Warning

Work in progress/needs updating

Security

For the SPACe-internal, password-protected website

Webpage

The only thing users can access on the webpage is rshiny (on port 3939). It sits behind a reverse proxy, which passes through only what we have allowed to be sent via this port, so nothing else is accessible. The only content displayed is what we allow via the apps; nothing else that sits on the VM is shown. In other words, no Shiny app user can actually access the data, which are on the VM.

In addition, the website is locked down so that you need a username and password to access it, and the page itself is restricted to specified IP addresses.

Shiny Proxy Server

For the ShinyProxy server, see https://www.shinyproxy.io/documentation/security/ (to be checked by Elena as of 9th March 2021).

Secure the underlying infrastructure

  • "never bind the docker daemon API on 0.0.0.0, only on the loopback interface (127.0.0.1)":

    Created /etc/docker/daemon.json

{
  "debug": true,
  "hosts": ["tcp://127.0.0.1:2375", "unix:///var/run/docker.sock"]
}
> sudo systemctl restart docker.service


> netstat -tunlp|grep -in listen
'tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN - '
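
The check above can be automated. The following is an added example, not part of the original page or of the ShinyProxy or Docker projects: it audits the `hosts` entries of a daemon.json and the listeners in `netstat -tunlp` output for a Docker API bound outside loopback. The sample configs, the sample netstat lines and the function names are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample inputs (not captured from a real host).
GOOD_CONFIG = '{"debug": true, "hosts": ["tcp://127.0.0.1:2375", "unix:///var/run/docker.sock"]}'
BAD_CONFIG = ('{"hosts": ["tcp://0.0.0.0:2375", "tcp://[::]:2376", '
              '"tcp://:2375", "unix:///var/run/docker.sock"]}')
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3939            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::2375                 :::*                    LISTEN      -
"""

def is_loopback(host):
    """True only for 'localhost' or an address in 127.0.0.0/8 or ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or other hostname: treat as exposed

def exposed_hosts(daemon_json_text):
    """Return the tcp:// entries of "hosts" that are not bound to loopback."""
    bad = []
    for entry in json.loads(daemon_json_text).get("hosts", []):
        url = urlsplit(entry)
        # unix:// and fd:// sockets are local; only tcp:// can reach the network
        if url.scheme == "tcp" and not is_loopback(url.hostname or ""):
            bad.append(entry)
    return bad

def exposed_listeners(netstat_text, port=2375):
    """Return local addresses in LISTEN state on `port` that are not loopback."""
    bad = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # headers, UDP rows and other states
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port) and not is_loopback(addr.strip("[]")):
            bad.append(fields[3])
    return bad

if __name__ == "__main__":
    print("config:", exposed_hosts(BAD_CONFIG))
    print("listeners:", exposed_listeners(NETSTAT_SAMPLE))
```

On a real host, pass the contents of /etc/docker/daemon.json and the output of `netstat -tunlp` to the two functions; an empty list from both means the API is reachable only via loopback or the Unix socket.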

Secure the communication between ShinyProxy and the LDAP directory

Secure the communication between ShinyProxy and the Docker daemon

Reverse proxy

nginx reverse proxy

Setting the bind-address in the application.yml