Appendix H — rserver.conf

The following is a list of available options that can be specified in the rserver.conf configuration file, which controls behavior of the rserver process, allowing you to tune HTTP, authorization options, and other settings that broadly affect RStudio Server.

verify Settings

verify-installation

Runs verification mode to verify the current installation.

Type: bool
Default: 0

verify-user

Specifies the run-as user for additional Job Launcher verification.

Type: string
Default: <empty string>

verify-test

Specifies the verify-installation test to run. Leave empty to run all tests.

Type: string
Default: <empty string>

server Settings

server-working-dir

The default working directory of the rserver process.

Type: string
Default: /

server-user

The user account of the rserver process.

Type: string
Default: rstudio-server

server-daemonize

Indicates whether or not the rserver process should run as a daemon.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

server-pid-file

The path to a file where the rserver daemon’s pid is written.

Type: string
Default: /var/run/rstudio-server.pid

server-set-umask

If enabled, sets the rserver process umask to 022 on startup, which causes new files to have rw-r-r permissions.

Type: bool
Default: 1

server-data-dir

Path to the data directory where RStudio Server will write run-time state.

Type: string
Default: /var/run/rstudio-server

server-add-header

Adds a header to all responses from RStudio Server. This option can be specified multiple times to add multiple headers.

Type: string
Default: <empty string>

server-nginx-path

The relative path from the RStudio installation directory, or absolute path where the nginx binary is located.

Type: string
Default: bin/rserver-http

server-nginx-conf-template-path

The relative path from the RStudio installation directory, or absolute path where the nginx config file templates are located.

Type: string
Default: conf

server-nginx-conf-path

Specifies the path to the nginx config files.

Type: string
Default: /var/lib/rstudio-server/conf

server-nginx-ld-library-path

Specifies the LD_LIBRARY_PATH for the nginx executable.

Type: string
Default: <empty string>

server-access-log

Indicates whether or not to write HTTP access logs to /var/log/rstudio/rstudio-server.

Type: bool
Default: 0

server-nginx-http-directives-path

Specifies the path to custom nginx http directives.

Type: string
Default: The first nginx.http.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.http.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-server-directives-path

Specifies the path to custom nginx server directives.

Type: string
Default: The first nginx.server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.server.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-site-directives-path

Specifies the path to custom nginx site directives.

Type: string
Default: The first nginx.site.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.site.conf if no XDG_CONFIG_DIRS are specified.

server-health-check-enabled

Indicates whether or not to allow access to the server health check URL.

Type: bool
Default: 0

server-license-type

Specifies whether to use remote (floating) or local (activation) licensing.

Type: string
Default: local

license-retry-seconds

Specifies the number of seconds to wait between floating license retries.

Type: int
Default:

license-warning-days

Specifies the number of days before the license expiration during which a warning will be shown to the user; set to 0 to disable license warnings.

Type: int
Default: 15

resolve-load-balancer-nodes

Indicates whether or not to resolve IP addresses associated with load balancer nodes; not compatible with SSL unless the IP address is in the CN/SAN.

Type: bool
Default: 0

server-balancer-path

The relative path from the RStudio installation directory, or absolute path where the custom load balancing script is located.

Type: string
Default: bin/rserver-balancer

server-multiple-sessions

Indicates whether or not to allow multiple sessions per user.

Type: bool
Default: 1

r-versions-multiple

Indicates whether or not to allow the use of multiple R versions.

Type: bool
Default: 1

server-project-sharing

Indicates whether or not to allow project sharing.

Type: bool
Default: 1

server-project-sharing-root-dir

Specifies the root directory for shared projects in addition to users’ own home directories.

Type: string
Default: <empty string>

server-user-home-page

Indicates whether or not to show the user home page upon login.

Type: bool
Default: 1

r-versions-scan

Indicates whether or not to scan for available R versions on the system.

Type: bool
Default: 1

modules-bin-path

Specifies the path to modules sh init binary. This is necessary if you intend to load R versions via modules.

Type: string
Default: <empty string>

admin-enabled

Indicates whether or not to allow access to the administration dashboard.

Type: bool
Default: 0

admin-group

Limits admin dashboard access to users belonging to the specified group.

Type: string
Default: <empty string>

admin-superuser-group

Limits admin superusers to those belonging to the specified group.

Type: string
Default: <empty string>

admin-monitor-log-use-server-time-zone

Indicates whether or not to use the server time zone when displaying the monitor log. If disabled, uses UTC.

Type: bool
Default: 0

r-versions-path

Specifies the path to the file containing the list of available R Versions in JSON format. This file will be automatically generated by the rserver process after discovering the R versions available on the system. It is strongly recommended not to modify this setting in most cases.

