

Indicates whether or not RStudio Pro Sessions can be started from the homepage.

Type: bool
Default: 1

load-balancing-enabled

Workbench

Set to 1 to enable server load balancing, 0 to disable. When not set, the presence of the load-balancer configuration file enables server load balancing for compatibility (a warning is issued to make this choice explicit).

Type: string
Default: <empty string>

max-streams-per-user

Workbench

Set to limit the number of streaming connections an individual user can have open. The oldest one is closed when the limit is surpassed.

Type: int
Default: 3

streaming-connection-timeout-seconds

Workbench

Specifies a maximum timeout in seconds to allow status stream connections to stay open. Set to 0 to disable stream connection timeout.

Type: int
Default: 300

launcher-sessions-forward-environment

Workbench

Forward environment variables from the parent Launcher job (i.e. Kubernetes container or Slurm job) to the session.

Type: bool
Default: 1

launcher-sessions-auto-update

Workbench

Indicates whether or not to automatically update session components on non-Local clusters. Only supported on Kubenernetes.

Type: bool
Default: 0

session-hooks-enabled

Workbench

Whether or not session hooks are enabled.

Type: bool
Default: 0

session-hooks-path

Workbench

Path to a directory of scripts that can be called by a session hook.

Type: string
Default: <empty string>

session-hooks-start

Workbench

Scripts that should be run when a session starts.

Type: string
Default: <empty string>

session-hooks-stop

Workbench

Scripts that should be run when a session stops.

Type: string
Default: <empty string>

www Settings

www-address

The network address that Posit Workbench will listen on for incoming connections.

Type: string
Default: 0.0.0.0

www-port

The port that Posit Workbench will bind to while listening for incoming connections. If left empty, the port will be automatically determined based on your SSL settings (443 for SSL, 8787 for no SSL).

Type: string
Default: <empty string>

www-socket

The socket that RStudio Server will bind to while listening for incoming connections. If left empty, a port will be used.

Type: string
Default: <empty string>

www-root-path

The path prefix added by a proxy to the incoming RStudio URL. This setting is used so Posit Workbench knows what path it is being served from. If running Posit Workbench behind a path-modifying proxy, this should be changed to match the base Posit Workbench URL.

Type: string
Default: Assume the root path '/' if not defined.

www-thread-pool-size

The size of the threadpool from which requests will be serviced. This needs to have enough threads to avoid bottlenecks due to certain requests that block the request thread (e.g. a login fail might run into a delay caused by the pam configuration). For systems with lots of users a larger value is recommended. For systems with only one or two users, a value of 2 will be slightly more efficient.

Type: int
Default: 6

www-proxy-localhost

Indicates whether or not to proxy requests to localhost ports over the main server port. This should generally be enabled, and is used to proxy HTTP traffic within a session that belongs to code running within the session (e.g. Shiny or Plumber APIs)

Type: bool
Default: 1

www-verify-user-agent

Indicates whether or not to verify connecting browser user agents to ensure they are compatible with Posit Workbench.

Type: bool
Default: 1

www-same-site

The value of the ‘SameSite’ attribute on the cookies issued by Posit Workbench. Accepted values are ‘none’ or ‘lax’. The value ‘none’ should be used only when RStudio is hosted into an iframe. For compatibility with some browsers (i.e. Safari 12), duplicate cookies will be issued by Posit Workbench when ‘none’ is used.

Type: string
Default: <empty string>

www-frame-origin

Specifies the allowed origin for the iframe hosting RStudio if iframe embedding is enabled.

Type: string
Default: none

www-enable-origin-check

If enabled, cause RStudio to enforce that incoming request origins are from the host domain. This can be added for additional security. See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

Type: bool
Default: 0

www-allow-origin

Specifies an additional origin that requests are allowed from, even if it does not match the host domain. Used if origin checking is enabled. May be specified multiple times for multiple origins.

Type: string
Default: <empty string>

session-use-file-storage

Whether to use the file system to store metadata about the session storage or the internal database. Setting this to false may require special network configuration. See Session storage for more information.

Type: bool
Default: 1

www-stats-monitor-seconds

The time interval in seconds to log info/debug messages with stats on server performance. Set to 0 to disable.

Type: int
Default: 60

ssl-enabled

Workbench

Enables or disables SSL.

Type: bool
Default: 0

ssl-certificate

Workbench

Specifies the path to the SSL certificate for Posit Workbench to use.

Type: string
Default: <empty string>

ssl-certificate-key

Workbench

Specifies the path to the SSL certificate private key.

