Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Shiny community server with OAuth on Amazon EC2
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/;
events {
worker_connections 1024;
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
# This server should only run on HTTPS
listen 443 default ssl;
# Replace with your domain name
# You need to have mapped the domain with your DNS
# provider by using either an A record
ssl_certificate /etc/nginx/certificates/cert.bundle;
ssl_certificate_key /etc/nginx/certificates/cert.key;
add_header Strict-Transport-Security max-age=2592000;
location / {
# This is where the second reverse proxy lives
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass_header Upgrade;
proxy_pass_header Connection;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
# Enabled websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# The line below resets the header. It would otherwise
# make oauth2_proxy unhappy for some reason
proxy_set_header Sec-Websocket-Extensions "";
index index.html index.htm;
mkdir -p /etc/nginx/certificates
cat /home/ec2-user/nginx.conf > /etc/nginx/nginx.conf
cp /home/ec2-user/cert.* /etc/nginx/certificates
# If the server is initially stopped, it will look like a failure.
# You can ignore that as long as the server actually start after that
service nginx restart
upstreams = [
# This where the Shiny server lives
request_logging = false
email_domains = [
# All users under this domain will be granted access
# Replace this
# Replace this
client_id = ""
# Replace this
client_secret = "0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d"
# Randomly generate a seed for the cookie secret
# Replace this
cookie_secret = "m7m7m7m7m7m7m7m7m7m7m77m"
yum -y install go
GOPATH="/home/ec2-user/.go" go get # A custom build 2 forks far from the source
cp oauth2_proxy.cfg /home/ec2-user/.go/bin
/home/ec2-user/.go/bin/oauth2_proxy -config /home/ec2-user/.go/bin/oauth2_proxy.cfg

Shiny community server with OAuth on Amazon EC2


This is detailed description of how to set-up a Shiny server (community edition) on an AWS EC2 instance, behind an OAuth2 security layer (Google OAuth2 in this case, but it can be something else).


  • A Google Developer account
  • An Amazon Web Services account
  • a VPC with a public subnet
  • A domain (or subdomain, or wildcard domain) certificate bundle and key files.

Steps you will need to take

EC2 instance
  • Open the Amazon EC2 console at
  • From the Amazon EC2 console dashboard, choose Launch Instance.
  • On the Choose an Amazon Machine Image (AMI) page, choose the Amazon Linux AMI.
  • On the Choose an Instance Type page, select the hardware configuration and size of the instance to launch. Choose something larger than a t2.medium.
  • On the Configure Instance Details page, choose a VPC and a corresponding public subnet. (You have to know in advance which of the subnets is public
  • On the Configure Security Group page, use security groups that allow you at least SSH access to you and world wide access to HTTPS.

Make sure you have access to the private key that is used to connect to the instance. This needs to be loaded in your SSH agent.

Elastic IP
  • Open the Amazon VPC console at
  • In the navigation pane, choose Elastic IPs.
  • Choose Allocate New Address, and then Yes, Allocate.
  • Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.
  • In the dialog box, choose Instance from the Associate with list, and then select your instance from the Instance list. Choose Yes, Associate.

The two certificate files (bundle certificate and private key) need to be placed on the server. Assuming you are in a folder that conatins both of them, you can easily scp them to the future Shiny server. Replace x.x.x.x with the Elastic IP you have previusly created.

  • scp cert.bundle ec2-user@x.x.x.x:
  • scp cert.key ec2-user@x.x.x.x:

nginx is the first reverse proxy used. It is nginx which will redirect all traffic to a second reverse proxy. To execute this step, you will first need to be logged in the EC2 instance via SSH. The user you should be using is ec2-user and you must start from the home folder /home/ec2-user.

  • sudo yum -y install nginx
  • wget
  • Dont' forget to modify the server_name in this file after downloading it, so vim nginx.conf.
  • wget
  • sudo bash

This is why you're here, right?

  • wget
  • Modify Shiny server version if you want. So vim
  • sudo bash

Create an A record with your DNS provider so that you point the domain name to the Elastic IP. If this is done correctly you should be able to see something working when accessing your domain similar to


You now need to setup a Google OAuth2 client. This part of the guide was shamelessly copied from

  • Create a new project:
  • Choose the new project from the top right project dropdown (only if another project is selected)
  • In the project Dashboard center pane, choose "Enable and manage APIs"
  • In the left Nav pane, choose "Credentials"
  • In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
  • In the center pane, choose "Credentials" tab.
  • Open the "New credentials" drop down
  • Choose "OAuth client ID"
  • Choose "Web application"
  • Application name is freeform, choose something appropriate
  • Authorized JavaScript origins is your domain ex:
  • Authorized redirect URIs is the location of oath2/callback ex:
  • Choose "Create"
  • Take note of the Client ID and Client Secret

This is the second reverse proxy to which nginx is communicating with. It is this proxy that ensures security and authentication.

  • wget
  • You will need to edit the oauth2_proxy.cfg by modifying the following:
  • client_id which can be found in Google Cloud Console > API Manager > Credentials > Your OAuth2 ClientID > Client ID
  • client_secret which can be found in Google Cloud Console > API Manager > Credentials > Your OAuth2 ClientID > Client secret
  • cookie_secret something random and decently sized.
  • email_domains this how you restrict access to allow only users having emails under specific domains.
  • wget
  • sudo bash &

That's it, you're done. Open and you should be asked to authenticate. After a successful authentication, you should be able to see a working sample page from the Shiny server. You can of course choose to configure oauth2_proxy with other credential providers, too.

If you have questions, you can always reach me via email.

Other interesting material

Take a look at my other Related gists:

yum -y install R
su - -c "R -e \"install.packages('shiny', repos='')\""
yum -y install --nogpgcheck shiny-server-
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment