Securing ShinyProxy App / NGINX - SSL - Firewall Configurations

Ekrem_Bayar · January 30, 2023, 8:21am

Hello everyone,

I’m not familiar at securing the applications, ssl certificates, firewall etc.

I’m developing some Shiny applications for the company. Those applications will be deployed with ShinyProxy on my Ubuntu machine.

This app is running on x.x.x.x:8080 and in the following image, the application is not secured because of I don’t know how to configure it.

First of all, when I enable the firewall by using the following codes and restart shinyproxy I can’t access to my app.

ufw enable
ufw allow 80
ufw allow 443
sudo ufw allow http
sudo ufw allow https
ufw status

Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)

Also, IT department gave me some ssl files and certificates to secure my application. In the shinyproxy documentation, their example is like this how to use ssl and secure the applications.

server {
  listen                80;
  server_name           shinyproxy.yourdomain.com;
  rewrite     ^(.*)     https://$server_name$1 permanent;
}

server {
  listen                443;
  server_name           shinyproxy.yourdomain.com;
  access_log            /var/log/nginx/shinyproxy.access.log;
  error_log             /var/log/nginx/shinyproxy.error.log error;

  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate       /etc/ssl/certs/yourdomain.com.crt;
  ssl_certificate_key   /etc/ssl/private/yourdomain.com.key;

   location / {
       proxy_pass          http://127.0.0.1:8080/;

       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 600s;

       proxy_redirect    off;
       proxy_set_header  Host              $http_host;
       proxy_set_header  X-Real-IP         $remote_addr;
       proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
       proxy_set_header  X-Forwarded-Proto $scheme;
     }

}

There an nginx file in this path /etc/nginx/sites-enabled as called default. I changed ssl_certificate and ssl_certificate_key with my ssl files. After I save the file, I restart nginx and shinyproxy. However, it does not work.

sudo systemctl restart nginx
sudo systemctl restart shinyproxy

In order to access the app, I should disable the firewall (ufw disable). How can I secure and configure the app?

Thanks.

ancan · January 31, 2023, 3:59pm

First glance says you didn’t open port 8080 in the firewall, which is what Shiny Proxy listens to by default.

So try “ufw allow 8080” as well.

Ekrem_Bayar · February 6, 2023, 10:09pm

Thanks “ufw allow 8080” works, but I also need secured access. I defined ssl_certificates but the connection is not safe.

How can I secure the app?

Ekrem_Bayar · February 22, 2023, 8:57am

Is there anyone or a documentation to explain shinyproxy security stuff step by step for beginners?

After installation shinyproxy and deploying your app, as you know that there is no SSL certificate to secure your IP:8080. How we are getting ssl certificate, using nginx reverse proxy etc?

P_Kh · February 23, 2023, 1:39am

This worked for me:

Ekrem_Bayar · February 23, 2023, 9:08am

Thanks a lot. It makes more sense right now.

Also, there is an alternative way from the author who you shared his article. It can be helpful for others.