Type: string
Default: <empty string>

ssl-protocols

Workbench

Specifies the list of supported SSL protocols separated by a space.

Type: string
Default: TLSv1 TLSv1.1 TLSv1.2

ssl-redirect-http

Workbench

Indicates whether or not HTTP requests should automatically be redirected to HTTPS.

Type: bool
Default: 1

ssl-hsts

Workbench

Indicates whether or not to enable Strict Transport Security when SSL is in use.

Type: bool
Default: 1

ssl-hsts-max-age

Workbench

Specifies the maximum age for Strict Transport Security.

Type: int
Default: 86400

ssl-hsts-include-subdomains

Workbench

Indicates whether or not to include subdomains in HSTS protection.

Type: bool
Default: 0

session-ssl-enabled

Workbench

Set to false (0) to disable use of the SSL protocol when communicating with launcher sessions. By default, certificates are auto-generated.

Type: bool
Default: 1

session-ssl-cert

Workbench

Disables the use of auto-generated per-job certificates for SSL communication between the server and remote sessions. Provides the path to existing cert file on the session host, which must be accessible to the session user.

Type: string
Default: <empty string>

session-ssl-cert-key

Workbench

Path to cert key file, the private key for SSL communication between server and remote sessions. Required when using session-ssl-cert and must also be accessible on the session host to the owner of the session.

Type: string
Default: <empty string>

session-ssl-cert-authority

Workbench

Path to a certificate file in PEM format on server host to use for trusting session certs when using session-ssl-cert. This cert will override the default certificate authority for validating self-signed certs or those from a private CA.

Type: string
Default: <empty string>

session-ssl-verify-certs

Workbench

Set to 0 to disable session cert verification (useful for testing purposes only - do not use in production).

Type: bool
Default: 1

rsession Settings

rsession-which-r

The path to the main R program (e.g. /usr/bin/R). This should be set if no versions are specified in /etc/rstudio/r-versions and the default R installation is not available on the system path.

Type: string
Default: <empty string>

rsession-path

The relative path from the RStudio installation directory, or absolute path to the rsession executable.

Type: string
Default: rsession

rldpath-path

The path to the r-ldpath script which specifies extra library paths for R versions.

Type: string
Default: r-ldpath

rsession-ld-library-path

Specifies additional LD_LIBRARY_PATHs to use for RStudio Pro Sessions.

Type: string
Default: <empty string>

rsession-config-file

If set, overrides the path to the /etc/rstudio/rsession.conf configuration file. The specified path may be a relative path from the RStudio installation directory, or an absolute path.

Type: string
Default: <empty string>

rsession-proxy-max-wait-secs

The maximum time to wait in seconds for a successful response when proxying requests to rsession.

Type: int
Default: 30

rsession-exec-command

Workbench

Specifies the wrapper command used when executing the rsession binary.

Type: string
Default: <empty string>

rsession-no-profile

Workbench

Indicates whether or not to disable user profiles from executing on session start.

Type: bool
Default: 0

rsession-diagnostics-enabled

Workbench

Indicates whether or not session diagnostic data should be collected. This can be used for troubleshooting issues with session starts.

Type: bool
Default: 0

rsession-diagnostics-dir

Workbench

Specifies the directory where session diagnostic data should be written.

Type: string
Default: /tmp

rsession-diagnostics-strace-enabled

Workbench

Indicates whether or not strace data should be included when collecting session diagnostic data.

Type: bool
Default: 0

rsession-diagnostics-libsegfault

Workbench

Specifies the path to libSegFault.so library which is used for dumping stack trace information when session diagnostics are collected.

Type: string
Default: <empty string>

database Settings

database-config-file

If set, overrides the path to the /etc/rstudio/database.conf configuration file.

Type: string
Default: <empty string>

db-connection-timeout

Specifies the number of seconds to wait for making a new db connection

Type: int
Default: 15

auth Settings

auth-none

If set, disables multi-user authentication. Workbench/Pro features may not work in this mode.

Type: bool
Default: 1 (true) if rserver was run without root privilege, otherwise 0 (false).

auth-validate-users

Indicates whether or not to validate that authenticated users exist on the target system. Disabling this option may cause issues to start or to run a session.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

auth-stay-signed-in-days

The number of days to keep a user signed in when using the “Stay Signed In” option. Will only take affect when auth-timeout-minutes is 0 (disabled).

