WAF Considerations with Posit Team

Follow

Background

WAF's (Web Application Firewalls) are a popular tool that is used for filtering web traffic between web services. Currently, you may run into intermittent issues when running a WAF with Posit Workbench, Connect, or Package Manager. Formally speaking, this will need to be reviewed by your infrastructure team, as this topic is formally outside of our support! That said, there are some reference points that can be checked if you're running into issues with your WAF & Posit Team implementation.

Identifying where the issue is

A great starting point is to generate a HAR file of the network activity generated when the problem occurs. Often, this is a great tool for identifying failed RPC calls, or redirects that may result in undesired behaviour. Instructions for how to do this in different browsers can be found here: https://support.posit.co/hc/en-us/articles/4413166624279

HTTP Headers

In most instances, WAF's behave similarly to reverse proxies. It's worth reviewing the HTTP headers returned after packets have traversed the WAF to ensure that all of the required headers are still intact. Specifically, the user-agent header is required by Posit, however, there are also product specific headers which can be seen below:

Workbench:

https://docs.posit.co/ide/server-pro/access_and_security/running_with_a_proxy.html

Connect:

https://docs.posit.co/connect/admin/proxy/index.html

Package Manager:

https://docs.posit.co/rspm/admin/proxy/

In most cases, issues caused by WAF's can be narrowed down to incorrect passing of HTTP headers.

Timeouts

WAF's add an additional hop to the network path, as well as increasing the time it takes to process requests due to packet filtering. There are components of Posit Team that use HTTP Long Polling to push information to the browser. It's worth increasing timeouts on any proxies that exist in your environment to ensure that these long polling requests have sufficient time to execute.

Testing

WAF's can be configured in many different ways, so it's worth testing with the WAF enabled/disabled, as well as with different configurations, as each environment is unique and organizational requirements differ.

Support Ticket

Whilst outside of our support, if you still have issues with your WAF and believe that this may be product related, you can always lodge a support ticket, where our group of friendly, and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:

https://support.rstudio.com/hc/en-us/requests/new

 

 

Comments