Type: string
Default: /var/lib/rstudio-server/r-versions

launcher-address

Specifies the address of the Launcher service (local unix domain socket file or IP address).

Type: string
Default: <empty string>

launcher-port

Specifies the port of the Launcher to connect to (if not using a unix domain socket).

Type: string
Default: <empty string>

launcher-use-ssl

Indicates whether or not to use SSL connections when connecting to the Launcher (if not using a unix domain socket).

Type: bool
Default: 0

launcher-verify-ssl-certs

Indicates whether or not to verify the Launcher certificate(s) when using an SSL connection.

Type: bool
Default: 1

launcher-sessions-enabled

Indicates whether or not to use the Launcher for creating sessions.

Type: bool
Default: 0

launcher-default-cluster

Specifies the default cluster to launch jobs on when using the Launcher.

Type: string
Default: <empty string>

launcher-sessions-callback-address

The callback address (hostname, IP address, or HTTP URL) of rserver for Launcher sessions to communicate back.

Type: string
Default: <empty string>

launcher-sessions-callback-verify-ssl-certs

Indicates whether or not to enforce SSL certificate verification of the server when Launcher sessions communicate back via the callback address.

Type: bool
Default: 1

launcher-sessions-callback-timeout

The number of seconds to wait before timing out a connection from a Launcher session to the callback address.

Type: int
Default: 10

launcher-sessions-container-image

Specifies the default container image to use for Launcher sessions. Only applicable for container-based job systems (e.g. Kubernetes).

Type: string
Default: <empty string>

launcher-sessions-container-run-as-root

Indicates whether or not to run the Launcher session containers as root. If not, uses the requesting user’s UID. Only applicable for container-based job systems.

Type: bool
Default: 0

launcher-sessions-create-container-user

Indicates whether or not to create a user for the container’s owner when running Launcher session containers. Only applicable for container-based job systems.

Type: bool
Default: 1

launcher-sessions-connection-timeout-seconds

Specifies the connection timeout in seconds to use when establishing a connection to a Launcher session.

Type: int
Default: 3

launcher-sessions-clusters

Specifies a comma-separated list of available clusters for launching interactive sessions (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-adhoc-clusters

Specifies a comma-separated list of available clusters for launching ad hoc jobs (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-sessions-container-images

Specifies a comma-separated list of available container images for launching interactive sessions (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-adhoc-container-images

Specifies a comma-separated list of available container images for launching ad hoc jobs (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-sessions-forward-container-environment

Indicates whether or not to forward the existing container environment variables to the session. Only applicable for container-based job systems.

Type: bool
Default: 1

launcher-sessions-container-forward-groups

Indicates whether or not to forward the user’s supplemental groups to the container. Only applicable for container-based job systems.

Type: bool
Default: 1

www Settings

www-address

The network address that RStudio Server will listen on for incoming connections.

Type: string
Default: 0.0.0.0

www-port

The port that RStudio Server will bind to while listening for incoming connections. If left empty, the port will be automatically determined based on your SSL settings (443 for SSL, 80 for no SSL).

Type: string
Default: <empty string>

www-root-path

The path prefix added by a proxy to the incoming RStudio URL. This setting is used so RStudio Server knows what path it is being served from. If running RStudio Server behind a path-modifying proxy, this should be changed to match the base RStudio Server URL.

Type: string
Default: Assume the root path '/' if not defined.

www-thread-pool-size

The size of the threadpool from which requests will be serviced. This may be increased to enable more concurrency, but should only be done if the underlying hardware has more than 2 cores. It is recommended to use a value that is <= to the number of hardware cores, or <= to two times the number of hardware cores if the hardware utilizes hyperthreading.

Type: int
Default: 2

www-proxy-localhost

Indicates whether or not to proxy requests to localhost ports over the main server port. This should generally be enabled, and is used to proxy HTTP traffic within a session that belongs to code running within the session (e.g. Shiny or Plumber APIs)

Type: bool
Default: 1

www-verify-user-agent

Indicates whether or not to verify connecting browser user agents to ensure they are compatible with RStudio Server.

Type: bool
Default: 1

www-same-site

The value of the ‘SameSite’ attribute on the cookies issued by RStudio Server. Accepted values are ‘none’ or ‘lax’. The value ‘none’ should be used only when RStudio is hosted into an iframe. For compatibility with some browsers (i.e. Safari 12), duplicate cookies will be issued by RStudio Server when ‘none’ is used.

