Securing ShinyProxy with Caddy Server
In a previous post, I explained how to add a custom domain and HTTPS to your ShinyProxy server using Nginx, and how to set up certificate auto-renewals with Certbot. That was a really long post and the setup included many steps.
A while back, I also used Caddy server to secure a Shiny Server instance. That process was quite straightforward, with a lot fewer moving parts. Let's see whether the same works for ShinyProxy, in the setup pictured below: Caddy terminates TLS on port 443 and forwards requests to ShinyProxy listening on port 8080 of the same host.
Prerequisites
Start an Ubuntu 20.04 virtual machine and follow the instructions from the introductory ShinyProxy post to have the server available on http://$HOST:8080 with the two demo applications.
For a Let's Encrypt certificate, you need a registered domain name and an email address. I use the example.com domain here; substitute your own domain name. Add an A record for example.com pointing to your server's public IP address, and wait until the name resolves before continuing: Caddy cannot complete the ACME challenge until it does.
Install Caddy
Add the Caddy package signing key and apt source, then install Caddy (these are the Debian/Ubuntu steps from the Caddy install docs):
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo apt-key add -
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
One caveat: apt-key adds the key to the system-wide trusted keyring, where it can sign any repository, not just Caddy's, and it is deprecated on newer Ubuntu releases. Caddy's current instructions dearmor the key into a dedicated keyring under /usr/share/keyrings instead; prefer that form if your release supports it. The package installs and enables a systemd service, so once the install finishes Caddy is already running with a default Caddyfile that serves a welcome page on port 80.
Replace the contents of /etc/caddy/Caddyfile with the following, substituting your email address in the global options block (the block is optional, but Let's Encrypt uses the address for the ACME account and for expiry warnings, and some challenge types require it):
{
email your.name@example.com
}
example.com {
reverse_proxy 127.0.0.1:8080
}
Reload Caddy with sudo systemctl reload caddy. A reload applies the new Caddyfile without dropping connections; if the file is invalid the reload fails and the previous configuration keeps running, with the reason in journalctl -u caddy. On the first reload Caddy requests the certificate from Let's Encrypt, which needs the A record in place and ports 80 and 443 reachable from the internet for the ACME challenge, so keep both open when you add the firewall below.
Set the firewall
You can firewall off everything except the SSH, HTTP, and HTTPS ports. Allow SSH before enabling ufw, or the enable step locks you out of the VM. With these rules, ShinyProxy's port 8080 is reachable only from the server itself, via Caddy. One caveat on a host that runs Docker: Docker inserts its own iptables rules ahead of ufw's, so any container port published to the host (with -p or a ports: entry) is reachable from outside regardless of ufw; verify from another machine rather than trusting ufw status alone.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable
That is it. Now you can visit https://example.com (your domain, not the bare IP address: the certificate is only valid for the name) to see the ShinyProxy login page with the secure lock icon.
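As an added example that is not part of the original post, the following script ties the steps above together: it renders a Caddyfile that adds a few hardening headers on top of the three-line site block shown earlier, validates it before reloading Caddy, and then checks from outside that HTTP redirects to HTTPS, that the certificate is fresh, and that port 8080 is not reachable. The domain and email are command-line arguments; the 127.0.0.1:8080 upstream and the ShinyProxy forward-headers setting named in the comments are assumptions of mine, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: render a hardened Caddyfile for
# ShinyProxy, validate it and reload Caddy, then probe the result from outside.
# Assumptions: ShinyProxy listens on 127.0.0.1:8080, and it is configured to
# honour Caddy's X-Forwarded-* headers (server.forward-headers-strategy: native
# in application.yml; check the ShinyProxy docs for your version).
set -eu

UPSTREAM="127.0.0.1:8080"   # ShinyProxy; loopback only, Caddy is the public door

# Print the Caddyfile. Caddy obtains and renews the Let's Encrypt certificate
# and redirects plain HTTP to HTTPS by itself, so the site block only needs
# the proxy target plus a few hardening headers.
render_caddyfile() {
	domain="$1"; email="$2"
	cat <<EOF
{
	email ${email}
}

${domain} {
	header {
		# tell browsers to keep using HTTPS for a year; add only once HTTPS works
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		Referrer-Policy strict-origin-when-cross-origin
		-Server
	}
	# reverse_proxy adds X-Forwarded-For / X-Forwarded-Proto and passes the
	# WebSocket that Shiny apps use through unchanged
	reverse_proxy ${UPSTREAM}
}
EOF
}

# Write, validate, apply. caddy validate rejects a broken Caddyfile before
# systemd asks the running Caddy to reload; a failed reload leaves the
# previous configuration in place (see journalctl -u caddy).
deploy() {
	render_caddyfile "$1" "$2" | sudo tee /etc/caddy/Caddyfile >/dev/null
	caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile
	sudo systemctl reload caddy
}

# True when an HTTP status/Location pair is a redirect to the HTTPS site.
is_https_redirect() {
	status="$1"; location="$2"; domain="$3"
	case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
	case "$location" in "https://${domain}"*) return 0 ;; *) return 1 ;; esac
}

# Days until the certificate expires, from openssl's "notAfter=..." line
# (needs GNU date for -d).
days_until_expiry() {
	notafter="${1#notAfter=}"
	echo $(( ($(date -u -d "$notafter" +%s) - $(date -u +%s)) / 86400 ))
}

# Run from another machine: HTTP must redirect to HTTPS, the certificate must
# be fresh, and ShinyProxy's own port must be closed to the outside.
check() {
	domain="$1"
	status=$(curl -s -o /dev/null -w '%{http_code}' "http://${domain}/") || status=000
	location=$(curl -s -o /dev/null -w '%{redirect_url}' "http://${domain}/") || location=""
	if is_https_redirect "$status" "$location" "$domain"; then
		echo "ok: http://${domain}/ -> ${location}"
	else
		echo "FAIL: expected a redirect to https, got ${status} ${location}"; return 1
	fi
	notafter=$(printf '' | openssl s_client -servername "$domain" -connect "${domain}:443" 2>/dev/null | openssl x509 -noout -enddate)
	echo "ok: certificate valid for $(days_until_expiry "$notafter") more days"
	if curl -s -m 5 -o /dev/null "http://${domain}:8080/"; then
		echo "FAIL: ShinyProxy port 8080 is reachable from outside"; return 1
	fi
	echo "ok: port 8080 is firewalled"
}

case "${1:-}" in
	deploy) deploy "$2" "$3" ;;
	check)  check "$2" ;;
	"") ;;   # no arguments: only define the functions (e.g. when sourced)
	*) echo "usage: $0 deploy DOMAIN EMAIL | check DOMAIN" >&2; exit 2 ;;
esac
```

Run deploy on the server and check from your laptop. X-Frame-Options SAMEORIGIN is compatible with ShinyProxy, which embeds each app in an iframe from its own origin, while still blocking clickjacking from other sites; leave the HSTS line out until the first HTTPS visit succeeds, because browsers remember it for the full max-age.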
If you decide to destroy the virtual machine, remove the A record for your domain first. A DNS record left pointing at a public IP address you no longer own is a dangling record: whoever is later assigned that address can serve content under your domain and obtain a certificate for it.
Conclusions
The brevity of this post should be convincing enough that adding a custom domain and HTTPS with Caddy is a breeze: one apt source, a three-line site block, and a firewall. Caddy takes care of certificate issuance and renewal.
Remember that TLS only protects the traffic in transit. It remains your job to make sure your app does not expose sensitive information and that you follow Docker best practices to minimize risk to your users.