Secure Shinydocs Dashboards and Control Center Access with IIS Reverse Proxy

This guide assumes you are using Windows Server edition. If you are using Windows 10 or 11, use Turn Windows features on or off.

Using this configuration will provide an authentication gate to access the platforms, once authenticated, configured users will have access to all content in the respective platform.

This guide covers configuring an IIS reverse proxy to configure which AD users and groups can access Shinydocs Dashboards or Control Center. You can set up both with this method, but you must set them to different physical paths and ports.

Preconditions

Hold up!

Before you proceed, you will need to think about which ports you will use. You cannot use the same port (443) for each.

Have Shinydocs Pro installed
Have IIS installed along with the URL Rewrite & Application Request Routing modules
(Dashboards only) A service account (or user account) that will be used to authenticate the connection between Shinydocs Pro and Dashboards
- This process will enable Windows Authentication when accessing Dashboards, therefore account credentials are needed to make the Dashboard links work in Shinydocs Pro

IIS Installation and Configuration

Install IIS - Windows Server

Open Server Manager
Click Manage → Add Roles and Features
Click Next until Server Roles
Check Web Server (IIS)
In the pop-up, click Add Features
Click Next until Role Services
Ensure these are checked:
- Web Server → Security → Windows Authentication
- Web Server → Security → URL Authorization
Click Next, then Install

Install IIS - Windows 11

Press Windows + R, type: optionalfeatures, press Enter
Check:
- Internet Information Services
- Expand:
  - Web Management Tools
  - World Wide Web Services → Security → check Windows Authentication
  - World Wide Web Services → Security → check URL Authorization
Click OK to install

Download and Install Additional IIS Modules

Download and install the following:

They will be automatically added to IIS (you may need to close IIS and re-open for URL Rewrite to appear).

Control Center Guide

Prepare

In order to have IIS control access to the Shinydocs Control Center, you will need to disable negotiate authentication in Shindydocs Control Center, as that is now being handled by IIS.
1. Go to Settings in Shinydocs Control Center
2. Click on the Access settings
3. Change Negotiate to None
4. Save changes and allow the service to restart

Step 1: Add Your Website

Open IIS Manager.
Right-click Sites and select Add Website.
Fill out the following fields using your values:
- Site name: The name of your site as it will appear in IIS
  - Suggestions:
    - Shinydocs Pro Control Center
- Physical path: C:\inetpub\wwwroot\ControlCenter
  - You can choose any physical path you like, it will create the web.config file for IIS in this directory.
- Type: HTTPS
- IP address: All Unassigned
- Port: 443
  - 🛑 Ensure that this port is not currently in use
  - You can use any port you would like that is available
- Host name: Your hostname
- SSL certificate: Select your certificate (e.g., my self-signed certificate JARVIS)
  - For more information, please see How to Set Up SSL on IIS 7 or later | Microsoft Learn
Click OK to create the site.

Step 2: Configure the Reverse Proxy

Select your website in IIS Manager, then click URL Rewrite.
In the Actions panel, click Add Rules.
Select Reverse Proxy and click OK.
Enable Rewriting of domain names under Outbound Rules.
Set the inbound rules and the outbound rule.
1. For Inbound rules:
  1. Shinydocs Control Center: localhost:9701
2. For Outbound rules
  1. From: localhost:9701
  2. To: your machine hostname
Click OK to save the settings.
Edit the Inbound Rule you just made
In the Rewrite URL, make the “http” string “https”
Click Apply

Step 3: Configure User Authentication

Select your site in IIS Manager and click Authentication.
Disable Anonymous Authentication and enable Windows Authentication.
Go back to the main IIS screen and select .NET Authorization Rules or Authorization Rules (whichever is available on your computer).
Delete the default Allow All Users rule.
Choose one of the following options based on your needs:
1. All users: Allows everyone to access the web content. Use this only if there are no security concerns about unrestricted access.
2. All anonymous users: Not recommended.
3. Specified roles or user groups: Restricts access to specific user groups. Use this option only when you want users in certain groups, such as administrators, to have access.
4. Specified users: Limits access to specific individuals. Use this for precise control over who can access the content.

Your Shinydocs Pro site should now be accessible securely and configured with user authentication. Try right-clicking on the site in IIS Manager > Manage Website > Browse. If you experience any issues, review the steps and ensure all configurations match the guide.

