Reverse-proxy authentication for App Platform app

Question

Looking for advice on best practice and feasibility. I want to put a pre-existing custom app (Shiny/R-based) behind a reverse proxy for authentication (password-protection) purposes, using oauth2_proxy, nginx or ShinyProxy.

I don’t want to spend lots of time on infrastructure as this is not my main job – I’d like the convenience of the App Platform to update and manage the app itself, but how best to integrate a reverse proxy? Most of the online tutorials I’ve found (some examples below) suggest using docker-compose.yml to launch the multiple services (which is not applicable to DO App Platform as far as I can tell).

Is it better to integrate installation of the proxy into the app’s DOCKERFILE, or is there some more sensible way to run a reverse proxy to protect the app behind authentication? Droplet? Or do I need to look into Kubernetes instead of App Platform?

Bobby · Answer

Hi there,

Indeed, the App Platform does not support this out of the box, but this should be achievable.

1. Integrating the Reverse Proxy into your existing Dockerfile

If you prefer to stick with the App Platform and avoid additional infrastructure, you can integrate the reverse proxy directly into your app’s Dockerfile. This approach involves setting up the reverse proxy (like nginx with OAuth2 Proxy) within the same container as your Shiny app.

Example Dockerfile

Here’s an example Dockerfile snippet that shows how you might set this up:

# Base image for Shiny app
FROM rocker/shiny

# Install necessary packages for oauth2_proxy and nginx
RUN apt-get update && apt-get install -y nginx wget

# Download and install oauth2_proxy
RUN wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.2.0/oauth2-proxy-v7.2.0.linux-amd64.go1.15.6.tar.gz \
    && tar -xvzf oauth2-proxy-v7.2.0.linux-amd64.go1.15.6.tar.gz \
    && mv oauth2-proxy-v7.2.0.linux-amd64.go1.15.6/oauth2-proxy /usr/local/bin/

# Configure nginx
COPY nginx.conf /etc/nginx/nginx.conf

# Configure oauth2_proxy
COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg

# Copy your Shiny app to the container
COPY shiny-app/ /srv/shiny-server/

# Expose the necessary ports
EXPOSE 80

# Start nginx and Shiny server
CMD service nginx start && shiny-server

nginx.conf Example

An example nginx.conf for reverse proxying might look like this:

server {
    listen 80;

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        proxy_pass http://localhost:3838;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location = /oauth2/auth {
        proxy_pass http://localhost:4180/oauth2/auth;
    }

    location /oauth2/ {
        proxy_pass http://localhost:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

2. Using DigitalOcean Droplet for Reverse Proxy

If you find integrating the proxy into the Dockerfile too complex, you can run the reverse proxy on a separate DigitalOcean Droplet. The Droplet would handle authentication and proxy requests to your Shiny app running on the App Platform.

Steps:

Create a Droplet: Set up a new Droplet with Ubuntu or your preferred OS.
Install nginx and OAuth2 Proxy: Configure nginx and OAuth2 Proxy on the Droplet.
Proxy Configuration: Set up nginx to forward authenticated requests to your App Platform URL.

I’ve seen a similar question in the past regarding the same setup, here is the discussion that covers some of the blockers that you might hit along the way:

https://www.digitalocean.com/community/questions/nginx-proxy-server-to-app-platform-app-is-getting-a-403-access-denied-cloudflare-error

An alternative option here would be to use a Managed Kubernetes cluster instead of the App Platform: