Shiny server series part 3: adding SSL encryption

[This article was first published on Jasper Ginn's blog, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

This guide is part of a series on setting up your own private server running shiny apps. There are many guides with great advice on how to set up an R shiny server and related software. I try to make a comprehensive guide based in part on these resources as well as my own experiences. I always aim to properly attribute information to their respective sources. If you notice an issue, please contact me.

Part 1 of this series is available here Part 2 of this series is available here

In part 1 and part 2 of this series, we set up an ubuntu 16.04 server to host shiny applications. Thus far, we configured shiny server to listen on port 3838 (for public apps) and 4949 (for private apps). In this part, we will set up SSL encryption on the server for additional security.

Resources used for this part

This guide is largely based on this tutorial.

Adding SSL encryption to your server

We’re going to use certbot and Let’s encrypt to set up the SSL certificate.

Log into your server and switch to the Shiny user:

# Log into the server
ssh root@<your-VPS-ip>
# Switch to shiny user
su shiny

Go to the sbin folder on your server and download certbot-auto:

cd /usr/local/sbin
sudo wget

Make the script executable:

sudo chmod a+x /usr/local/sbin/certbot-auto

Now, open up the nginx configuration:

sudo nano /etc/nginx/sites-available/default

Take note of the root location, shown in the image below surrounded by the blue box. For the remainder of this tutorial, I’ll assume that your root location is located at /var/www/html. If it is not, make sure to switch your root location with mine when executing the commands below.

Then, add the contents below to the nginx configuration (surrounded by the red box in the image)

location ~ /.well-known {
    allow all;

Restart nginx:

sudo service nginx restart

Take your root location and your domain name (with www. and without it) and fill them out in the and parts in the command below. Don’t forget to change <.extension> to your extension (e.g. .nl, .com, .eu). Then, execute this command:

certbot-auto certonly -a webroot --webroot-path=/var/www/html -d <your-domain-name>.<extension> -d www.<your-domain-name>.<extension>

Next, we generate a strong Diffie–Hellman group for extra security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

SSL certificates expire every couple of months or so, so it’s a good idea to refresh our certificate regularly. We’ll set up a cron job that does this every week. Access cron by executing the following:

sudo crontab -e

Add the following lines:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

Hit control+x and then Y and enter, and your changes will be saved. Congratulations, you have now successfully set up SSL encryption on your server! Note that SSL encryption is not yet operational; we’ll take care of that in the next part, when we’ll add user authentication to our private shiny server using Auth0

To leave a comment for the author, please follow the link and comment on their blog: Jasper Ginn's blog. offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)