Released on 20 June 2024.

Release notes

  • update dependencies
  • improve performance of fetching proxies owned by a user
  • add API endpoint to replace pre-initialized and shared containers
  • when opening an app that has an external-app configured, redirect to this URL when starting the app
  • allow specifying client-authentication-method in OpenID configuration, (see docs), contributed by @MohamedAnouar
  • Fix: stop containers started using container pre-initialization and sharing when ShinyProxy stops
  • Fix: add workaround for authentication issue when opening a link to ShinyProxy from a MS Office application
  • Fix: retry (proxied) request to app when the app closes the TCP connection (fixes issues with loading assets of Shiny apps)
  • Fix: throw error on startup when app recovery is used together with container pre-initialization and sharing
  • Fix: force apps to not use compression on HTML responses such that the iframe script can be injected
  • Fix: allow admin to stop apps of other users again
  • Fix: avoid Thymeleaf warning
  • Fix: issue when using Datatables and SAML
  • Fix: do not load demo config when using spring.config.location
  • Fix: ensure Docker port is only released when container has been stopped


Released on 7 May 2024.

Release notes

We want to thank all contributors that made this release possible. The “pre-initialization” feature was developed in cooperation with UCLouvain and NPL Markets. We would also like to thank AWS for contributing an initial version of the ECS backend. See the support page if your organization wants to sponsor a specific feature in ShinyProxy.

  • update to JDK 17

  • update to Spring Boot 3.2

  • add support for pre-initializing containers (see docs)

  • add support for sharing a container among multiple users (see docs)

  • add support for autoscaling number of pre-initializer or shared containers (see docs)

  • add AWS ECS backend, for running containers on AWS ECS Fargate, (see backend docs and app docs )

  • add option to show notification (a.k.a message of the day) to all users (see docs), contributed by @ziyunxiao

  • allow to use request and response objects in templates (e.g. to check the status code), see example

  • allow to use the list of apps and template groups in any template, contributed by @nickmelis

  • replace in-memory caches by Caffeine library to reduce chance of memory leaks

  • cache whether a user is an admin

  • cache the maximum number of instances a user can start

  • cache proxyId for common endpoints

  • cache (app) favicons and logos

  • various performance improvements

  • support YAML array notation in proxy.kubernetes.image-pull-secrets property

  • allow configuring OpenID connect JWKS algorithm (see docs)

  • allow to use the (decoded) OpenID access token in SpEL (see docs)

  • allow to use the JSON response returned by the authentication webservice in SpEL (see docs)

  • allow to use groups when using webservice authentication (see docs)

  • allow to use custom name for container names (see docs: Docker, Docker Swarm and Kubernetes)

  • use proxyId instead of containerId in service name on Kubernetes

  • allow to configure time to wait before Docker swarm service is ready (see docs)

  • replace Docker library by an up to date version

  • update Docker library to be compatible with recent Docker releases

  • add option to control cache headers sent by an app (see docs)

  • add option to control the maximum number of running apps per app or in total (see docs)

  • add cache headers to ShinyProxy assets (CSS and JS files)

  • send userid and groups as HTTP headers (see docs)

  • add option to send custom attributes as HTTP headers (see docs)

  • allow apps to link to an (external) page/url instead of starting a container (see docs)

  • check if app has crashed on websocket connection error

  • add authorized versions of kubernetes-pod-patches, kubernetes-additional-manifests and kubernetes-additional-persistent-manifests, allowing to control when these properties are applied (see docs)

  • improve Proxy status API endpoint

  • add support for specifying a (different) favicon per app (see docs)

  • add options to specify width, height, style and CSS class of app logos (see docs)

  • drop social authentication, use the OpenID backend instead

  • drop keycloak authentication, use the OpenID backend instead

  • in the parameter form, do not reset values for other (default) parameters when changing a (default) parameter (but only if the resulting combination is allowed)

  • add log message to “auth-success” page to ease debugging when the redirect does not work

  • the authFailed metric is now increased when the /auth-error is shown to a user (e.g. after a login using OIDC failed)

  • collect the spec id in the startFailed (Prometheus) metrics (see updated dashboard)

  • add (Prometheus) metric for crashed apps (see updated dashboard)

  • OpenID: extract roles claim from user-info, in addition to extracting it from the ID token

  • OpenID: log all claims from ID token and user-info, even if no roles-claim is specified

  • the leader election of ShinyProxy now only runs on ShinyProxy replicas that are running the latest version. This allows to implement more advanced features.

