openanalytics / shinyproxy

ShinyProxy - Open Source Enterprise Deployment for Shiny and data science apps
https://www.shinyproxy.io
Apache License 2.0
525 stars 151 forks source link

SSL Termination with the new ECS backend #499

Open moreauchr opened 5 months ago

moreauchr commented 5 months ago

Hello, so far the documentation said for SSL termination you recommend running an nginx reverse proxy. Our setup so far encompassed EC2 instances running ShinyProxy via Docker and have an additional container running the reverse proxy and routing all ShinyProxy traffic through the loopback interface of the machine without any other network transit.

Now we want to experiment with ECS but are still under the requirement that traffic coming in from the AWS application load balancer to the ShinyProxy ECS task container needs to be encrypted as well. Is there any way to place certificates / chains into the ShinyProxy container and let e.g. SpringBoot handle the SSL termination at application level directly? As far as i know spinning up a side car container in the task of Shinyproxy will still spawn 2 individual containers that communicate over network unencrypted for the part of the way. Is there a way to remedy this to have SSL encrypted traffic in the VPC?

For our tests we are currently using a very minor modified version of the environment that you provide in the 20/21 ecs examples section from your shinyproxy examples repo.

Much thanks and keep up the good work to provide a useful tool for the deployment of shiny apps!

LEDfan commented 5 months ago

Hi

It should be possible to add TLS to ShinyProxy using the Spring Boot configuration, see e.g. https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl and https://docs.spring.io/spring-boot/how-to/webserver.html#howto.webserver.configure-ssl . However, I did not try this yet. An alternative could be to create a custom ShinyProxy container and adding nginx on top. E.g. you start from the ShinyProxy image, install nginx and configure it to use TLS.

sound118 commented 4 months ago

@moreauchr hi, have you successfully implemented the minimal example using ECS as backend provided on shinyproxy github configuration example? I have been experimenting with this many times, but all failed with following issue logs posted in below link:

https://github.com/openanalytics/shinyproxy-config-examples/issues/43

Any one can help with this? Much appreciated!

sound118 commented 4 months ago

@LEDfan I am actually quite puzzled by the Dockerfile posted in 20.ecs minimal example : FROM openanalytics/shinyproxy-snapshot:3.1.1

COPY application.yml /opt/shinyproxy/

when I implement this dockerfile, it actually did not work at all. But if I remove "-snapshot", it will work. But eventually not working on ECS as expected, the issue will show like in above link.

sound118 commented 4 months ago

I actually tried to get openanalytics/shinyproxy-snapshot:3.1.1 docker image from dockerhub, but it said not existing as below: image

sound118 commented 4 months ago

The main issue I encountered is: 2024-06-28T14:54:56.083Z WARN 1 --- [ProxyService-16] e.o.c.backend.ecs.EcsBackend : [user=jack proxyId=c6d684c9-cf19-4296-a379-781e1a2e8771 specId=datadictionary] Not adding ECS tag "openanalytics.eu/sp-http-headers" because it is contains invalid characters (only a-zA-Z0-9 +-=.:/@ allowed) and

2024-06-28T14:55:22.016Z INFO 1 --- [ProxyService-16] e.o.c.backend.ecs.EcsBackend : [user=jack proxyId=c6d684c9-cf19-4296-a379-781e1a2e8771 specId=data_dictionary] ECS Task not ready yet, trying again (20/310) --