Using the general Configuration, it is possible to

  • secure the communication between ShinyProxy and the LDAP directory
  • secure the communication between ShinyProxy and the Docker daemon


From an architectural point of view, it is recommended to offload SSL/TLS termination to a separate reverse proxy. Nginx works perfectly fine with ShinyProxy, and an example configuration is given below:

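server {
  listen                80;
  # the server name is missing on this page; set it to the site's host name
  server_name ;
  rewrite     ^(.*)     https://$server_name$1 permanent;
}

server {
  # "ssl" on the listen directive replaces the deprecated "ssl on;"
  listen                443 ssl;
  server_name ;
  access_log            /var/log/nginx/shinyproxy.access.log;
  error_log             /var/log/nginx/shinyproxy.error.log error;

  # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only
  ssl_protocols TLSv1.2 TLSv1.3;

  # the certificate and key file names are missing on this page
  ssl_certificate       /etc/ssl/certs/;
  ssl_certificate_key   /etc/ssl/private/;

   location / {
       # send all traffic to ShinyProxy on port 8080 (assumed to run on the same host)
       proxy_pass          http://127.0.0.1:8080/;

       # WebSocket upgrade settings required by Shiny apps
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 600s;

       proxy_redirect    off;
       proxy_set_header  Host             $http_host;
       proxy_set_header  X-Real-IP        $remote_addr;
       proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
       proxy_set_header  X-Forwarded-Protocol $scheme;
   }
}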


The configuration:

  • redirects HTTP traffic (port 80) to HTTPS (port 443)
  • sends all traffic to ShinyProxy, which is running on port 8080
  • includes all nginx settings needed to correctly proxy WebSocket traffic, as required by Shiny apps


If no reverse proxy is put in front of ShinyProxy, the port that needs to be accessible to the outside world is the proxy port specified in the application.yml file (port field), which by default is port 8080. In principle, all other ports can be filtered in the firewall.

ShinyProxy itself will connect to the ports on the Docker host that are mapped to the individual containers. By default the ports start at 20000 for the first container and are incremented for every new container that is spun up (20001 for the second one, etc.). This is specified in the application.yml as port-range-start: 20000 (as documented here). These ports on the Docker host should be available to ShinyProxy, but it is recommended to use appropriate firewall rules so that they are not accessible to the outside world.
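
To check a Docker host against the port layout described above, the following added example (not part of ShinyProxy or its documentation) lists the listening ports that need a firewall rule because they are bound to a non-loopback address. It assumes `ss -H -ltn` output as input; `RANGE_SIZE`, the sample output and treating port 8080 as internal-only behind a reverse proxy are assumptions of this example.

```python
import ipaddress

PROXY_PORT = 8080         # "port" field in application.yml (default per the page)
PORT_RANGE_START = 20000  # port-range-start in application.yml
RANGE_SIZE = 100          # assumption: upper bound on concurrently running containers

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:20000 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:20001 0.0.0.0:*
LISTEN 0 4096 [::]:20002 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line of `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        yield addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for addresses that cannot be reached from another machine."""
    if addr in ("*", ""):  # wildcard bind
        return False
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback  # drop "%iface" suffix

def ports_needing_filter(ss_output, reverse_proxy=False):
    """Return sorted ports that are reachable off-host unless the firewall blocks them."""
    exposed = set()
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue
        in_container_range = PORT_RANGE_START <= port < PORT_RANGE_START + RANGE_SIZE
        # Assumption: behind a reverse proxy, only the proxy should reach port 8080.
        proxy_port_internal = reverse_proxy and port == PROXY_PORT
        if in_container_range or proxy_port_internal:
            exposed.add(port)
    return sorted(exposed)

if __name__ == "__main__":
    print("filter these ports:", ports_needing_filter(SAMPLE_SS, reverse_proxy=True))
```

A port reported here is not necessarily exposed; it means the firewall is the only control keeping outside clients away from it, so a matching rule should exist.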