  • implement container-dns when using Kubernetes

  • allow apps to override the mail-to-address (see docs)

  • allow to override the subject of the support email (see docs)

  • allow specifying docker-user option for apps (works with Docker and Docker swarm)

  • allow specifying docker-ipc option for apps (works with Docker)

  • allow specifying docker-runtime option for apps (works with Docker only)

  • allow specifying docker-device-requests for apps (works with Docker only)

  • allow redirecting the user to the first available app (see docs), contributed by @nickmelis

  • allow redirecting the user to the only app available app (see docs), contributed by @nickmelis

  • allow configuring the table name used by the usage statistics

  • Fix: loading favicon when using context-path

  • Fix: automatically add context-path to path in proxy.landing-page

  • Fix: counter metrics when using multiple replicas

  • Fix: correctly collect logs when using Docker Swarm

  • Fix: delay release of Docker port, in order to prevent issues when the Docker daemon does not release the port immediately

  • Fix: report correct app id in report issue e-mail

  • Fix: cleanup WebSocket handles when WebSocket connection is closed or app is stopped (caused a memory leak in specific circumstances)

  • Fix: parse Kubernetes events when pod runs in a different namespace

  • Fix: prevent NPE in KubernetesManifestsRemover with certain CRDs

  • Fix: do not expose logoUrl property of spec in API

  • Fix: log warning when ShinyProxy cannot access the logs of a Kubernetes pod

  • Fix: make track-app-url work with non-absolute URLs

  • Fix: validation when creating new app instance (in switch instances modal)

  • Note: when using the ShinyProxy Operator, it’s recommended to update to version 2.1.0

  • Note: when using Prometheus for Usage Statistics, you have to update the configuration: change the property management.metrics.export.prometheus.enabled: true to management.prometheus.metrics.export.enabled: true

    A typical configuration should be changed from:

      #  ...
      usage-stats-url: micrometer
            enabled: true
    #  ...


      #  ...
      usage-stats-url: micrometer
            enabled: true
    #  ...
  • Note: when using Redis for session or app persistence (e.g. when using the ShinyProxy Operator), you have to update the Redis configuration:

    • move all properties from spring.redis to
    • change spring.redis.ssl: true to true
    • the internal data format of (Spring) session information has changed and is incompatible with the new format. Clear the database or use a different redis database (i.e. changing or adding (default is 0))

    A typical Redis session configuration should be changed from:

        store-type: redis
        host: redis
        password: ${REDIS_PASSWORD}
        ssl: true
      # this config implicitly uses database 0


        store-type: redis
          host: redis
          password: ${REDIS_PASSWORD}
          database: 1
            enabled: true
  • Note: the templates were changed in this release, see our examples for more information. In order to update your templates, download them from the link and re-apply your changes. You can compare the templates using meld.


Released on 25 July 2023.

Release notes

  • add option to ignore OpenID session expire (see docs)
  • streamline fallback config (do not use LDAP in fallback config and use same config for all deployment options)
  • add mobile viewport meta tags, contributed by @tanho63 and @andrewsali
  • preserve subpath when starting an app
  • add compatibility with Dash.jl apps (see demo)
  • add support for admin users in addition to admin groups (see docs)
  • add RuntimeValue SHINYPROXY_USER_TIMEZONE containing the timezone of the user (retrieved from the browser) (see docs).
  • Fix: prevent NullPointerExceptions in OpenID code
  • Fix: when a user opens an app before being authenticated, redirect user back to that app after login
  • Fix: make stopping an app more reliable (e.g. if stopping an app fails halfway)
  • Fix: prevent errors when requests during the start of an app fail because of a network issue. This is also a workaround for a bug in Firefox.
  • Fix improve behavior of refreshing the OpenID session, preventing unexpected logouts
  • Fix: prevent corrupt file downloads
  • Fix: prevent errors with UTF-8 characters on some platforms
  • Fix: prevent error when uploading files in RStudio
  • Fix: try to prevent the user from going back to the IDP when using OIDC or SAML, which causes the user to see an error. Note: because of some browser protections, this cannot be prevented completely. When the user clicks the back button multiple times, they may end up on the IDP page, however, the case where the user accidentally clicks the back button has been fixed.
  • Fix: ensure compatibility with coder/code-server (VS Code) versions after 4.10.1, by including any non-standard port in the X-Forwarded-Host header
  • Fix: allow using = in query string parameters
  • Security: the HTML page of an (active) app contained the full details of that app, including runtime values that were hidden since 3.0.0. This has been fixed by only showing the non-sensitive information.
  • Security: when using none authentication, (anonymous) users had access to the admin page and can see only their apps. This includes more information than what is returned from the API (e.g. the exact docker image used), but only for the apps started by that user. Updating is strongly advised when using none authentication.


