Hi, this is more a question of code security than a question about a directly coding-related problem. But I was wondering: is it possible to see the code in ui.R and server.R that generates the app's web browser page?
e.g. Although I'm sure I could just ask Garrett to see the code...is it possible, without authorisation, to somehow see the code related to this URL http://glimmer.rstudio.com/gsee/TFX/ which is running a shiny app? As this might be a problem if putting up sensitive data/code etc.
Is there a way to add a secure username and password to shiny apps, so that only selected users can access the app?
I know obviously you can see code that runs shiny apps from gists, but was more curious about glimmer apps.
P.S. Garrett (if you see this), I'm just using your app as a good app example...as it uses glimmer..., and in my opinion it's attractive code.
As you talk about shiny applications that run on glimmer.rstudio.com, you talk about applications that run on shiny server (as opposed to applications run locally via a call to runApp).
As such, both ui.R and server.R are located on the server, and they are not downloaded to your computer when you run it. Moreover, they seem to be protected by shiny, as if you try to access them via a URL, such as http://shinyserver.example.com/app/server.R, all you will get is an HTTP 404 error.
So, in the same way that it is not possible to access the PHP or Ruby files that power a website or web application, you can't, for obvious security reasons, access the R files behind a shiny application.
As for protecting access to a shiny application, I'm not sure it is a built-in feature in shiny server yet, but if you run it behind an Apache or Nginx proxy it should be possible to use HTTP authentication for that.
Note: I'm not a shiny expert at all, so this answer could be partially wrong. I just hope not totally :)
Right now, do not put up sensitive code or data on the glimmer server! It is not secure and any user of the server can access the code/data of other users. A bug report has been submitted and the developers are working on it; to my surprise the server is still online though.
Username/passwords are not going to help with this bug. If you want security, host Shiny Server yourself as the glimmer server is not secure.
I am currently thinking about the best way to deploy my RShiny app. I tried hosting my app on a dedicated server via ShinyProxy, Docker and Nginx, but this solution was (surprise!) not really scalable. The RAM requirement per user was too high for that.
I'm currently considering hosting the app via a Docker image in AWS Fargate, where RAM resources scale up and down as needed.
I'm now wondering about security, though.
Brief background:
My goal is to add my app as a tool to an online store. Here it can and will (hopefully) happen that several users will use the tool at the same time. It's important that users can't mess with each other's data - that's why I thought of ShinyProxy, so that each user gets their "own R session".
Now I am wondering what this looks like with AWS Fargate. Could it be that if multiple users are active in the tool at the same time, there can be mutual interference?
If so, does anyone have any ideas on how to prevent this? Unfortunately, publishing ShinyProxy via Fargate is not possible as far as I know.
I hope I could formulate my question understandably and someone of you can help me.
Thank you and have a nice day!
Brief background: My goal is to add my app as a tool to an online store. Here it can and will (hopefully) happen that several users will use the tool at the same time. It's important that users can't mess with each other's data - that's why I thought of ShinyProxy, so that each user gets their "own R session".
Probably depends on what you need for your use case.
Shiny actually has no user management by default - in the sense of limiting access to your application for certain groups and requiring authentication (can be done by hosting with Shinyapps.io and others).
But you probably do not really need this anyway - your problem sounds more like a scoping issue.
(you should read this information about it)
Sure, there might only be one R process, but it actually supports multiple client connections (sessions). You can define what objects these sessions share. This is totally independent from where you host your app.
Everything you put into the shinyServer() function in the server.R file will only be visible within the user session (every user has its own session).
If you need to share variables between sessions, you have to put them in the server.R file, but outside of the shinyServer() function.
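The scoping rules described above, as an added example that is not part of the original answer: it uses the single-file app.R layout with shinyApp(), which is equivalent to the ui.R/server.R split the answer refers to, and the names `shared` and `my_clicks` are chosen for the illustration.

```r
library(shiny)

# Added example: objects created here, outside the server function, exist
# once per R process and are therefore shared by every connected session.
shared <- reactiveValues(total_clicks = 0)

ui <- fluidPage(
  textInput("name", "Your name"),
  actionButton("click", "Click"),
  textOutput("mine"),
  textOutput("everyone")
)

# The server function is called once per connected session, so everything
# defined inside it is private to that session.
server <- function(input, output, session) {
  my_clicks <- reactiveVal(0)

  observeEvent(input$click, {
    my_clicks(my_clicks() + 1)                      # per-session state
    shared$total_clicks <- shared$total_clicks + 1  # cross-session state
    # Do NOT do this: `<<-` writes to the process-wide environment, so one
    # user's input would become visible to every other user's session.
    # last_name <<- input$name
  })

  output$mine <- renderText(
    paste0(input$name, ", your clicks this session: ", my_clicks())
  )
  output$everyone <- renderText(
    paste("Clicks from all sessions on this server:", shared$total_clicks)
  )
}

shinyApp(ui, server)
```

Open the app in two browser windows: "your clicks" counts separately in each, while "all sessions" counts both.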
I'm trying to develop an internal Shiny app for my organization as a test run. The IT department is requiring the app to be safe from Directory Traversal Attacks. Unfortunately, I have to deploy the Shiny app on a Windows machine (currently using runApp).
I have searched but not found a way to implement the different recommendations of avoiding Directory Traversal Attacks. Can anyone help me out?
Protecting from a traversal attack is twofold. Once in the application and once in the system.
For the application, you will need to make sure that you are cleaning any inputs that point to a hosted file. For example, if your application allows a user to call images/supercool.png you'll need to verify that the path is not being changed to something like ../../../../etc/passwd.
For the system, it is a matter of separating privileges. The accounts given access to the runApp files should not also have access to system files (beyond what is absolutely needed).
I would recommend using shiny server or connect to host the files for you, especially if you do not feel prepared to implement the needed security.
Rstudio has done a lot of work and a great job to make a good product and is continuing to add new features including enhancements around security/access.
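One way to implement the input cleaning the answer describes, for a Shiny app served with runApp() on Windows or Linux (added example, not code from the original answer): the helper `safe_path` and the `www_files` directory are assumptions for the illustration.

```r
library(shiny)

# Added example: resolve a user-supplied file name against one fixed
# directory and refuse anything that would end up outside it.
safe_path <- function(user_input, base_dir) {
  base <- normalizePath(base_dir, winslash = "/", mustWork = TRUE)
  # Reject empty names, absolute paths, drive letters and any ".." component
  # before touching the file system at all.
  if (!nzchar(user_input) ||
      grepl("^([/\\\\]|[A-Za-z]:)", user_input) ||
      grepl("(^|[/\\\\])\\.\\.([/\\\\]|$)", user_input)) {
    return(NULL)
  }
  candidate <- normalizePath(file.path(base, user_input),
                             winslash = "/", mustWork = FALSE)
  # For an existing file normalizePath() resolves symlinks and "..", so the
  # resolved location must still start with the base directory.
  if (!file.exists(candidate) ||
      !startsWith(candidate, paste0(base, "/"))) {
    return(NULL)
  }
  candidate
}

ui <- fluidPage(
  textInput("img", "Image name", "supercool.png"),
  imageOutput("pic")
)

server <- function(input, output, session) {
  output$pic <- renderImage({
    path <- safe_path(input$img, "www_files")
    # Refuse with a generic message; do not echo the rejected path back.
    validate(need(!is.null(path), "No such image."))
    list(src = path, contentType = "image/png")
  }, deleteFile = FALSE)
}

shinyApp(ui, server)
```

Pair this with the system-side point above: run the R process under an account that can read `www_files` and nothing more than it needs.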
We were doing some research on the configuration of Shiny Server and noticed that the config syntax is virtually the same as Nginx's. Does anyone have a confirmation on this? If that is true we plan a different stack system architecture.
Shiny Server and Shiny Server Pro are not based on nginx; they are using Node.js to provide their web server functionality. Please see the corresponding answer in the RStudio FAQ.
Just had a bit of a poke in their github repository and it looks to be pretty custom code and they're just reusing the syntax/variable naming of Nginx.
Config parsing seems to be done in lib/router/config-router.js where you can find references to things like 'log_dir'.
I'd therefore probably put some sort of proxy between it and the internet (if that's your plan).
I am building a series of interactive shiny web apps for a project that I am considering turning into a company. My background is in data science and I don't have a lot of experience on the web app / server side of things, but these are important aspects for me to consider with my project. I currently have an Amazon Linux AMI EC2 instance with ShinyServer (free, open-source) installed, and I am currently hosting early versions of my web apps there. So far everything works fine, but I haven't made the links public yet.
My first question is whether anyone knows if there are certain limitations (scalability limitations, integration with database limitations, security / authentication limitations, etc.) that I will inevitably run into using RShiny apps and ShinyServer? I haven't heard of many successful, super-popular web apps being shiny apps hosted on ShinyServer, but rather my feeling is that ShinyServer is mainly used for hosting RShiny apps that are shared amongst only a small number of people (i.e. shared amongst team members at a company.). Per this thread - Does R-Server or Shiny Server create a new R process/instance for each user? - I am particularly concerned that my app won't be able to handle thousands of users simultaneously since only 1 R process is created for the app regardless of the # of concurrent users of the app. Having 10-20 processes through ShinyServer pro probably doesn't solve the issue either if I ever intend to scale greater than the hundreds or thousands of users. I also noticed that ShinyServer Pro would run me a not-so-negligible $10K per year.
My second question is whether RShiny apps can be deployed using other server technologies, such as Heroku. I came across this github page (https://github.com/virtualstaticvoid/heroku-buildpack-r/tree/heroku-16) but haven't dug too deep into it yet. I've been told that heroku makes it easy to update releases to apps whose code is on github (git push heroku:master), amongst other things.
My third question involves certain specific considerations of mine. In particular, I am currently working on a script that queries data from an API and writes that data to a (not-yet-setup) database of mine. This is the data my apps use, and I'd be interested in having the apps update in real time as the database updates, without requiring the user to refresh the webpage. A buddy of mine suggested AJAX for this type of asynchronous behavior, and it looks like this may be possible in R with something like this (https://github.com/daattali/advanced-shiny/tree/master/api-ajax).
Sorry that this is such a loaded question, but I hope it doesn't get closed down as I think it is fairly educational. Any suggestions / sources / pointing me in the right direction would be greatly appreciated on this.
Canovice,
I'd recommend you take a look at the following RStudio / AWS support articles. To scale a shiny server you'll need to look at using a load balancer:
RStudio
https://shiny.rstudio.com/articles/scaling-and-tuning.html
https://support.rstudio.com/hc/en-us/articles/220546267-Scaling-and-Performance-Tuning-Applications-in-Shiny-Server-Pro
https://support.rstudio.com/hc/en-us/articles/217801438-Can-I-load-balance-across-multiple-nodes-running-Shiny-Server-Pro-
AWS
https://aws.amazon.com/blogs/big-data/running-r-on-aws/
Blog Article:
http://mgritts.github.io/2016/07/08/shiny-aws/
Shiny is a great platform, their support is fabulous. I'd recommend you ring them up - they'll be sure to help answer your questions.
That said if your plan is to create a scalable website that will support thousands or hundreds of thousands of people then my sense would be to recommend you also review and consider using D3.js in conjunction with react.js or Angular.js, not forgetting to mention node.js.
My sense is that you are looking at a backend database connected to a logic engine and visualisation front end. If you are looking for a good overview of usage take a look at the following web page and git repo [A little dated but useful]:
https://anmolkoul.wordpress.com/2015/06/05/interactive-data-visualization-using-d3-js-dc-js-nodejs-and-mongodb/
https://github.com/anmolkoul/node-dc-mongo
I hope the above points you in the right direction.
I'd like to provide some notes related to your second question: Yes, you can use the mentioned buildpack to deploy shiny applications on heroku.
I was in a similar situation with you (asking myself about possible ways of serving Shiny applications in a scalable manner) and decided to go the "heroku way".
You may find these hints helpful when deploying your app to heroku using the buildpack mentioned above:
Heroku tries to "guess" how to execute your application. But you can also add a special file, named Procfile, to your application to control the process commands you want to execute for your application. In my case I used web: R -f ~/run.R --gui-none --no-save, which means that a file named run.R is passed to the R executable for the web server process.
The stack on heroku is based on Ubuntu. If you need additional deb-packages, you can create another special file named Aptfile and add the package names therein; heroku will then automatically install these for you (I needed it for RPostgreSQL).
You can add another special file named init.R and install all R packages as necessary just as you are used to, i.e. with install.packages etc. You can also add initial configuration material within this file.
As a running example, here is a toy application that I wrote for myself to remember what a "full-stack" shiny app may look like, including compatibility with heroku.
For a large number of concurrent users, use a load balancer like nginx and enable the autoscaling of your app, e.g. through Kubernetes.
You can deploy your app on Heroku. On the paid tiers it includes NoOps autoscaling of your app. See this tutorial on how to deploy a Shiny app in a Docker container on Heroku: https://medium.com/analytics-vidhya/deploying-an-r-shiny-app-on-heroku-free-tier-b31003858b68
You can query the table's last-update timestamp in the Shiny server logic with reactivePoll() and rerun your db query if it changed. It is not "real-time" but, depending on your application, close enough if you set the time interval small.
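The reactivePoll() pattern described above, as an added example that is not part of the original answer: it assumes a SQLite file `data.sqlite` containing a table `readings` with an `updated_at` column (all placeholders) and uses the DBI and RSQLite packages.

```r
library(shiny)
library(DBI)

ui <- fluidPage(tableOutput("tbl"))

server <- function(input, output, session) {
  # Placeholder database; one connection per session, closed when it ends.
  con <- DBI::dbConnect(RSQLite::SQLite(), "data.sqlite")
  session$onSessionEnded(function() DBI::dbDisconnect(con))

  readings <- reactivePoll(
    intervalMillis = 5000,   # poll every 5 s; lower it for "closer to real time"
    session = session,
    # checkFunc must be cheap: Shiny runs it on every tick and compares the
    # result with the previous one.
    checkFunc = function() {
      DBI::dbGetQuery(con, "SELECT MAX(updated_at) AS ts FROM readings")$ts
    },
    # valueFunc runs only when checkFunc's result changed, so the expensive
    # query is not repeated while the table is unchanged.
    valueFunc = function() {
      DBI::dbGetQuery(
        con,
        "SELECT * FROM readings ORDER BY updated_at DESC LIMIT 100"
      )
    }
  )

  # Any output that reads readings() re-renders automatically after a change,
  # without the user refreshing the page.
  output$tbl <- renderTable(readings())
}

shinyApp(ui, server)
```

Both queries are fixed strings with no user input, which keeps this polling logic free of injection concerns; if a filter from the UI is added later, pass it through DBI's parameterised queries rather than pasting it into the SQL.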
I must say that I am reaching the end of my tether with Flash Builder and Flex. Firstly, I have built this wonderful app that I want to start using but it is data driven meaning that when I built it, I created it on my localhost. The PHP scripts were generated from Flash Builder and I have edited them to make them more secure. I have all my services working 100% and I have this brilliant app, but I can only run it on localhost. I have done everything necessary and installed Zend Framework on both servers, I have configured Zend properly but I cannot work out how to change the mobile app to now read from my remote web server.
To me this is useless as I want to be able to deploy this app to others to use when they are out and about.
Does anyone have any clue whatsoever as to how to change it from looking at a localhost to looking to my remote web host? Any tutorials or anything that you can think of? Any help would be appreciated.
Does anyone have any clue whatsoever as to how to change it from looking at a localhost to looking to my remote web host?
Usually, I don't have to do anything. It just works. But, for some reason, the "first migration" from localhost to production seems to be hard for every Flex developer. Here are some things I wrote about that frustrated me.
Before moving forward, I'll add that your post is inherently confusing. You talk about running your app on localhost; but you also talk about building mobile apps. Were you building a native mobile app? If so, how are you running it on localhost? Mobile Native Apps don't run on a local web server; they run in an emulator.
The rest of this post assumes you are building a browser based app, but even if not should give you some good debugging tips.
Most likely you did something ignorantly which is preventing things from working. Once you figure it out you'll never have the problem again. So, here are some things to check:
It sounds like you have URLs hard coded somewhere within your app that point to localhost. I'd look for that first.
If you're using AMF with RemoteObject, it may be in your services-config file that is hard coded into your app. Be sure to check that if you are compiling a services-config into your app.
Beyond that, it is possible that your remote server is not configured properly. When using ColdFusion we have a special URL ( localhost/flex2gateway ) that we can check to verify that Flash Remoting is set up properly. I'm not sure about PHP, but I bet it is something similar.
You didn't tell us your specific setup, but if you're using a localhost SWF with services on your remote server, your remote server will need a crossdomain.xml file to allow the "off-server" access.
You didn't tell us your specific error, which makes it hard to provide more information. But, be sure to test your services--outside of the Flex app--to make sure they don't have remote errors. Be sure to check case sensitivity of URLs on your localhost vs your server. Be sure to use a Network Sniffer such as the Flash Builder Network Monitor, ServiceCapture or Charles to check the traffic being sent from the browser/Flash Player to your server. You may discover errors that way.