Help with Traefik + ShinyProxy in Kubernetes

Hey everyone,

Has anyone successfully set up Traefik for ShinyProxy in a Kubernetes environment?

I’ve been trying to get it working but keep running into an issue where I get redirected to a /auth-success blank page. So far, I’ve attempted several configurations, including modifying the entryPoints. I know this setup is not secure (just testing), but here’s what I’ve tried:

[entryPoints.web]
  address = ":80"
  [entryPoints.web.forwardedHeaders]
    trustedIPs = ["0.0.0.0/0"]
    insecure = true
  [entryPoints.web.proxyProtocol]
    insecure = true

[entryPoints.websecure]
  address = ":443"
  [entryPoints.websecure.forwardedHeaders]
    trustedIPs = ["0.0.0.0/0"]
    insecure = true

I also created a middleware to ensure requests include X-Forwarded-Proto = "https":

[http.middlewares.shinyproxy-headers.headers]
  [http.middlewares.shinyproxy-headers.headers.customRequestHeaders]
    X-Forwarded-Proto = "https"

I was able to redirect HTTP traffic to HTTPS, but every time I try to access the ShinyProxy host, I get redirected to /auth-success, which results in a blank page. I suspect this could be due to misconfigured headers or how Traefik is handling forwarding, but I’m not sure.

Has anyone faced a similar issue with ShinyProxy behind Traefik?

Any insights or working configurations would be greatly appreciated! Thanks in advance. :rocket:

Hi,

There is usually an issue with the TLS setup when the redirect after /auth-success is not working.
If you are using self-signed certificates, the browser will block the redirect and there is no other option than properly trusting the cert or using regular/trusted certs.
If it’s not working with a regular certificate, then the issue is usually that ShinyProxy isn’t aware it’s running on HTTPS and therefore redirects to HTTP, which is again blocked by the browser. To fix this, you must enable forward headers in ShinyProxy: Security | ShinyProxy


I already tested forward-headers-strategy: native extensively but this is not working.
However, I think I already found a solution. I just have to perform a few more tests and will share it.

I think I found a solution/workaround. I don't love it, but it seems to be working.

First, let me explain my setup:

My Traefik instance sits in front of an AWS Network Load Balancer (NLB) (Layer 4). Below are some important configurations for my Traefik service:

service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-scheme: internal
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:iam::<redacted>:server-certificate/my-company.com
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"

As you can see, SSL termination is handled by the NLB.

To make this work, I had to add the following configuration for Traefik:

    [http.routers]
      [http.routers.shinyproxy-http]
        entryPoints = ["web"]
        rule = "Host(`my-company.com`)"
        middlewares = ["https-redirect"]
        service = "noop@internal"
    [http.middlewares]
      [http.middlewares.https-redirect.redirectScheme]
        scheme = "https"
        permanent = true
      [http.middlewares.security-headers.headers]
        [http.middlewares.security-headers.headers.customRequestHeaders]
          X-Forwarded-Proto = "https"
          X-Forwarded-Port = 443
        [http.middlewares.security-headers.headers.sslProxyHeaders]
          X-Forwarded-Proto = "https"
          X-Forwarded-Port = 443

Finally, here is my ShinyProxy configuration. Note that I am using the ShinyProxy Operator:

 
spec:
    kubernetesIngressPatches: |
      - op: add
        path: /metadata/annotations
        value:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          traefik.ingress.kubernetes.io/router.middlewares: security-headers@file
    server:
      forward-headers-strategy: native
      secureCookies: true
      frameOptions: sameorigin

I hope this is useful for someone with a similar setup. I would appreciate any suggestions or comments!

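Added example, not part of any post in this thread and not Traefik or ShinyProxy code: a simplified Python model of the forwarded-header handling discussed above. It assumes an edge proxy drops inbound X-Forwarded-* headers from peers outside trustedIPs and that the backend builds its post-login redirect from X-Forwarded-Proto; the CIDR, peer addresses and function names are constructed for illustration.

```python
import ipaddress

def is_trusted(peer_ip, trusted_cidrs):
    """True if the directly connected peer falls inside a trusted range."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c) for c in trusted_cidrs)

def proxy_forward(peer_ip, headers, trusted_cidrs, conn_is_tls, force_https=False):
    """Headers the edge proxy hands to the backend (simplified model)."""
    out = {k.lower(): v for k, v in headers.items()}
    if not is_trusted(peer_ip, trusted_cidrs):
        # Untrusted peer: discard every X-Forwarded-* value it supplied.
        out = {k: v for k, v in out.items() if not k.startswith("x-forwarded-")}
    # If no scheme header remains, use the scheme of the connection itself.
    out.setdefault("x-forwarded-proto", "https" if conn_is_tls else "http")
    if force_https:
        # Models the customRequestHeaders middleware from the thread.
        out["x-forwarded-proto"] = "https"
    return out

def backend_redirect(headers, host, path, honor_forwarded=True):
    """Redirect URL the backend builds; honor_forwarded models the native strategy."""
    scheme = headers.get("x-forwarded-proto", "http") if honor_forwarded else "http"
    return f"{scheme}://{host}{path}"

# Constructed sample values, not taken from the thread.
LB_ONLY = ["10.0.0.0/24"]   # placeholder for the load balancer subnets
TRUST_ALL = ["0.0.0.0/0"]   # the test setting from the first post
LB_PEER, OTHER_PEER = "10.0.0.15", "192.0.2.44"
HOST = "my-company.com"
CLAIMED = {"X-Forwarded-For": "203.0.113.9"}  # client-supplied header

def scenarios():
    r = {}
    # TLS ends at the load balancer, so the proxy sees plain HTTP.
    h = proxy_forward(LB_PEER, {}, LB_ONLY, conn_is_tls=False)
    r["no_header"] = backend_redirect(h, HOST, "/")
    # Same request with the forced X-Forwarded-Proto middleware.
    h = proxy_forward(LB_PEER, {}, LB_ONLY, conn_is_tls=False, force_https=True)
    r["forced"] = backend_redirect(h, HOST, "/")
    # Trust-all keeps a client-supplied header; a narrow range drops it.
    h = proxy_forward(OTHER_PEER, CLAIMED, TRUST_ALL, conn_is_tls=False)
    r["trust_all"] = h.get("x-forwarded-for")
    h = proxy_forward(OTHER_PEER, CLAIMED, LB_ONLY, conn_is_tls=False)
    r["narrow"] = h.get("x-forwarded-for")
    return r

if __name__ == "__main__":
    print(scenarios())
```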