Shiny community server with OAuth on Amazon EC2
This is a detailed description of how to set up a Shiny server (community edition) on an AWS EC2 instance, behind an OAuth2 authentication layer (Google OAuth2 in this case, but another provider can be used). You will need:
- A Google Developer account
- An Amazon Web Services account
- A VPC with a public subnet
- A certificate bundle and private key for the domain (or subdomain, or wildcard domain) the server will be reached at. The bundle should contain the server certificate followed by the intermediate certificates, which is the form nginx expects.
Steps you will need to take
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- From the Amazon EC2 console dashboard, choose Launch Instance.
- On the Choose an Amazon Machine Image (AMI) page, choose the Amazon Linux AMI.
- On the Choose an Instance Type page, select the hardware configuration and size of the instance to launch. Choose something larger than a t2.medium.
- On the Configure Instance Details page, choose a VPC and a corresponding public subnet. (You have to know in advance which of the subnets is public; see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html#vpc-public-ip-addresses)
- On the Configure Security Group page, use a security group that allows inbound SSH (TCP 22) from your own IP address only and inbound HTTPS (TCP 443) from anywhere. Do not open anything else: Shiny server and oauth2_proxy must only be reachable through nginx on the same host, so their ports stay closed to the outside.
Make sure you have the private key of the key pair used to launch the instance. It needs to be loaded in your SSH agent.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Elastic IPs.
- Choose Allocate New Address, and then Yes, Allocate.
- Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.
- In the dialog box, choose Instance from the Associate with list, and then select your instance from the Instance list. Choose Yes, Associate.
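The same security group and Elastic IP steps, done with the AWS CLI instead of the console, as an added example that is not part of the original guide. It assumes the AWS CLI is installed and configured with permissions for EC2; the VPC ID and instance ID are placeholders passed on the command line, and the group name shiny-web is an arbitrary choice. The point it makes concrete is the rule set: SSH only from your own address as a /32, HTTPS from the world, and nothing else.

```shell
#!/bin/sh
# Added example (not from the original guide): lock the security group down to
# SSH from your own public address and HTTPS from anywhere, attach it to the
# instance, then allocate and associate an Elastic IP. Assumes a configured
# AWS CLI; vpc-... and i-... are placeholders you supply.
set -eu

# Build the ingress rule set: 22/tcp only from one /32, 443/tcp from the world.
# Shiny server and oauth2_proxy are deliberately not listed: they must only be
# reached through nginx on the same host, so their ports stay closed.
sg_ingress_rules() {
  my_cidr="$1"   # e.g. 203.0.113.7/32
  cat <<EOF
[
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "$my_cidr", "Description": "admin SSH"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}]}
]
EOF
}

# Accept only a single-host IPv4 CIDR (/32) for the SSH rule; refuse the
# everything-route outright so a bad lookup cannot open SSH to the world.
is_single_host_cidr() {
  case "$1" in
    0.0.0.0/0) return 1 ;;
    *[0-9].*[0-9].*[0-9].*[0-9]/32) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the group, attach it to the instance (replacing its current groups),
# then allocate an Elastic IP, associate it and print the public address.
apply() {
  vpc_id="$1"; instance_id="$2"
  my_cidr="$(curl -fsS https://checkip.amazonaws.com)/32"
  is_single_host_cidr "$my_cidr" || { echo "unexpected CIDR: $my_cidr" >&2; exit 1; }
  sg_id="$(aws ec2 create-security-group --group-name shiny-web \
            --description 'nginx + oauth2_proxy front door' --vpc-id "$vpc_id" \
            --query GroupId --output text)"
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --ip-permissions "$(sg_ingress_rules "$my_cidr")"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$sg_id"
  alloc_id="$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)"
  aws ec2 associate-address --instance-id "$instance_id" --allocation-id "$alloc_id"
  aws ec2 describe-addresses --allocation-ids "$alloc_id" \
      --query 'Addresses[0].PublicIp' --output text
}

# Usage: sh sg.sh apply vpc-0123456789abcdef0 i-0123456789abcdef0
if [ "${1:-}" = "apply" ]; then apply "$2" "$3"; fi
```

The printed address is the x.x.x.x used in the scp commands below. If your public IP changes later, add a new /32 rule rather than widening the existing one.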
The two certificate files (certificate bundle and private key) need to be placed on the server. Assuming you are in a folder that contains both of them, you can scp them to the future Shiny server. Replace x.x.x.x with the Elastic IP you previously associated; the login user on the Amazon Linux AMI is ec2-user:
scp cert.bundle ec2-user@x.x.x.x:
scp cert.key ec2-user@x.x.x.x:
The key file is a credential: once nginx is configured, keep it readable by root only.
nginx is the first reverse proxy. It terminates TLS with your certificate and forwards all traffic to the second reverse proxy, oauth2_proxy.
To execute this step, you first need to be logged in to the EC2 instance via SSH. The user you should be using is ec2-user, and you must start from the home folder:
sudo yum -y install nginx
- After downloading it, don't forget to change server_name shiny.example.com in the nginx config file to your own domain name, then run
sudo bash nginx.sh
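What the nginx configuration has to do is small but easy to get wrong, so here is an added example of one that fits this setup. It is not the guide's nginx.sh or its config file: it assumes the certificate files were scp'd to /home/ec2-user as above, that oauth2_proxy will listen on its default address 127.0.0.1:4180, and that services are managed with chkconfig/service as on Amazon Linux 1. The domain and paths are parameters.

```shell
#!/bin/sh
# Added example (not the guide's nginx.sh): write an nginx site config that
# terminates TLS with the uploaded bundle and key and sends every request to
# oauth2_proxy on 127.0.0.1:4180 (its default listen address). Assumes the
# cert files sit in /home/ec2-user and Amazon Linux 1 style service management.
set -eu

# Render the server blocks. Plain HTTP only redirects; nothing is served
# unencrypted, and nothing bypasses oauth2_proxy.
render_nginx_conf() {
  domain="$1"; cert="$2"; key="$3"; out="$4"
  cat > "$out" <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain;

    # The bundle must be the server certificate followed by the chain.
    ssl_certificate $cert;
    ssl_certificate_key $key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Every request goes to oauth2_proxy; it decides whether to show the
    # Google login or pass the request on to Shiny server.
    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Scheme \$scheme;

        # Let websocket upgrades through nginx; Shiny prefers websockets and
        # falls back to other transports only when the upgrade fails.
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }
}
EOF
}

# Move the certificate files out of the home directory with tight permissions,
# render the config, syntax-check it and (re)start nginx. Run as root.
install_nginx_conf() {
  domain="$1"
  install -d -m 700 /etc/nginx/ssl
  install -m 644 /home/ec2-user/cert.bundle /etc/nginx/ssl/cert.bundle
  install -m 600 /home/ec2-user/cert.key /etc/nginx/ssl/cert.key
  render_nginx_conf "$domain" /etc/nginx/ssl/cert.bundle /etc/nginx/ssl/cert.key \
                    /etc/nginx/conf.d/shiny.conf
  nginx -t
  chkconfig nginx on
  service nginx restart
}

# Usage: sudo sh nginx-site.sh install shiny.example.com
if [ "${1:-}" = "install" ]; then install_nginx_conf "$2"; fi
```

Until oauth2_proxy is running, nginx will answer requests with a 502 from the proxy_pass target; that is expected at this stage and means the TLS side is already in place.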
This is why you're here, right?
- Change the Shiny server version in the script if you want, then run
sudo bash shiny.sh
Create an A record with your DNS provider pointing the domain name at the Elastic IP. If this is done correctly, you should get a response from nginx when accessing your domain, e.g. https://shiny.example.com. The authentication layer is not in place yet, so do not stop here.
You now need to set up a Google OAuth2 client. This part of the guide was shamelessly copied from https://github.com/bitly/oauth2_proxy#google-auth-provider.
- Create a new project: https://console.developers.google.com/project
- Choose the new project from the top right project dropdown (only if another project is selected)
- In the project Dashboard center pane, choose "Enable and manage APIs"
- In the left Nav pane, choose "Credentials"
- In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
- In the center pane, choose "Credentials" tab.
- Open the "New credentials" drop down
- Choose "OAuth client ID"
- Choose "Web application"
- Application name is freeform, choose something appropriate
- Authorized redirect URIs is the location of /oauth2/callback on your domain, e.g. https://shiny.example.com/oauth2/callback. It must match the redirect URL oauth2_proxy is configured with exactly, including the scheme.
- Choose "Create"
- Take note of the Client ID and Client Secret. The secret is a credential: keep it out of version control and shared documents.
oauth2_proxy is the second reverse proxy, the one nginx forwards to. It is this proxy that enforces authentication: requests without a valid session cookie are sent to Google to log in, and only authenticated requests are passed on to the Shiny server.
- You will need to edit oauth2_proxy.cfg and set the following:
- client_id, which can be found in Google Cloud Console > API Manager > Credentials > Your OAuth2 Client ID > Client ID
- client_secret, which can be found in Google Cloud Console > API Manager > Credentials > Your OAuth2 Client ID > Client secret
- cookie_secret, a random value from a CSPRNG, long enough to serve as the session cookie signing key (base64-encoded 16, 24 or 32 bytes if you also want oauth2_proxy to encrypt the cookie). Never reuse the client secret or a password here.
- email_domains, which restricts access to users whose Google account email is under the listed domains. Do not set it to "*" unless you really want any Google account to be able to log in.
Then start it:
sudo bash oauth2_proxy.sh &
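The four settings above, plus the ones that tie oauth2_proxy to nginx and Shiny, as an added example of writing the config file with a generated cookie secret. This is not the guide's oauth2_proxy.cfg or oauth2_proxy.sh. It assumes the bitly oauth2_proxy config keys, oauth2_proxy listening on its default 127.0.0.1:4180 (where the nginx proxy_pass points) and Shiny server on its default port 3838 on the same host; the client ID and secret values in the usage line are placeholders to be replaced with the ones from the Google console.

```shell
#!/bin/sh
# Added example (not the guide's oauth2_proxy.cfg/oauth2_proxy.sh): generate a
# cookie secret and write an oauth2_proxy config for the Google provider.
# Assumes bitly oauth2_proxy config keys, oauth2_proxy on 127.0.0.1:4180 and
# Shiny server on 127.0.0.1:3838. Client ID/secret come from the Google console.
set -eu

# 32 bytes from the kernel CSPRNG, base64-encoded. oauth2_proxy accepts a
# base64-encoded cookie_secret; with cookie_refresh set it must decode to
# 16, 24 or 32 bytes because it doubles as the AES key for the cookie.
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Accept only a base64 string that decodes to 16, 24 or 32 bytes.
cookie_secret_ok() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = 16 ] || [ "$n" = 24 ] || [ "$n" = 32 ]
}

# Refuse an empty or wildcard email_domains: "*" lets any Google account in.
email_domains_ok() {
  case "$1" in
    ""|"*") return 1 ;;
    *) return 0 ;;
  esac
}

# Write the config. Both proxies bind to loopback only: nginx is the sole
# client of oauth2_proxy, and oauth2_proxy is the sole client of Shiny.
render_oauth2_cfg() {
  client_id="$1"; client_secret="$2"; cookie_secret="$3"
  domain="$4"; email_domain="$5"; out="$6"
  cookie_secret_ok "$cookie_secret" || { echo "cookie_secret must decode to 16/24/32 bytes" >&2; return 1; }
  email_domains_ok "$email_domain" || { echo "refusing email_domains=\"$email_domain\": any Google account could log in" >&2; return 1; }
  cat > "$out" <<EOF
http_address = "127.0.0.1:4180"
upstreams = [ "http://127.0.0.1:3838/" ]
# Must match the Authorized redirect URI registered in the Google console.
redirect_url = "https://$domain/oauth2/callback"
provider = "google"
client_id = "$client_id"
client_secret = "$client_secret"
email_domains = [ "$email_domain" ]
cookie_name = "_oauth2_proxy"
cookie_secret = "$cookie_secret"
cookie_secure = true
cookie_httponly = true
cookie_expire = "168h"
cookie_refresh = "1h"
pass_host_header = true
EOF
  chmod 600 "$out"   # the file now holds two secrets
}

# Usage: sudo sh oauth2-cfg.sh write CLIENT_ID CLIENT_SECRET shiny.example.com example.com
if [ "${1:-}" = "write" ]; then
  render_oauth2_cfg "$2" "$3" "$(gen_cookie_secret)" "$4" "$5" /etc/oauth2_proxy.cfg
fi
```

Point oauth2_proxy.sh (or a direct oauth2_proxy -config=/etc/oauth2_proxy.cfg) at the written file. With cookie_secure set, the cookie is only sent over HTTPS, which is why nginx must not serve anything on plain HTTP except the redirect.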
That's it, you're done. Open https://shiny.example.com and you should be asked to authenticate with Google. After a successful login, you should see the sample page served by the Shiny server. You can of course configure oauth2_proxy with other identity providers, too.
If you have questions, you can always reach me via email.
Other interesting material
Take a look at my other