Type: string
Default: <empty string>

www-frame-origin

Specifies the allowed origin for the iframe hosting RStudio if iframe embedding is enabled.

Type: string
Default: none

www-enable-origin-check

If enabled, cause RStudio to enforce that incoming request origins are from the host domain. This can be added for additional security. See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

Type: bool
Default: 0

www-allow-origin

Specifies an additional origin that requests are allowed from, even if it does not match the host domain. Used if origin checking is enabled. May be specified multiple times for multiple origins.

Type: string
Default: <empty string>

session-use-file-storage

Whether to use the file system to store metadata about the session storage or the internal database. Setting this to false may require special network configuration. See Session Storage for more information.

Type: bool
Default: 1

ssl-enabled

Enables or disables SSL.

Type: bool
Default: 0

ssl-certificate

Specifies the path to the SSL certificate for RStudio Server to use.

Type: string
Default: <empty string>

ssl-certificate-key

Specifies the path to the SSL certificate private key.

Type: string
Default: <empty string>

ssl-protocols

Specifies the list of supported SSL protocols separated by a space.

Type: string
Default: TLSv1 TLSv1.1 TLSv1.2

ssl-redirect-http

Indicates whether or not HTTP requests should automatically be redirected to HTTPS.

Type: bool
Default: 1

ssl-hsts

Indicates whether or not to enable Strict Transport Security when SSL is in use.

Type: bool
Default: 1

ssl-hsts-max-age

Specifies the maximum age for Strict Transport Security.

Type: int
Default: 86400

ssl-hsts-include-subdomains

Indicates whether or not to include subdomains in HSTS protection.

Type: bool
Default: 0

session-ssl-enabled

Set to false (0) to disable use of the SSL protocol when communicating with launcher sessions. By default, certificates are auto-generated.

Type: bool
Default: 1

session-ssl-cert

Disables the use of auto-generated per-job certificates for SSL communication between the server and remote sessions. Provides the path to existing cert file on the session host, which must be accessible to the session user.

Type: string
Default: <empty string>

session-ssl-cert-key

Path to cert key file, the private key for SSL communication between server and remote sessions. Required when using session-ssl-cert and must also be accessible on the session host to the owner of the session.

Type: string
Default: <empty string>

session-ssl-cert-authority

Path to a certificate file in PEM format on server host to use for trusting session certs when using session-ssl-cert. This cert will override the default certificate authority for validating self-signed certs or those from a private CA.

Type: string
Default: <empty string>

session-ssl-verify-certs

Set to 0 to disable session cert verification (useful for testing purposes only - do not use in production).

Type: bool
Default: 1

rsession Settings

rsession-which-r

The path to the main R program (e.g. /usr/bin/R). This should be set if no versions are specified in /etc/rstudio/r-versions and the default R installation is not available on the system path.

Type: string
Default: <empty string>

rsession-path

The relative path from the RStudio installation directory, or absolute path to the rsession executable.

Type: string
Default: rsession

rldpath-path

The path to the r-ldpath script which specifies extra library paths for R versions.

Type: string
Default: r-ldpath

rsession-ld-library-path

Specifies additional LD_LIBRARY_PATHs to use for R sessions.

Type: string
Default: <empty string>

rsession-config-file

If set, overrides the path to the /etc/rstudio/rsession.conf configuration file. The specified path may be a relative path from the RStudio installation directory, or an absolute path.

Type: string
Default: <empty string>

rsession-proxy-max-wait-secs

The maximum time to wait in seconds for a successful response when proxying requests to rsession.

Type: int
Default: 10

rsession-exec-command

Specifies the wrapper command used when executing the rsession binary.

Type: string
Default: <empty string>

rsession-no-profile

Indicates whether or not to disable user profiles from executing on session start.

Type: bool
Default: 0

rsession-diagnostics-enabled

Indicates whether or not session diagnostic data should be collected. This can be used for troubleshooting issues with session starts.

Type: bool
Default: 0

rsession-diagnostics-dir

Specifies the directory where session diagnostic data should be written.

Type: string
Default: /tmp

rsession-diagnostics-strace-enabled

Indicates whether or not strace data should be included when collecting session diagnostic data.

Type: bool
Default: 0

rsession-diagnostics-libsegfault

Specifies the path to libSegFault.so library which is used for dumping stack trace information when session diagnostics are collected.

Type: string
Default: <empty string>

database Settings

database-config-file

If set, overrides the path to the /etc/rstudio/database.conf configuration file.

Type: string
Default: <empty string>

db-connection-timeout

Specifies the number of seconds to wait for making a new db connection

Type: int
Default: 15

auth Settings

auth-none

If set, disables multi-user authentication. Workbench/Pro features may not work in this mode.