  • Component: Social Authentication
    Replacement: use the regular OpenID Connect implementation. Concrete update steps and examples will be provided with the next release.
    Reason: the Social Authentication plugins are deprecated and no longer supported by the Spring Project. The next ShinyProxy release will upgrade to Spring Boot 3, which no longer supports these plugins.
  • Component: Keycloak Authentication
    Replacement: use the regular OpenID Connect implementation. Concrete update steps and examples will be provided with the next release.
    Reason: Further releases will still support Keycloak by using the general OpenID backend. The Keycloak project has deprecated the Keycloak adapters. The next ShinyProxy release will upgrade to Spring Boot 3, which no longer supports these plugins. In addition, the general OpenID authentication has advanced features and better integration.


Released on 14 March 2023.

Release notes

  • support YAML arrays for the groups property of users
  • Fix: handle invalid requests to the /app and /app_direct as Forbidden (instead of Internal Server Error and logging exceptions)
  • Fix: do not parse commas (,) in the container-cmd property
  • Fix: do not add Content-Length header when Transfer-Encoding header is present while injecting JavaScript file into the iframe


Released on 2 March 2023.

Release notes

  • add support for app parameters such that the user must select some (arbitrary) parameters before starting an app (see docs).
  • add support for running multiple ShinyProxy replicas providing scaling and high availability (see docs)
  • add option to automatically pull Docker image when using Docker engine, contributed by @unixlab
  • add support for Shiny bookmarking
  • add option to track the URL of the app in the browser. This ensures the URL in the browser changes together with the (active) URL of the iframe.
  • add Prometheus metrics for the duration of the individual steps of starting an app (e.g. scheduling, pulling image, starting of application) (see docs)
  • support using multiple usage statistics plugins at the same time, (see docs).
  • add My Apps modal that shows the current (active) applications of the user. This can also be shown inline on the main page.
  • add App Details modal to the app page, the Switch Instance modal and the ( new) My Apps modal. In addition to showing basic information about an app, it also shows when an app will be stopped by ShinyProxy (e.g. because of heartbeat timeout or max-lifetime).
  • show a message when the user has access to zero apps (instead of an empty page)
  • add support for additional port mappings. For example proxying the path /mypath to a different port on the same container, (see docs)
  • inject a javascript file into the iframe on the server (instead of on the client). The previous method did not work all the time on all browsers.
  • improve admin page
  • add option to show the Switch Instance modal before opening an app such that the user can re-open an existing app or choose the name for a new app, (see docs).
  • add support for secrets when using Docker Swarm, (see docs)
  • add support for memory and cpu requests and limits when using Docker Swarm
  • add support for private registries when using Docker and Docker Swarm, (see docs), contributed by @ziyunxiao
  • the duration of the API call to start an app is now limited at 10 seconds, therefore there is no need to increase request timeouts of proxies or loadbalancers
  • do not show internal errors and stack traces to users for improved security (errors are still logged)
  • improve error reporting when app fails to start on Kubernetes: warnings reported by Kubernetes are now logged in ShinyProxy logs (e.g. issues with the image, issues with the nodes or scaling etc.)
  • add option to output logs as (structured) JSON (using logstash format) (see docs)
  • logged stack traces are now more concise (when using the JSON format)
  • improve collecting applications logs on Kubernetes by ensuring that logs are always flushed
  • improve application log writing to S3: logs are now send to S3 every 10 seconds and every 1MB (previously the Docker backend would write the logs to S3 on every write)
  • improve App Recovery by not using the application spec when recovering applications. Therefore, the spec of running applications can be changed or removed, after which the ShinyProxy can be restarted (see updated docs)
  • add support for setting an annotation to kubernetes-additional-manifests that allows to specify how existing Kubernetes resources must be updated (see docs)
  • when proxy.kubernetes.debug-patches is enabled additional manifests are now logged as well
  • add support for using auth related objects in SPeL expressions in the kubernetes-additional-manifests and kubernetes-additional-persistent-manifests properties
  • change the way kubernetes-additional-manifests are deleted such that the SPeL expressions in these properties are not evaluated when the manifests are deleted. Therefore, ShinyProxy can now delete resources of which the name is dynamic (using SpEL) or when the spec is unknown (e.g. when using the operator or App Recovery).
  • make it possible to use SpEL in max-instances, heartbeat-timeout, max-lifetime and target-path properties (see docs)
  • the API no longer returns security-sensitive runtime values
  • the API no longer includes the spec when returning information about an app, such that the API does not return security-sensitive information
  • the API now returns only a limited set of properties when querying for specs ( also to improve security), this can optionally be reverted (see docs)
  • add option to configure CORS (see docs)
  • add option to add custom headers to HTTP responses (see docs)
  • add option to disable default security headers (see docs)
  • add OpenAPI specification and swagger API docs
  • drop kerberos support
  • OIDC access tokens are now automatically refreshed, such that a new container always has a non-expired access tokens. ShinyProxy now also respects the max session lifetime of the OIDC Identity Provider.
  • make it possible to use PKCE when using OIDC (see docs), contributed by @janhh
  • make it possible to use the userinfo-url endpoint when using OIDC (see docs)
  • Fix: properly handle when user reloads the page while starting or stopping an app
  • Fix: ensure height of apps is correct when using custom navbar
  • Fix: restore ShinyProxy acting as an OAuth Resource Server
  • Fix: memory leak in ActiveProxiesService
  • Fix: prevent the user from ending on the /auth-error page when their session expires when using OIDC
  • Fix: always redirect to the main page after logging in. Otherwise, users might end up on internal API endpoints or on pages that no longer exist (e.g. removed app or instances).
  • Fix: replace the SAML implementation using the new Spring implementation for improved security
  • Fix: do no return internal errors (e.g. app_stopped_or_non_existent) on /app_direct endpoint
  • Fix: correctly parse emails claim when using OIDC
  • Note: the templates were changed in this release, see our examples for more information. In order to update your templates, download them from the link and re-apply your changes. You can compare the templates using meld.


Released on 1 April 2022.

Release notes

  • Fix: update Spring Boot to 2.5.12 in order to mitigate CVE-2022-22965 See the GitHub issue for the latest updates on how this issue affects ShinyProxy.

  • Note: when using Redis for session persistence (e.g. when using the ShinyProxy Operator), you have to change the Redis configuration to use a different database (or a different namespace). By default, database 0 is used, you must change this to use database 1 (or any other free database). Use the spring.redis.database property for this (see example). This change will require the users to re-login. This change is required because the data format of the session information has changed in Spring.

    A typical Redis session configuration should be changed from:

        store-type: redis
        host: redis
        password: ${REDIS_PASSWORD}


        store-type: redis
        host: redis
        password: ${REDIS_PASSWORD}
        database: 1


Released on 5 November 2021.

Release notes

  • add proxy.default-stop-proxy-on-logout option to not stop apps on logout of a user (see docs)
  • add option to limit the maximum lifetime of an app (see docs)
  • add proxy.stop-proxies-on-shutdown option to not stop apps on shutdown of ShinyProxy (see docs)
  • optionally restore running apps on startup (known as App Recovery)
  • add heartbeat-timeout property to the specification of proxies (see docs)
  • allow to disable the heartbeat-timeout property (see docs)
  • add authentication information to SpEL context (see docs)
  • add way to easily use runtime-values in SpEL (see docs)
  • add kubernetes-additional-persistent-manifests option to specification of apps. These Kubernetes manifests are created when an app starts, but are never removed (in contrast to kubernetes-additional-manifests) (see docs)
  • add absolute_apps_running, absolute_users_logged_in, absolute_users_logged_in metrics to Micrometer (i.e. Prometheus) metrics, providing a way more consistent and correct value
  • add proxy.usage-stats-micrometer-prefix to optionally prefix Micrometer (i.e. Prometheus) metrics
  • add target-path option to specification of apps (see docs)
  • add a fallback heartbeat system for when the app does not use websockets and does not send HTTP requests often enough. This makes it easier to run applications which do not have these functionalities (e.g. traditional server-rendered apps, static html files etc.).
  • add Restart app button to navigation bar
  • add Stop app button to navigation bar
  • add mechanism to automatically reconnect the websocket connection in case it gets disconnected (see docs)
  • add support for running multiple instances of the same app by a single user (see docs)
  • add hide-navbar-on-main-page-link option to the specification of apps. When this option is enabled, the sp_hide_navbar query parameter will be added to the link on the main page to that app. This way you can control that an individual app is opened with the navbar hidden, while it is still possible to show the navbar for that app (by changing the URL).
  • automatically extend the lifetime of the session of a user when a websocket connection is active. This prevents the user from automatically getting logged out when using an app that only uses a websocket connection and no HTTP requests (see the corresponding GitHub issue)
  • add support for using SpEL in proxy.openid-logout-url (so that id_token_hint can be provided) (see docs)
  • add support for using http.proxyHost and http.proxyPort system properties for HTTP requests made by the SAML component (e.g. to fetch SAML metadata), contributed by @bartleboeuf
  • updated admin page to show more information
  • add support for grouping apps (see docs)
  • add support for specifying metadata to an app that can be used in the template (see docs)
  • add access-users property to proxy specification. This allows to configure a list of users that should have access to the app (see docs)
