gäss online » shiny server with apache proxy

How to install the open source shiny server for R and use an apache server as proxy. Use TLS/HTTPS for your shiny apps without any need for the pro version. I’m using debian linux, but the config is pretty much independent of the linux flavour.

Getting R packages

These are the packages, that you need in any case:

sudo apt --no-install-recommends install r-base 
sudo apt --no-install-recommends install r-cran-shiny

Plus any package your apps are using. Many are part of debian and can be installed with apt. If you have to compile packages yourself, you will need a few extra packages and will have to install them from inside R:

sudo apt --no-install-recommends install r-base-dev
sudo R
install.packages('package-name')
q()

Installing shiny server

Get the appropiate server from rstudio.org. The server for corresponding ubuntu should also work on debian. Just try the latest with debian stable, if in doubt. Below are the commands for server version 1.5.21.1021. This most like has changed in the meantime.


wget https://download3.rstudio.org/ubuntu-18.04/x86_64/shiny-server-1.5.21.1012-amd64.deb
sudo apt install ./shiny-server-1.5.21.1012-amd64.deb
sudo systemctl stop shiny-server
sudo systemctl disable shiny-server

Configuring shiny server

create directory for your apps, edit config file for your server.

sudo mkdir /var/www/shiny
sudo editor /etc/shiny-server/shiny-server.conf

The config will listen on localhost only, no connection from outside will be possible. Outside connections will be hanled by the apache proxy. The configuration below will keep all log files, once all your apps are running properly, you could delete „preserve_logs true;“ and „sanitize_errors false;“. PErsonally, I consider this bad practice. Log files don’t use much space and are of great help after any problem, attack or crash.The shiny-server.conf will look as follows:

# Instruct Shiny Server to run applications as the user "shiny"
run_as shiny;
preserve_logs true;

# Define a server that listens on port 3838 to local connections only
server {
  listen 3838 127.0.0.1;
  location /app-dir {
    site_dir /var/www/shiny/app-dir;
    log_dir /var/log/shiny-server;
    #define scheduler, with max nr of instances
    simple_scheduler 15;
    #log errors
    sanitize_errors false;
  }
}

Configuring apache proxy

The apache proxy will handle all TLS related stuff. The configuration below forwards one directory to one one shiny app residing in /var/www/shiny/app-dir. You may add more proxy directves for apps in other directories. Then, it provides the files in /var/www/shiny, if the user calls the domain without any app directory. You may put an index.html or index.php inside /var/www/shiny to provide a starting page.

You could also proxy pass to http://localhost:3838/ and let the shiny server list all installed apps. But I like to have under control what I disclose to the public. With the config below, an outside user cannot easily break out of the apps provided by intention.

The proxy config has the problem, that apps are only provided correctly when called with a trailing slash. E.g. as „full.qualifieddomain.name/app-dir/“, but not with the address „full.qualifieddomain.name/app-dir“. It’s a bug in shiny server. You could add a rewrite rule to add a trailing slash. As I’m no pro with rewrite rules, I prefer to provide a index.html in the root director with the proper links.

<IfModule mod_ssl.c>

<VirtualHost *:443>
    ServerName full.qualifieddomain.name
    ServerAdmin mail@adress.global
    ProxyPass "/app-dir"  "http://localhost:3838/app-dir"
    ProxyPassReverse "/app-dir"  "http://localhost:3838/app-dir"

        DocumentRoot /var/www/shiny
        <Directory /var/www/shiny>
                Options Indexes
                AllowOverride None
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        # disable SSL v2, v3
        SSLProtocol All -SSlv2 -SSLv3
        # prefer forward secrecy
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

        SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>