Type: bool
Default: 1 (true) if rserver was run without root privilege, otherwise 0 (false).

auth-validate-users

Indicates whether or not to validate that authenticated users exist on the target system. Disabling this option may cause issues to start or to run a session.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

auth-stay-signed-in-days

The number of days to keep a user signed in when using the “Stay Signed In” option. Will only take affect when auth-timeout-minutes is 0 (disabled).

Type: int
Default: 30

auth-timeout-minutes

The number of minutes a user will stay logged in while idle before required to sign in again. Set this to 0 (disabled) to enable legacy timeout auth-stay-signed-in-days.

Type: int
Default: 60

auth-encrypt-password

Indicates whether or not to encrypt the password sent from the login form. For security purposes, we strongly recommend you leave this enabled.

Type: bool
Default: 1

auth-login-page-html

The path to a file containing additional HTML customization for the login page.

Type: string
Default: /etc/rstudio/login.html

auth-rdp-login-page-html

The path to a file containing additional HTML customization for the login page, as seen by RDP users.

Type: string
Default: /etc/rstudio/rdplogin.html

auth-required-user-group

Specifies a group that users must be in to be able to use RStudio.

Type: string
Default: <empty string>

auth-minimum-user-id

Specifies a minimum user id value. Users with a uid lower than this value may not use RStudio.

Type: string
Default: auto

auth-pam-require-password-prompt

Indicates whether or not to require the “Password:” prompt before sending the password via PAM. In most cases, this should be enabled. If using a custom PAM password prompt, you may need to disable this setting if PAM logins do not work correctly.

Type: bool
Default: 1

auth-sign-in-throttle-seconds

The minimum amount of time a user must wait before attempting to sign in again after signing out.

Type: int
Default: 5

auth-revocation-list-dir

If set, overrides the path to the directory which contains the revocation list to be used for storing expired tokens. As of RStudio Server 1.4, this has been moved to database storage, and so this setting is deprecated, but will be used to port over any existing file-based expired tokens.
This option is deprecated and should not be used.

Type: string
Default: <empty string>

auth-cookies-force-secure

Indicates whether or not auth cookies should be forcefully marked as secure. This should be enabled if running an SSL terminator in front of RStudio Server. Otherwise, cookies will be marked secure if SSL is configured.

Type: bool
Default: 0

auth-stay-signed-in

Indicates whether or not to allow users to stay signed in across browser sessions.

Type: bool
Default: 1

auth-google-accounts

Enables/disables authentication via Google accounts.

Type: bool
Default: 0

auth-google-accounts-redirect-base-uri

Specifies an override URI to use instead of the redirect URI detected for Google accounts. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid

Enables/disables authentication via OpenID SSO.

Type: bool
Default: 0

auth-openid-base-uri

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid-issuer

Specifies the HTTPS URL of the OpenID issuer and the location of ‘/.well-known/open-configuration’

Type: string
Default: <empty string>

auth-openid-scopes

Specifies any additional space-separated scopes required by the OpenID OP to return a username claim.

Type: string
Default: <empty string>

auth-openid-username-claim

Specifies the name of the OpenID claim used to define the username.

Type: string
Default: preferred_username

auth-saml

Enables/disables authentication via SAML SSO.

Type: bool
Default: 0

auth-saml-metadata-path

Specifies the path to the XML SAML metadata file. Overrides the metadata URL option if present.

Type: string
Default: <empty string>

auth-saml-metadata-url

Specifies the location of the XML SAML metadata on the Identity Provider. Requires back-end connectivity.

Type: string
Default: <empty string>

auth-saml-idp-entity-id

Specifies the entity identifier (name or URI) of the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sso-url

Specifies the endpoint that will receive SSO requests on the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sign-cert-path

Specifies the path to the PEM certificate file for verifying SAML signatures. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-post-binding

When enabled, uses HTTP POST for SSO. Otherwise, uses an HTTP redirect. This must match the metadata specification if metadata is defined.

Type: bool
Default: 0

auth-saml-sso-initiation

Indicates if only “idp” or “sp” can initiate a SAML SSO sequence. If not defined, both can initiate.

Type: string
Default: <empty string>

auth-saml-sp-base-uri

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-saml-sp-encryption-key-path

Specifies the path to the PEM file containing the private key for decrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-encryption-cert-path

Specifies the path to the PEM certificate file for encrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-key-path

Specifies the path to the PEM file containing the private key for signing SAML requests. Not used if an encryption key is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-cert-path

Specifies the path to the PEM certificate file for verifying SAML requests signature. Not used if an encryption certificate is defined.

