Shinyproxy: Digitalocean app platform deployment

Hi

I don't think we have any experience with this platform. But, I think if the Kubernetes API is available to the applications running it, it should be possible to use ShinyProxy on it.

Were you able to try this out in the mean time? Of course, we are very curious whether you had success with using ShinyProxy on this platform.

I ended up moving everything to AWS - but I have another testing project that I am going to try it out. I will post the updates here. Thank you for the reply!

@fmmattioni you can use your Dockerfile and follow this template: https://github.com/digitalocean/sample-dockerfile it is pretty straightforward.

Yeah, I was more wondering which one of these configs would be more appropriate:

• https://github.com/openanalytics/shinyproxy-config-examples/tree/master/02-containerized-docker-engine
• https://github.com/openanalytics/shinyproxy-config-examples/tree/master/03-containerized-kubernetes

Hi @fmmattioni

If possible I would always advise to use our official Docker image. This image has some security enhancements (i.e. running ShinyProxy under a non-root user).

Hmm, good point! I didn't know that! Thanks for the heads up!

Just a question: I have been using an older version of shinyproxy, because the latest release does not work with AWS Cognito authentication. Can I simply grab this older version through the tag in there too - or do these security enhancements only exist in the latest version?

Hi @fmmattioni

The security enhancements are included in any version.

You mentioned that the latest version of ShinyProxy does not work with AWS Cognito. We are not aware of any problems with OIDC in the latest version (2.4.3). Could you open a new issue with more details about this? (e.g. what behavior you experience, any errors logged etc). We really want ShinyProxy to seamlessly work with any Auth provider, so if there is a bug we really want to solve it.

Just to make sure I get it, this is what I should have in my Dockerfile, correct?

FROM openanalytics/shinyproxy:latest

COPY application.yml /opt/shinyproxy/application.yml

WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]

As for the issue with AWS Cognito, I remember that last time I was setting it up, the logs mentioned that the server.useForwardHeaders option was still not working in the latest version. I do not remember whether this was 2.4.3, though. Let me run a quick test, and I will let you know.

Thanks for the replies!

Yes that's a proper Docker file to use with ShinyProxy, although you can even make it shorter:

FROM openanalytics/shinyproxy:latest

COPY application.yml /etc/shinyproxy/application.yml

If you don't specify the WORKDIR or CMD directives, Docker will take them from the base image. Our base image specifies /etc/shinyproxy as working directory, so you can place the config file there.

Regarding the server.useForwardHeaders property. You probably got the following warning message:

WARNING: Using server.use-forward-headers will not work in this ShinyProxy release. See https://shinyproxy.io/documentation/security/#https-ssl--tls on how to change your configuration.

So starting from 2.4.0, the property that configures the forwarding headers has changed, but the forwarding headers still works. You only need to use the following config:

server:
  forward-headers-strategy: native

instead of the old property.
I noticed the warning message should actually point to https://shinyproxy.io/documentation/security/#forward-headers . I'll change that for the next release.

That is exactly the warning I was getting!

I am sorry, I didn't even bother to read the page more carefully... I am going to test it again - if I have any issues I will let you guys know!

Thank you!

Quick update: the server.forward-headers-strategy property is indeed working properly with AWS Cognito! Thanks a lot for pointing me in the right direction!

Hey @LEDfan, while setting up my new config as suggested with the openanalytics/shinyproxy docker image, I noticed that I always get the following error:

This is my Dockerfile:

FROM openanalytics/shinyproxy:latest

COPY application.yml /etc/shinyproxy/application.yml

However, when I change my Dockerfile to:

FROM openjdk:8-jre

RUN mkdir -p /opt/shinyproxy/
RUN wget https://www.shinyproxy.io/downloads/shinyproxy-2.4.3.jar -O /opt/shinyproxy/shinyproxy.jar
COPY application.yml /opt/shinyproxy/application.yml

WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "/opt/shinyproxy/shinyproxy.jar"]

everything works as expected.

Is there anything I should change in the application.yml or modify a specific setting in nginx when using the first Dockerfile?

Let me know if I should open a new issue or provide more detail.

Hi @fmmattioni

I forgot to mention that, since our image is using a non-root user, it doesn't have access to the docker socket by default.
You'll have to run the ShinyProxy docker image using the following command:

docker run  -v /var/run/docker.sock:/var/run/docker.sock:ro --group-add $(getent group docker | cut -d: -f3) -p 8080:8080 openanalytics/shinyproxy

The $(getent group docker | cut -d: -f3) part determines the group-id of docker. The --group-add parameter ensures that the user running inside the ShinyProxy docker container is part of that group (i.e. the docker group) and as a result the ShinyProxy docker container has access to the docker socket.

Also please make sure you don't have set the proxy.docker.url attribute. Only if you don't provide it, ShinyProxy will access the docker socket and not some docker HTTP port.

Good luck!

Sweet! Thanks a lot for the detailed info! I can confirm that this is working now.

Thank you!