Question

Reverse-proxy authentication for App Platform app

Looking for advice on best practice and feasibility. I want to put a pre-existing custom app (Shiny/R-based) behind a reverse proxy for authentication (password-protection) purposes, using oauth2_proxy, nginx or ShinyProxy.

I don’t want to spend lots of time on infrastructure as this is not my main job – I’d like the convenience of the App Platform to update and manage the app itself, but how best to integrate a reverse proxy? Most of the online tutorials I’ve found (some examples below) suggest using docker-compose.yml to launch the multiple services (which is not applicable to DO App Platform as far as I can tell).

Is it better to integrate installation of the proxy into the app’s DOCKERFILE, or is there some more sensible way to run a reverse proxy to protect the app behind authentication? Droplet? Or do I need to look into Kubernetes instead of App Platform?



Bobby Iliev
Site Moderator
July 8, 2024

Hi there,

Indeed, the App Platform does not support this out of the box, but this should be achievable.

1. Integrating the Reverse Proxy into your existing Dockerfile

If you prefer to stick with the App Platform and avoid additional infrastructure, you can integrate the reverse proxy directly into your app’s Dockerfile. This approach involves setting up the reverse proxy (like nginx with OAuth2 Proxy) within the same container as your Shiny app.

Example Dockerfile

Here’s an example Dockerfile snippet that shows how you might set this up:

```dockerfile
# Base image for Shiny app
FROM rocker/shiny

# Install necessary packages for oauth2_proxy and nginx
RUN apt-get update && apt-get install -y nginx wget

# Download and install oauth2_proxy
RUN wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.2.0/oauth2-proxy-v7.2.0.linux-amd64.go1.15.6.tar.gz \
    && tar -xvzf oauth2-proxy-v7.2.0.linux-amd64.go1.15.6.tar.gz \
    && mv oauth2-proxy-v7.2.0.linux-amd64.go1.15.6/oauth2-proxy /usr/local/bin/

# Configure nginx
COPY nginx.conf /etc/nginx/nginx.conf

# Configure oauth2_proxy
COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg

# Copy your Shiny app to the container
COPY shiny-app/ /srv/shiny-server/

# Expose the necessary ports
EXPOSE 80

# Start nginx, then oauth2-proxy in the background (nginx forwards auth checks
# to it on port 4180), then Shiny server in the foreground
CMD service nginx start && (oauth2-proxy --config=/etc/oauth2_proxy.cfg &) && shiny-server
```

nginx.conf Example

An example nginx.conf for reverse proxying might look like this:

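```nginx
# This file replaces /etc/nginx/nginx.conf, so it needs the top-level
# events and http contexts around the server block.
events {}

http {
    server {
        listen 80;

        # Every request to the Shiny app must pass the auth subrequest first
        location / {
            auth_request /oauth2/auth;
            error_page 401 = /oauth2/sign_in;

            proxy_pass http://localhost:3838;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location = /oauth2/auth {
            proxy_pass http://localhost:4180/oauth2/auth;
            proxy_set_header Host $host;
            # auth_request subrequests carry the headers but not the body
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
        }

        # Sign-in, callback and sign-out endpoints served by oauth2-proxy
        location /oauth2/ {
            proxy_pass http://localhost:4180;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```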

2. Using DigitalOcean Droplet for Reverse Proxy

If you find integrating the proxy into the Dockerfile too complex, you can run the reverse proxy on a separate DigitalOcean Droplet. The Droplet would handle authentication and proxy requests to your Shiny app running on the App Platform.

Steps:

  1. Create a Droplet: Set up a new Droplet with Ubuntu or your preferred OS.
  2. Install nginx and OAuth2 Proxy: Configure nginx and OAuth2 Proxy on the Droplet.
  3. Proxy Configuration: Set up nginx to forward authenticated requests to your App Platform URL.

I’ve seen a similar question in the past regarding the same setup, here is the discussion that covers some of the blockers that you might hit along the way:

https://www.digitalocean.com/community/questions/nginx-proxy-server-to-app-platform-app-is-getting-a-403-access-denied-cloudflare-error

An alternative option here would be to use a Managed Kubernetes cluster instead of the App Platform:

https://docs.digitalocean.com/products/kubernetes/

- Bobby
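The Dockerfile in the answer above copies an `oauth2_proxy.cfg` that the thread never shows. The following is an added example of what that file could contain for the single-container layout; it is not part of the original answer. Assumptions: Google as the identity provider, `example.com` as the allowed e-mail domain, and a placeholder redirect URL; the three secrets are expected as environment variables rather than in the image.

```toml
# oauth2_proxy.cfg - added example, all values are placeholders/assumptions

# Listen on loopback only: nginx in the same container is the sole client,
# matching the proxy_pass http://localhost:4180 lines in nginx.conf.
http_address = "127.0.0.1:4180"

# oauth2-proxy sits behind nginx, so trust the X-Forwarded-* headers it sets.
reverse_proxy = true

# nginx proxies to Shiny itself; oauth2-proxy only answers the auth_request
# check and the /oauth2/* endpoints, so its upstream is a static response.
upstreams = ["static://202"]

# Identity provider (assumption: Google) and who may sign in.
provider = "google"
email_domains = ["example.com"]   # avoid "*", which admits any account

# Must match the callback registered with the provider (placeholder host).
redirect_url = "https://your-app.example.com/oauth2/callback"

# Session cookie hardening: HTTPS only, not readable from JavaScript.
cookie_secure = true
cookie_httponly = true

# Secrets are deliberately absent from this file so they do not end up in an
# image layer. Set them as encrypted environment variables on the app:
#   OAUTH2_PROXY_CLIENT_ID
#   OAUTH2_PROXY_CLIENT_SECRET
#   OAUTH2_PROXY_COOKIE_SECRET   (16, 24 or 32 bytes)
```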
