Shiny Server is a great tool, but I’ve always found it odd that there was no built-in password authentication. Sure, the Shiny Pro edition has SSL auth., but even for open source projects, I’m not really crazy about just anyone hitting my server whenever they want.
To solve this little problem, I whipped up two work-arounds. One solution uses an Nginx server with basic authentication and the second uses Nginx with SSL auth.
Ubuntu vs. CentOS
From here on out, we’ll be using the same locations and .conf files for both. The one CentOS specific difference is to make sure we disaple SELinux, otherwise our reverse-proxy will go into a bad gateway.
Deploy Shiny Server with Nginx Basic Authorization
The trick is to have Shiny only serve to the localhost and have Nginx listen to localhost and only serve to users with a password. This is fairly straight forward and involves editing the Nginx default.conf as well as the Shiny Server conf.
First, make sure you’ve got Nginx installed.
Nginx uses ufw firewall on Ubuntu, so you’ll have to start ufw and enable the correct ports.
Also, make sure you’ve got Apache2-utils, you’ll use this to store the usernames and passwords.
Before you go on, shut down both Shiny and Nginx
Next, you’ll need to edit the Nginx default.conf file.
Copy and paste the following into your default.conf
Once that’s done, you’ll need to edit Shiny Server’s conf file so it only serves to loaclhost. Otherwise users would be able to creep around your authentication by going to port 3838.
Copy and paste the below to your shiny-server.conf.
Now it’s time to create some usernames and passwords.
Restart Nginx and Shiny.
Ta-da, now you’ve got a password protected Shiny Server! Note, Shiny is now served by port 80 instead of port 3838!
Deploy Shiny Server with Nginx SSL Authorization
This is basically the same as above, but we’re going to direct the reverse-proxy to port 443 with SSL instead of port 80. The only “gotcha” is we’ll need a signed SSL certificate to view the page. There’s two ways to go about this: use a self-signed certificate with IP addresses or to use a trusted certificate with a domain name. Since this is just testing, I’ll use the self-signed method. If you need a trusted certificate, there’s a good tutorial on using letsencrypt to get a free trusted cert.
First we have to create a self-signed certificate. This is going to live in the nginx folder for ease of use.
Now use the same nginx default.conf method as above but add lines to read the SSL cert.
The changes to shiny-server.conf are the same as above.
If everything is working correctly, you should be staring at an ugly error message in your browser telling you that this is an “unsafe website.” This is due to the self-signed certificate. Just ignore that, add an exception and you should be confronted with a login box.
This is purely for testing purposes. This hasn’t been fully tested so don’t go putting it into production. If you really want to take things a step further, I would look into getting a trusted cert with letsencrypt, so you won’t have to deal with the ugly error page.
One more thing, the above is a VERY basic Nginx setup, the full-monty for the Nginx conf file would probably look something like this: