Securing ShinyProxy with Caddy Server

In a previous post, I explained how to add a custom domain and HTTPS to your ShinyProxy server using Nginx, and how to set up certificate auto-renewals with Certbot. That was a really long post and the setup included many steps.

A while back, I also used Caddy server to secure a Shiny Server instance. That process was quite straightforward with a lot fewer moving parts. Let's see if we can do the same for ShinyProxy, as it is pictured below.

ShinyProxy setup with Caddy server.

Prerequisites

Start an Ubuntu 20.04 virtual machine and follow the instructions from the introductory ShinyProxy post to have the server available on http://$HOST:8080 with the two demo applications.

For a Let's Encrypt certificate, you need a fully registered domain name and an email address. I use the example.com domain here; substitute your own domain name. Add an A record with example.com pointing to your server's public IP address.

Install Caddy

Add the repository signing key and the apt source, then install Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo apt-key add -
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo apt update
sudo apt install caddy

Create the Caddyfile at /etc/caddy/Caddyfile with the following content. Replace the email address in the global configuration block with your own (some challenges and Let's Encrypt notifications require the email, but this block is optional):

{
        email your.name@example.com
}

example.com {
        reverse_proxy 127.0.0.1:8080
}

Reload Caddy with systemctl reload caddy.

Set the firewall

You can firewall off everything except for the SSH, HTTP, and HTTPS ports:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw --force enable
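
To confirm that the firewall leaves only SSH and Caddy reachable, and that ShinyProxy's port 8080 cannot be reached around the TLS proxy, the following added example (not part of the original post) audits the text output of `ufw status` and `ss -tln`. The sample input is constructed, and the expected port list 22/80/443 is an assumption taken from the rules above.

```shell
#!/bin/sh
# Added example: offline audit of `ufw status` and `ss -tln` output for the
# Caddy (80/443) + ShinyProxy (8080) layout. Expected ports are assumptions.

# Print the ports ufw allows (first column of every ALLOW rule).
allowed_ports() {
    awk '/ALLOW/ { split($1, p, "/"); print p[1] }' | sort -u
}

# Print ports listening on a non-loopback address (ss column 4 is Local Address:Port).
public_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") print port
    }' | sort -u
}

# audit UFW_TEXT SS_TEXT: print findings, return 1 on a failed check.
audit() {
    rc=0
    printf '%s\n' "$1" | grep -q '^Status: active' || { echo "FAIL ufw is not active"; rc=1; }
    for p in $(printf '%s\n' "$1" | allowed_ports); do
        case "$p" in
            22|80|443) ;;
            *) echo "FAIL ufw allows unexpected port $p"; rc=1 ;;
        esac
    done
    if printf '%s\n' "$2" | public_listeners | grep -qx 8080; then
        echo "NOTE 8080 listens on all interfaces; only ufw keeps it behind Caddy"
    fi
    return $rc
}

# Constructed sample input, shaped like the output after the steps in this post.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    *:8080             *:*
LISTEN 0      4096   *:443              *:*'
audit "$SAMPLE_UFW" "$SAMPLE_SS" || true
```

On the server, run it against live output with `audit "$(sudo ufw status)" "$(ss -tln)"`; a FAIL line for port 8080 means ShinyProxy can be reached over plain HTTP without passing through Caddy.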

That is it. Now you can visit https://$HOST to see the ShinyProxy login page with the secure lock icon.

If you decide to destroy your virtual machine, do not forget to remove the DNS record for your custom domain to prevent a hostile subdomain takeover.

Conclusions

The brevity of this post should be convincing enough that adding a custom domain and HTTPS with Caddy is a breeze. Caddy will take care of the certificate renewals.

Remember that it is your job to make sure your app is not exposing sensitive information and that you follow Docker best practices to minimize risk to your users.