Dashboards Guide

Step 1: Add Your Website

Open IIS Manager.
Right-click Sites and select Add Website.
Fill out the following fields using your values:
- Site name: The name of your site as it will appear in IIS
  - Suggestions:
    - Shinydocs Pro Control Center
    - Shinydocs Pro Dashboards
- Physical path: C:\inetpub\wwwroot\ShinydocsPro
  - You can choose any physical path you like, it will create the web.config file for IIS in this directory.
- Type: HTTPS
- IP address: All Unassigned
- Port: 444 (you can use 443 if you are not using it for Shinydocs Control Center)
  - 🛑Ensure that this port is not currently in use
  - You can use any port you would like that is available
- Host name: Your hostname
- SSL certificate: Select your certificate (e.g., my self-signed certificate JARVIS)
  - For more information, please see How to Set Up SSL on IIS 7 or later | Microsoft Learn
Click OK to create the site.

Step 2: Configure the Reverse Proxy

Select your website in IIS Manager, then click URL Rewrite.
In the Actions panel, click Add Rules.
Select Reverse Proxy and click OK.
Enable Rewriting of domain names under Outbound Rules
Set the inbound URL and the outbound URL.
1. For inbound rules:
  1. Dashboards: localhost:5601
2. For Outbound rules
  1. From: localhost:5601
  2. To: your machine hostname
Click OK to save the settings.

Step 3: Configure Server Variables

With your site selected, go to URL Rewrite and click View Server Variables.
Add these variables:
- HTTP_ACCEPT_ENCODING
- HTTP_X_ORIGINAL_ACCEPT_ENCODING
Go back, select the Inbound Rule in URL Rewrite and click Edit.
- Under Server Variables
  - Add HTTP_X_ORIGINAL_ACCEPT_ENCODING to {HTTP_ACCEPT_ENCODING}.
  - Add HTTP_ACCEPT_ENCODING with a placeholder value (e.g., abc).
Click Apply (top-right) to save the configuration.
Edit the web.config file in your site's directory (C:\inetpub\wwwroot\ShinydocsPro):
- Replace the placeholder value (abc) with an empty string.
- Add the following under <configuration>:
  CODE
```
<system.web>
    <httpRuntime requestPathInvalidCharacters="" relaxedUrlToFileSystemMapping="true" />
</system.web>
```
Save the file.
Go to URL Rewrite and click Add Rules. Choose Blank Rule under Outbound Rules
Name the rule RestoreAcceptEncoding. In the settings, choose <Create New Precondition…>.
Name the rule NeedsRestoringAcceptEncoding, check Using is set to Regular Expressions and Logical grouping is set to Match All.
Add a condition to the precondition:
- For Condition input, type {HTTP_X_ORIGINAL_ACCEPT_ENCODING} (include the curly braces).
- For Pattern, type .+.
- Click OK twice to close the condition setup.
Back in the rule settings, go to Match and set Matching Scope to Server Variable.
- For Variable name, type HTTP_ACCEPT_ENCODING.
- For Pattern, type ^(.*).
In the Action section, do the following:
- Set Action type to Rewrite.
- For Value, type {HTTP_X_ORIGINAL_ACCEPT_ENCODING} (include the curly braces).
Click Apply to save the rule.

Step 5: Configure User Authentication

Select your site in IIS Manager and click Authentication.
Disable Anonymous Authentication and enable Windows Authentication.
Go back to the main IIS screen and select .NET Authorization Rules or Authorization Rules (whichever is available on your computer).
Delete the default Allow All Users rule.
Choose one of the following options based on your needs:
1. All users: Allows everyone to access the web content. Use this only if there are no security concerns about unrestricted access.
2. All anonymous users: Not recommended.
3. Specified roles or user groups: Restricts access to specific user groups. Use this option only when you want users in certain groups, such as administrators, to have access.
4. Specified users: Limits access to specific individuals. Use this for precise control over who can access the content.
Add an allow rule for the service account (or user account) that will be used to authenticate the connection between Shinydocs Pro and Dashboards
1. Add Allow Rule.
2. Select Specified users.
3. Enter the name of the account (ex. svcshinydocs).
4. Click OK to add the rule.
Configure the service account (or user account) in Shinydocs Pro
1. In Shinydocs Pro Control Center (https://localhost:9701) go to Settings.
2. Go to the Services setting page.
3. Under Search dashboards:
  1. Set the URL to the reverse proxy URL (ie. https://servername:443/)
  2. Click on the key icon under Search dashboards.
  3. Enter the username and password for the Service account (or user account) used in Step 6.
  4. Check Allow invalidated certificates.
4. Click Save changes.

Your Shinydocs Pro site should now be accessible securely and configured with user authentication. Try right-clicking on the site in IIS Manager > Manage Website > Browse. If you experience any issues, review the steps and ensure all configurations match the guide.