In a previous post, I explained how to add a custom domain and HTTPS to your ShinyProxy server using Nginx, and how to set up certificate auto-renewals with Certbot. That was a really long post and the setup included many steps.
A while back, I also used Caddy server to secure a Shiny Server instance. That process was quite straightforward, with far fewer moving parts. Let's see if we can do the same for ShinyProxy.
Prerequisites
Start an Ubuntu 20.04 virtual machine and follow the instructions from the introductory ShinyProxy post to have the server available on http://$HOST:8080 with the two demo applications.
For a Let's Encrypt certificate, you need a fully registered domain name and an email address. I use the example.com domain here; substitute your own domain name. Add an A record for example.com pointing to your server's public IP address.
Install Caddy
Add some keys and update the apt sources, then install Caddy:

    apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo apt-key add -
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install caddy

Create the Caddyfile at /etc/caddy/Caddyfile with the following content, replacing the email address in the global configuration block (some challenges and Let's Encrypt notifications require the email, but this block is optional):

    {
        email your.name@example.com
    }

    example.com {
        reverse_proxy 127.0.0.1:8080
    }

Apply the new configuration with systemctl reload caddy.
Set the firewall
You can firewall off everything except for the SSH, HTTP, and HTTPS ports:

    ufw default deny incoming
    ufw default allow outgoing
    ufw allow ssh
    ufw allow http
    ufw allow https
    ufw --force enable

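To confirm the firewall ended up in the state described above, the following added example (not part of the original post) parses `ufw status` output and flags any ALLOW rule outside SSH, HTTP and HTTPS, such as the ShinyProxy backend on port 8080. The function names are hypothetical and the sample status text is constructed.

```shell
# Added example, not from the original post.
ALLOWED_PORTS="22 80 443"   # what `ufw allow ssh|http|https` opens

# Reads `ufw status` text on stdin, prints one line per finding, and
# returns 0 only if ufw is active and every ALLOW rule is in ALLOWED_PORTS.
audit_ufw_status() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^Status: active/ { active = 1; next }
        {
            # Rule lines look like "8080/tcp  ALLOW  Anywhere".
            is_allow = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") is_allow = 1
            if (!is_allow) next
            port = $1
            sub(/\/.*/, "", port)   # strip "/tcp" or "/udp"
            if (!(port in ok)) { print "unexpected ALLOW rule: " $0; bad = 1 }
        }
        END {
            if (!active) { print "ufw is not active"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the state the post's ufw commands should produce.
sample_expected() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: the ShinyProxy backend port was opened as well.
sample_backend_exposed() {
    sample_expected
    echo "8080/tcp                   ALLOW       Anywhere"
}
# Demo on the constructed data; on a real host: sudo ufw status | audit_ufw_status
sample_backend_exposed | audit_ufw_status || echo "firewall policy violated"
```
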
That is it. Now you can visit https://$HOST to see the ShinyProxy login page with the secure lock icon.
If you decide to destroy your virtual machine, do not forget to remove the DNS record for your custom domain to prevent a hostile subdomain takeover.
Conclusions
The brevity of this post should be convincing enough that adding a custom domain and HTTPS with Caddy is a breeze. Caddy will take care of the certificate renewals.
Remember that it is your job to make sure your app is not exposing sensitive information and that you follow Docker best practices to minimize risk to your users.
Further reading
- ShinyProxy documentation: security
- ShinyProxy configuration examples
- Caddy server documentation
- Should you use HTTPS?