  • add access-expression property to proxy specification. This allows to configure a SpEL expression to determine whether a user has access to an app (see docs)
  • Operator: add proxy.operator.force-transfer option. When enabled a user is automatically transferred to the latest ShinyProxy instance when not using any apps. This is checked both on the main page and before starting a new app (see the operator docs).
  • Operator: automatically transfer user to latest ShinyProxy instance before logging in and after logging out (see the operator docs)
  • Operator: add option (see the operator docs)
  • Operator: add option (see the operator docs)
  • Fix: make issue form a client-side feature, such that current running app isn’t closed
  • Fix: make it possible to run Jupyter Notebooks using ShinyProxy
  • Fix: make it easier to run Python Flask applications using ShinyProxy
  • Fix: update jQuery library so that the Bootstrap collapse module properly works
  • Fix: parsing of OIDC roles when these are provided as an embedded JSON string
  • Fix: return JSON on the DELETE /api/proxy/id API endpoint
  • Fix: show message when a login attempt is rejected because of an expired session
  • Fix: ensure API is accessible using access token when using Keycloak
  • Fix: cleanup any started container if user logs out during startup of an app
  • Fix: all web assets (JavaScript and CSS files) are now included in ShinyProxy itself and not loaded from a CDN
  • Fix: adapt the proxy.same-site-cookie property so that it also changes the SameSite Policy for session cookies created by Undertow (i.e. the session cookie when not using Redis)
  • Fix: adapt the property so that it also changes the Secure flag for session cookies created by Spring (i.e. the session cookie when using Redis)
  • Fix: update all included dependencies
  • Fix: do not show undefined in the browser when navigating away while an app is starting, for example, by logging out or navigating to the main page.
  • Fix: support parsing Keycloak JWKS information when it contains an ECDSA key
  • Note: using #{proxySpec.containerSpecs[0].env.get('SHINYPROXY_PUBLIC_PATH')} in the specification of an app will no longer work. The code can be replaced by #{proxy.getRuntimeValue('SHINYPROXY_PUBLIC_PATH')} (see the SpEL docs)
  • Note: change the default value for proxy.same-site-cookie to Lax, in order to ensure compatibility with changes to cookies in browsers (see the docs)
    When using SAML this value may need to be changed (see the docs)
  • Note: make sure to use true when using proxy.same-site-cookie: None (e.g. for making SAML work properly), see the docs


Released on 3 November 2021.

Release notes

This release consists only of a security update. In previous releases, the SAML and Keycloak authentication backends did not protect against session fixation. If an attacker can deploy a malicious application in ShinyProxy or an attacker has control over web applications hosted on the same domain (or subdomain) of the ShinyProxy server, such an attacker was able to fix the session id of a user and ultimately hijack the session of a user. This requires the victim to either open the malicious app or webpage. Updating to ShinyProxy 2.5.1 or 2.6.0 is advised when using the Keycloak or SAML backend. Other authentication backends (e.g. OpenID Connect, LDAP) are not vulnerable. Therefore, it is possible to switch to another authentication backend as a workaround.

  • Security Fix: enable session fixation protection when using SAML authentication

  • Security Fix: enable session fixation protection when using Keycloak authentication

    Note: the documentation of the Keycloak library advices to not employ session fixation protection, since this breaks “universal logout”. However, since this is a non-standard extension of the OIDC protocol, we prefer the security benefits of this protection over the “universal logout” feature.


Released on 2 March 2021.