Type: string
Default: <empty string>

auth-saml-sp-request-signing-method

Indicates whether “sha1”, “sha256”, or “sha512” is used to sign SAML requests. If not defined, the SAML requests will not be signed.

Type: string
Default: <empty string>

auth-saml-sp-name-id-format

Requests that the NameID Format be one of “unspecified”, “emailAddress”, “persistent” or “transient”. This must match the metadata specification if metadata is defined.

Type: string
Default: <empty string>

auth-saml-sp-attribute-username

Specifies the name of the attribute in the SAML assertion used to define the username.

Type: string
Default: Username

auth-proxy

Enables/disables authentication via proxy by using a special header field.

Type: bool
Default: 0

auth-proxy-sign-in-url

Specifies the URL of the sign in page for proxied authentication.

Type: string
Default: <empty string>

auth-proxy-sign-out-url

Specifies the optional URL of the sign out page for proxied authentication.

Type: string
Default: <empty string>

auth-proxy-sign-in-delay

Specifies the delay in seconds to show user sign in info when redirecting from the proxy sign in page.

Type: int
Default: 0

auth-proxy-user-header

Specifies the name of the HTTP header that RStudio should read the proxied user identity from.

Type: string
Default: X-RStudio-Username

auth-proxy-user-header-rewrite

Specifies the re-write rule for the auth-proxy-user-header. The format of a re-write rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.

Type: string
Default: <empty string>

auth-pam-sessions-enabled

Enables or disables PAM sessions when new sessions are started.

Type: bool
Default: Disabled if using Launcher sessions. Enabled otherwise.

auth-pam-sessions-profile

Specifies the profile to use for PAM sessions.

Type: string
Default: su

auth-pam-sessions-use-password

Indicates whether or not to use passwords when creating PAM sessions. Requires storing of user passwords in memory, though we use industry best-practices for keeping the passwords secure.

Type: bool
Default: 0

auth-pam-sessions-close

Indicates whether or not to close the PAM session when the R session exits.

Type: bool
Default: 0

monitor Settings

monitor-interval-seconds

The interval in seconds at which the monitor is probed for new data.

Type: int
Default: 60

monitor-stderr-enabled

Indicates whether or not to log metrics to stderr.

Type: bool
Default: 0

monitor-rrd-enabled

Indicates whether or not to enable logging of metrics to RRD.

Type: bool
Default: 1

monitor-data-path

Specifies the path where monitor logs and RRD databases should be written.

Type: string
Default: /var/lib/rstudio-server/monitor

monitor-rstudio-session-metrics

Indicates whether or not to collect metrics about session utilization per user.

Type: bool
Default: 1

monitor-rrd-rrdtool-binary

Specifies the path to the rrdtool binary.

Type: string
Default: /usr/bin/rrdtool

monitor-graphite-enabled

Enables/disables logging of metrics to graphite.

Type: bool
Default: 0

monitor-graphite-host

Specifies the host to send graphite metrics to.

Type: string
Default: 127.0.0.1

monitor-graphite-port

Specifies the port to send graphite metrics to.

Type: int
Default: 2003

monitor-graphite-client-id

Specifies the optional client id to include along with graphite metrics.

Type: string
Default: <empty string>

audit-data-path

Specifies the path to where audit data should be stored.

Type: string
Default: /var/lib/rstudio-server/audit

audit-r-console

Specifies the level of console activity that should be audited (none, input, or all).

Type: string
Default: none

audit-r-console-user-limit-months

Specifies the number of months of user console data to retain within the audit directory.

Type: int
Default: 0

audit-r-console-user-limit-mb

Specifies the limit in megabytes on user console actions to retain in the audit log.

Type: int
Default: 50

audit-r-console-compress

Indicates whether or not to compress console audit logs using gzip compression.

Type: bool
Default: 0

audit-r-console-format

Specifies the format to use for the console audit log (csv or json).

Type: string
Default: csv

audit-r-sessions

Indicates whether or not to audit R session activity.

Type: bool
Default: Enabled if using named user licensing. Disabled otherwise.

audit-r-sessions-limit-months

Specifies the number of months of session action data to retain within the audit directory.

Type: int
Default: 13

audit-r-sessions-limit-mb

Specifies the limit in megabytes on session actions to retain in the audit log.

Type: int
Default: 1024

audit-r-sessions-format

Specifies the format to use for the session audit log (csv or json).

Type: string
Default: csv

server-shared-storage-path

Specifies the path to the shared storage directory.

Type: string
Default: /var/lib/rstudio-server/shared-storage