Type: int
Default: 30

auth-timeout-minutes

The number of minutes a user will stay logged in while idle before required to sign in again. Set this to 0 (disabled) to enable legacy timeout auth-stay-signed-in-days.

Type: int
Default: 60

auth-encrypt-password

Indicates whether or not to encrypt the password sent from the login form. For security purposes, we strongly recommend you leave this enabled.

Type: bool
Default: 1

auth-login-page-html

The path to a file containing additional HTML customization for the login page.

Type: string
Default: /etc/rstudio/login.html

auth-rdp-login-page-html

The path to a file containing additional HTML customization for the login page, as seen by RDP users.

Type: string
Default: /etc/rstudio/rdplogin.html

auth-required-user-group

Specifies a group that users must be in to be able to use RStudio.

Type: string
Default: <empty string>

auth-minimum-user-id

Specifies a minimum user id value. Users with a uid lower than this value may not use RStudio.

Type: string
Default: auto

auth-pam-require-password-prompt

Indicates whether or not to require the “Password:” prompt before sending the password via PAM. In most cases, this should be enabled. If using a custom PAM password prompt, you may need to disable this setting if PAM logins do not work correctly.

Type: bool
Default: 1

auth-sign-in-throttle-seconds

The minimum amount of time a user must wait before attempting to sign in again after signing out.

Type: int
Default: 5

auth-revocation-list-dir

If set, overrides the path to the directory which contains the revocation list to be used for storing expired tokens. As of Workbench 1.4, this has been moved to database storage, and so this setting is deprecated, but will be used to port over any existing file-based expired tokens.
This option is deprecated and should not be used.

Type: string
Default: <empty string>

auth-cookies-force-secure

Indicates whether or not auth cookies should be forcefully marked as secure. This should be enabled if running an SSL terminator in front of Posit Workbench. Otherwise, cookies will be marked secure if SSL is configured.

Type: bool
Default: 0

auth-stay-signed-in

Workbench

Indicates whether or not to allow users to stay signed in across browser sessions.

Type: bool
Default: 1

auth-active-timeout-minutes

Workbench

Specifies a maximum number of minutes for the duration of a user session. After this time expires, the user is logged out regardless of whether they have been active or inactive. A value of 0 indicates that no active timeout is enforced.

Type: int
Default: 0

auth-user-rewrite-rule

Workbench

Specifies the default rewrite rule for the authentication provider when using Google OAuth, OpenID, SAML, or proxied authentication. The format of a rewrite rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.

Type: string
Default: <empty string>

auth-google-accounts

Workbench

Enables/disables authentication via Google accounts.

Type: bool
Default: 0

auth-google-accounts-redirect-base-uri

Workbench

Specifies an override URI to use instead of the redirect URI detected for Google accounts. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid

Workbench

Enables/disables authentication via OpenID SSO.

Type: bool
Default: 0

auth-openid-base-uri

Workbench

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid-issuer

Workbench

Specifies the HTTPS URL of the OpenID issuer and the location of ‘/.well-known/open-configuration’

Type: string
Default: <empty string>

auth-openid-scopes

Workbench

Specifies any additional space-separated scopes required by the OpenID OP to return a username claim.

Type: string
Default: <empty string>

auth-openid-username-claim

Workbench

Specifies the name of the OpenID claim used to define the username.

Type: string
Default: preferred_username

auth-openid-email-claim

Workbench

Specifies the name of the OpenID claim used to define the user’s email address. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: email

auth-openid-name-claim

Workbench

Specifies the name of the OpenID claim used to define the user’s display name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: name

auth-openid-posix-id-claim

Workbench

Specifies the name of the OpenID claim used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-openid-posix-name-claim

Workbench

Specifies the name of the OpenID claim used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-openid-homedir-claim

Workbench

Specifies the name of the OpenID claim used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml

Workbench

Enables/disables authentication via SAML SSO.

Type: bool
Default: 0

auth-saml-metadata-path

Workbench

Specifies the path to the XML SAML metadata file. Overrides the metadata URL option if present.

Type: string
Default: <empty string>

auth-saml-metadata-url

Workbench

Specifies the location of the XML SAML metadata on the Identity Provider. Requires back-end connectivity.

Type: string
Default: <empty string>

auth-saml-idp-entity-id

Workbench

Specifies the entity identifier (name or URI) of the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sso-url

Workbench

Specifies the endpoint that will receive SSO requests on the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sign-cert-path

Workbench

Specifies the path to the PEM certificate file for verifying SAML signatures. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-post-binding

Workbench

When enabled, uses HTTP POST for SSO. Otherwise, uses an HTTP redirect. This must match the metadata specification if metadata is defined.