Release notes

  • add support for exposing Prometheus metrics, see Usage Statistics using Micrometer
  • add support for SAML Logout (using the /saml/logout endpoint), contributed by @DefensePoint
  • add support for SAML Single Logout (using the /saml/SingleLogout endpoint)
  • add option to log SAML attributes whenever a user authenticates using SAML (proxy.saml.log-attributes)
  • expose SAML metadata on /saml/metadata endpoint
  • properly handle receiving expired SAML credentials by redirecting the user to /auth-error and logging a warning message. See this FAQ Entry.
  • add option to configure the max authentication age of SAML credentials (proxy.saml.max-authentication-age). See this FAQ Entry.
  • allow to specify the Same Site policy for Cookies (proxy.same-site-cookie). See the documentation
  • add load balancer support for SAML authentication, contributed by @johannestang
  • provide the SHINYPROXY_PUBLIC_PATH environment variable to app containers in order to allow compatibility with Dash 1.3 and RStudio. See the documentation
  • refactor label and annotations of application containers. These labels and annotations can be processed by monitoring software, such as Grafana Loki. See the documentation
  • allow to specify the query parameter sp_hide_navbar=true on app pages in order to hide the navbar.
  • Docker image was improved in order to reduce the image size (~300MB vs ~800MB). Note: the /etc/shinyproxy config directory no longer exists. Configuration files should be placed inside the /opt/shinyproxy/application.yml directory. See the updated documentation.
  • add the /logout-success endpoint. This can be configured as the logout-url or as part of a logout callback. See the documentation for OIDC and SAML.
  • add the /app-access-denied endpoint. This is shown when the user logs in using SAML and the IDP indicates that logged-in user may not use the application (i.e. the IDP sends a urn:oasis:names:tc:SAML:2.0:status:RequestDenied status code.)
  • Fix: ensure SHINYPROXY_OIDC_ACCESS_TOKEN is always set when using OIDC and Redis for session storage
  • Fix: ensure clicking back button after authenticating does not cause errors when using SAML with (Azure) Active Directory
  • Fix: do not hardcode JS and CSS versions inside templates to allow easier upgrade
  • Fix: prevent redirect-loop when using OIDC and email is missing in attributes
  • Fix: handle stale session cookies and state when using OIDC (and Keycloak). This prevents errors when the user keeps an OIDC login page open for too long or using stale bookmarks.
  • Fix: username not shown when using OIDC, SAML …
  • Note: if you are using AWS ElastiCache in order to enable session persistence, you have to change the configuration of both ElastiCache and ShinyProxy. More information
  • Note: templates have changed, see our examples for more information.
  • Note: the port of the management server has changed to 9090. Therefore, all endpoints starting with /actuator are now server on port 9090 instead of 8080. Therefore, the configuration of readiness and liveness probes must be updated. In addition, these endpoints do not start with the context-path (if any).
  • Note: this version requires at least version 0.0.1-SNAPSHOT-20210302.095930 of the ShinyProxy Operator.


Released on 08 January 2021.

Release notes

  • use GitHub Actions to test ShinyProxy against multiple Java and Kubernetes versions
  • Fix: properly cleanup proxies at shutdown
  • Fix: include health of Redis into readiness probe (but only when Redis is used)
  • Fix: fix SAML and Kerberos authentication (since 2.4.2 it would throw an Exception at startup)
  • Fix: take server context-path into account when redirecting to /auth-error


Released on 17 December 2020.

Release notes

  • support any JDBC compatible database for storing usage statistics
  • use database connection pooling for usage statistics (improves the performance and reliability of it)
  • allow to use Spring Expression Language inside the kubernetes-pod-patches and kubernetes-additional-manifests configuration properties
  • add proxy.kubernetes.pod-wait-time property to configure the time ShinyProxy waits for a Kubernetes pod to become ready
  • add warning when using the removed server.use-forward-headers property
  • Fix: do not throw StackOverflowException when OpenID Connect throws an exception (e.g., when there is a configuration issue)
  • Fix: do not cause a redirect loop when ShinyProxy cannot verify an OpenID Connect token, but the user is correctly logged in (e.g., when there is a configuration issue)
  • Fix: disable debug log level for org.springframework.web.servlet.DispatcherServlet since it interfere with requests being proxied to the app
  • Fix: POST requests don’t work when using OpenID Connect
  • Fix: make heartbeat mechanism less intrusive such that it doesn’t break the websockets connection. Especially useful on slow connections and when using Shiny apps with large plots.


