Warning
Work in progress/needs updating
Security
For the SPACe-internal, password-protected website
Webpage
The only thing users can access on the webpage is rshiny (on port 3939). It sits behind a reverse proxy, which exposes only what we have allowed to be sent via this port, so nothing else is accessible. The only things displayed are what we allow via the apps; nothing else that sits on the VM is shown. In other words, no shiny app user can actually access the data, which are on the VM.
In addition, the website is locked down: a username and password are required to access it, and the page itself is restricted to specified IP addresses.
Shiny Proxy Server
For the ShinyProxy server, see https://www.shinyproxy.io/documentation/security/ (to be checked by Elena as of 9th March 2021).
Secure the underlying infrastructure
- "never bind the docker daemon API on 0.0.0.0, only on the loopback interface (127.0.0.1)":
Created /etc/docker/daemon.json
{
  "debug": true,
  "hosts": ["tcp://127.0.0.1:2375", "unix:///var/run/docker.sock"]
}
> sudo systemctl restart docker.service
> netstat -tunlp|grep -in listen
'tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN - '
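The manual check above can be repeated automatically after every Docker change. The following is an added example, not part of the original page or of ShinyProxy: it flags any tcp:// entry in the "hosts" list of daemon.json, and any listener on port 2375 in netstat output, that is not bound to a loopback address. The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample inputs, not taken from the real VM.
DAEMON_JSON_OK = '{"debug": true, "hosts": ["tcp://127.0.0.1:2375", "unix:///var/run/docker.sock"]}'
DAEMON_JSON_BAD = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:2375     0.0.0.0:*     LISTEN      -
tcp        0      0 0.0.0.0:22         0.0.0.0:*     LISTEN      -
tcp6       0      0 :::2375            :::*          LISTEN      -
"""


def is_loopback(host):
    """True only for a literal loopback IP; hostnames and empty hosts fail closed."""
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False


def daemon_tcp_exposures(daemon_json_text):
    """Return the tcp:// entries of "hosts" that are not bound to loopback."""
    hosts = json.loads(daemon_json_text).get("hosts", [])
    return [h for h in hosts
            if urlsplit(h).scheme == "tcp" and not is_loopback(urlsplit(h).hostname)]


def exposed_listeners(netstat_text, port=2375):
    """Return local addresses in LISTEN state on `port` that are not loopback."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -tunlp columns: proto, recv-q, send-q, local, foreign, state, pid
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port) and not is_loopback(addr):
            exposed.append(fields[3])
    return exposed


if __name__ == "__main__":
    print(daemon_tcp_exposures(DAEMON_JSON_OK))
    print(daemon_tcp_exposures(DAEMON_JSON_BAD))
    print(exposed_listeners(NETSTAT_SAMPLE))
```

A clean result only confirms the bind address; the API on port 2375 is still unauthenticated for every local process on the VM.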
Secure the communication between ShinyProxy and the LDAP directory
Secure the communication between ShinyProxy and the Docker daemon
Reverse proxy
reverse nginx proxy
Setting the bind-address in the application.yml