Type: bool
Default: 0

auth-saml-sso-initiation

Workbench

Indicates if only “idp” or “sp” can initiate a SAML SSO sequence. If not defined, both can initiate.

Type: string
Default: <empty string>

auth-saml-sp-base-uri

Workbench

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-saml-sp-encryption-key-path

Workbench

Specifies the path to the PEM file containing the private key for decrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-encryption-cert-path

Workbench

Specifies the path to the PEM certificate file for encrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-key-path

Workbench

Specifies the path to the PEM file containing the private key for signing SAML requests. Not used if an encryption key is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-cert-path

Workbench

Specifies the path to the PEM certificate file for verifying SAML requests signature. Not used if an encryption certificate is defined.

Type: string
Default: <empty string>

auth-saml-sp-request-signing-method

Workbench

Indicates whether “sha1”, “sha256”, or “sha512” is used to sign SAML requests. If not defined, the SAML requests will not be signed.

Type: string
Default: <empty string>

auth-saml-sp-name-id-format

Workbench

Requests that the NameID Format be one of “unspecified”, “emailAddress”, “persistent” or “transient”. This must match the metadata specification if metadata is defined.

Type: string
Default: <empty string>

auth-saml-sp-attribute-username

Workbench

Specifies the name of the attribute in the SAML assertion used to define the username.

Type: string
Default: Username

auth-saml-sp-attribute-email

Workbench

Specifies the name of the attribute in the SAML assertion used to define the user’s email address. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-name

Workbench

Specifies the name of the attribute in the SAML assertion used to define the user’s display name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-posix-id

Workbench

Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-posix-name

Workbench

Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-homedir

Workbench

Specifies the name of the attribute in the SAML assertion used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-proxy

Workbench

Enables/disables authentication via proxy by using a special header field.

Type: bool
Default: 0

auth-proxy-sign-in-url

Workbench

Specifies the URL of the sign in page for proxied authentication.

Type: string
Default: <empty string>

auth-proxy-sign-out-url

Workbench

Specifies the optional URL of the sign out page for proxied authentication.

Type: string
Default: <empty string>

auth-proxy-sign-in-delay

Workbench

Specifies the delay in seconds to show user sign in info when redirecting from the proxy sign in page.

Type: int
Default: 0

auth-proxy-user-header

Workbench

Specifies the name of the HTTP header that RStudio should read the proxied user identity from.

Type: string
Default: X-RStudio-Username

auth-proxy-user-header-rewrite

Workbench

Specifies the re-write rule for the auth-proxy-user-header. The format of a re-write rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.

Type: string
Default: <empty string>

auth-pam-sessions-enabled

Workbench

Enables or disables PAM sessions when new sessions are started. To enable PAM sessions with launcher-sessions-enabled=1, set auth-pam-sessions-enabled=1 explicitly. In that case, either the auth-pam-sessions-use-password=1 setting must also be enabled or pam_rootok must be available on the session node so workbench can perform the equivalent of the unix command su to start a session. See the PAM Sessions section of the guide for more info.

Type: bool
Default: 1 - enabled by default unless launcher-sessions-enabled=1

auth-pam-sessions-profile

Workbench

Specifies the profile to use for PAM sessions.

Type: string
Default: su

auth-pam-sessions-use-password

Workbench

Indicates whether or not to use passwords when creating PAM sessions. Requires storing of user passwords in memory, though we use industry best-practices for keeping the passwords secure.

Type: bool
Default: 0

auth-pam-sessions-close

Workbench

Indicates whether or not to close the PAM session when the RStudio Pro Session exits.

Type: bool
Default: 0

workbench-api-enabled

Workbench

Enable use of the workbench API - that allows user specific api-tokens to enable additional apis to manage that user’s sessions (preview feature - see doc for details).

Type: bool
Default: 0

workbench-api-admin-enabled

Workbench

Enables used of the workbench API with admin-level tokens. These permit read-only access to user information but do not allow launching of sessions or impersonation of users to modify their information (preview feature - see doc for details).

Type: bool
Default: 0

workbench-api-super-admin-enabled

Workbench

Enables used of the workbench API with super-admin-level tokens that do permit api tokens that start sessions on the user’s behalf (preview feature - see doc for details)

Type: bool
Default: 0

monitor Settings

monitor-interval-seconds

The interval in seconds at which the monitor is probed for new data.

