Support

Shiny Server Quick Start: Host a secure Shiny Server (Pro only)

Follow

This article is adapted from the Shiny Server Administrator's Guide for version 1.4.2.


 

Since SSL is being used in this scenario, this configuration is only valid for Shiny Server Professional installations.

Shiny Server Professional is able to serve Shiny applications using SSL/TLS, an encrypted channel between your server and your clients.

The configuration in use here expects your SSL key and certificate to be available in /etc/shiny-server/server.key and /etc/shiny-server/server.cert, respectively. If you have an existing SSL certificate stored elsewhere, you can update the configuration file below to point to the appropriate files.

If you do not have an SSL certificate available, you can setup a "self-signed" certificate for the purposes of this example. This certificate will allow you to encrypt traffic between your clients and server, but will not be "trusted" by most browsers. Thus, when a user visits a page secured via a self-signed certificate, the user will get a warning advising them not to proceed.

We recommend that you to obtain a certificate from an established Certificate Authority if you implement this in a production environment; however, for illustrative purposes, we will describe how to create a self-signed certificate and integrate it into Shiny Server. The process of creating and signing SSL certificates is outside the scope of this guide, but example commands below are provided for your convenience.

To create a certificate, you must have the openssl library installed on your server. You can then create an SSL key using the following command:

sudo openssl genrsa -out /etc/shiny-server/server.key 1024

You will then generate a certificate signing request (CSR) using the following command:

sudo openssl req -new -key /etc/shiny-server/server.key \
  -out /etc/shiny-server/server.csr

(Where a command includes a \ you can either enter that literally as it appears in this document, or you can omit it and enter the whole command on a single line.) This command will ask you for information about your organization, which you can omit if you plan to sign this certificate yourself.

You can then sign that request yourself using this command:

sudo openssl x509 -req -days 3650 \
  -in /etc/shiny-server/server.csr \
  -signkey /etc/shiny-server/server.key \
  -out /etc/shiny-server/server.cert

To reiterate, we do not recommend using self-signed certificates in production, but they can serve as a quick example for the purposes of this guide.

Shiny Server is configured by a file stored at /etc/shiny-server/shiny-server.conf. in this Quick Start guide, we will be using a shiny-server.conf file that contains the following:

# Instruct Shiny Server to run applications as the user "shiny"
run_as shiny;

# Specify the authentication method to be used.
# Initially, a flat-file database stored at the path below.
auth_passwd_file /etc/shiny-server/passwd;

# Define a server that listens on port 3939
server {
  listen 3939;

  ssl /etc/shiny-server/server.key /etc/shiny-server/server.cert;

  # Define the location available at the base URL
  location / {
# Host the directory of Shiny Apps stored in this directory site_dir /srv/shiny-server; # Log all Shiny output to files in this directory log_dir /var/log/shiny-server; # When a user visits the base URL rather than a particular application, # an index of the applications available in this directory will be shown. directory_index on; } } # Define a default admin interface to be run on port 4151. admin 4151 { # Restrict the admin interface to the usernames listed here. Currently # just one user named "admin" required_user admin; }

Lines beginning with a # are treated as comments and not parsed when configuring the server.

This configuration specifies that all applications in the site_dir, srv/shiny-server, will be served at the location /.  Therefore, if your SSL key and certificate are valid and available in /etc/shiny-server/server.key and /etc/shiny-server/server.cert, respectively, you would be able to connect to your server from a browser by visiting the URL https://<server-address>:3939/<app-name>, where the application files are stored in srv/shiny-server/app-name. Note that, because of the configuration settings in this example, you must specify the https:// protocol and port 3939 when visiting the page. If you signed the certificate yourself, your browser will likely prompt you about the untrusted certificate. If you instruct your browser to accept the certificate, you will be taken to your application, which now is secured via SSL/TLS encryption.

Comments