Type: int
Default: 60

monitor-stderr-enabled

Workbench

Indicates whether or not to log metrics to stderr.

Type: bool
Default: 0

monitor-rrd-enabled

Workbench

Indicates whether or not to enable logging of metrics to RRD.

Type: bool
Default: 1

monitor-data-path

Workbench

Specifies the path where monitor logs and RRD databases should be written.

Type: string
Default: /var/lib/rstudio-server/monitor

monitor-rstudio-session-metrics

Workbench

Indicates whether or not to collect metrics about session utilization per user.

Type: bool
Default: 1

monitor-rrd-rrdtool-binary

Workbench

Specifies the path to the rrdtool binary.

Type: string
Default: /usr/bin/rrdtool

monitor-graphite-enabled

Workbench

Enables/disables logging of metrics to graphite.

Type: bool
Default: 0

monitor-graphite-host

Workbench

Specifies the host to send graphite metrics to.

Type: string
Default: 127.0.0.1

monitor-graphite-port

Workbench

Specifies the port to send graphite metrics to.

Type: int
Default: 2003

monitor-graphite-client-id

Workbench

Specifies the optional client id to include along with graphite metrics.

Type: string
Default: <empty string>

audit-data-path

Workbench

Specifies the path to where audit data should be stored.

Type: string
Default: /var/lib/rstudio-server/audit

audit-r-console

Workbench

Specifies the level of console activity that should be audited (none, input, or all).

Type: string
Default: none

audit-r-console-user-limit-months

Workbench

Specifies the number of months of user console data to retain within the audit directory.

Type: int
Default: 0

audit-r-console-user-limit-mb

Workbench

Specifies the limit in megabytes on user console actions to retain in the audit log.

Type: int
Default: 50

audit-r-console-compress

Workbench

Indicates whether or not to compress console audit logs using gzip compression.

Type: bool
Default: 0

audit-r-console-format

Workbench

Specifies the format to use for the console audit log (csv or json).

Type: string
Default: csv

audit-r-sessions

Workbench

Indicates whether or not to audit RStudio Pro Session activity.

Type: bool
Default: Enabled if using named user licensing. Disabled otherwise.

audit-r-sessions-limit-months

Workbench

Specifies the number of months of session action data to retain within the audit directory.

Type: int
Default: 13

audit-r-sessions-limit-mb

Workbench

Specifies the limit in megabytes on session actions to retain in the audit log.

Type: int
Default: 1024

audit-r-sessions-format

Workbench

Specifies the format to use for the session audit log (csv or json).

Type: string
Default: csv

server-shared-storage-path

Workbench

Specifies the path to the shared storage directory.

Type: string
Default: /var/lib/rstudio-server/shared-storage

metrics Settings

metrics-enabled

Workbench

Indicates whether or not to enable the prometheus metrics endpoint.

Type: bool
Default: 0

metrics-port

Workbench

Specifies the port to use for the prometheus metrics endpoint.

Type: int
Default: 8989

metrics-address

Workbench

Specifies the address to use for the prometheus metrics endpoint. When not present, the value of www-address will be used.

Type: string
Default: <empty string>

metrics-nginx-directives-path

Workbench

Specifies the path to custom NGINX metrics server directives.

Type: string
Default: The first nginx.metrics-server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.metrics-server.conf if no XDG_CONFIG_DIRS are specified.

databricks Settings

databricks-enabled

Workbench

Whether to enable Databricks integrations, either 1 or 0. The default is ‘auto’, which enables the integrations if there are a non-zero number of Databricks workspaces configured.

Type: string
Default: auto

userProvisioning Settings

user-provisioning-enabled

Workbench

Enables or disables the auto user provisioning feature of Workbench.

Type: string
Default: 0

user-homedir-path

Workbench

When user provisioning is enabled, this path will serve as the parent for user home directories.

Type: string
Default: /home

user-provisioning-start-uid

Workbench

Specifies the minimum value to use when assigning UIDs to newly provisioned users. To avoid conflicts with system user accounts, this value must be greater than or equal to 1000.

Type: int
Default: 1000

user-provisioning-register-on-first-login

Workbench

When enabled, users are automatically provisioned the first time they log in. Otherwise, users must be provisioned through the SCIM API before they can log in. Requires user-provisioning-enabled=1. Not supported by all authentication methods.

Type: bool
Default: 0

snowflake Settings

allow-refresh-snowflake-roles

Workbench

When enabled, allows Workbench to automatically refresh the list of Snowflake roles for a user when they log in.

Type: bool
Default: 1

Back to top