Released on 21 December 2020.

Release notes

  • Fix: rebuild JAR packages using OpenJDK 8 so that they can be run using OpenJDK 8


Released on 12 October 2020.

Release notes

  • support arbitrary settings at app level for the Kubernetes backend using pod patches
  • support for creating additional Kubernetes resources when an app starts and removing these when the app stops
  • instrument ShinyProxy for deployment using a Kubernetes operator
  • support Kubernetes liveness and readiness probes
  • improved handling of concurrent users of a proxied resource (increase proxy client’s queue size to 100)
  • include version of ShinyProxy in startup message
  • support logout redirection for SAML authentication (proxy.saml.logout-url)
  • Fix: support compilation with both OpenJDK and Oracle JDK
  • Fix: POST requests to apps a.o. large file uploads
  • Fix: correct checksums generated by builds
  • Fix: build snapshot Docker images and push to Docker Hub
  • Fix: update dependencies so that Google Social Login is supported
  • Note: the property to configure useForwardHeaders has changed, see Security
  • Note: the property to configure logging to a file has changed from logging.file to, see Logging


Released on 18 June 2020.

Release notes

  • support hosting of Zeppelin notebooks on ShinyProxy (by using non-greedy pattern matching to get app name)
  • possibility to set secure flag on cookies (server.secureCookies)
  • set HttpOnly on cookies set by ShinyProxy
  • set X-Frame-Options header using server.frameOptions
  • perform CSRF check on the login form and set X-Content-Type-Options header to nosniff
  • allow to set a forceAuthN flag when using SAML authentication (proxy.saml.force-authn)
  • improved parsing of custom OIDC role claims
  • improved support for the ’emails’ claim in OIDC
  • Fix: AJAX error when using Keycloak
  • Fix: ‘Error: 200’ page in case of login expiration
  • Fix: 404 when a user makes concurrent /app_direct calls;
  • Fix: error when stopping containers in a different namespace;
  • Fix: documentation for web service authentication


Released on 21 Jun 2019.

Release notes

  • support for (encrypted) SAML 2.0 based authentication and authorization;
  • support for writing application logs to S3 buckets;
  • additional logging for OpenID Connect based authentication and authorization


Released on 10 May 2019.

Release notes

  • fine-grained control on container runtime constraints with new fields container-memory-request, container-memory-limit, container-cpu-request and container-cpu-limit; this works both for a plain Docker back-end (except for container-cpu-request) and for a Kubernetes backend (all fields);
  • support for providing Kubernetes secrets to apps (using secret key refs)
  • additional documentation on request dumping (logging.requestdump)
  • app_direct URLs require a trailing slash, so /app_direct/myapp now redirects to /app_direct/myapp/ for convenience
  • fix: global privileged flag was no longer working
  • fix: proxy could take a long time to start on Kubernetes pods


Released on 29 March 2019.

Release notes

  • landing-page can now be used to redirect the user to a single Shiny app (/app/<app-name> or /app_direct/<app-name>) instead of the list of Shiny apps (default; /)
  • fix: enable proxying of other request methods beside GET
  • fix: re-enable basic auth for API usage when OAuth2 is not being used


Released on 23 March 2019.

Release notes

  • added new OAuth2 compliant security mechanism for the ShinyProxy API to allow for secured embedding of Shiny apps in broader applications or platforms
  • replaced endpoint URLs with user-friendly URLs based on app name i.e. /app/<app-name> (standard ShinyProxy interface) and /app_direct/<app-name> (direct access to the Shiny app)
  • moved configuration of authentication method webservice to proxy.webservice
  • new setting logging.requestdump to enable full request dump
  • fix: ShinyProxy will now throw an exception if specs are defined with the same id
  • fix: uptime field in admin interface now displays 0 for initializing apps
  • fix: influxdb now records non-ASCII usernames correctly
  • fix: 400 bad request when launching proxy via api without body
  • fix: error when setting proxy.openid.roles-claim is miss-spelled or missing in the id token


Released on 21 December 2018.

Release notes

  • new Kerberos authentication and authorization back-end, which also allows to use Kerberos tickets for downstream usage inside the Shiny or Dash apps (including support for constrained delegation)
  • new authentication method webservice for custom web services that handle authentication with a HTTP POST call returning a session id and user information
  • allow user to set node-selector for a Kubernetes cluster using proxy.kubernetes.node-selector
  • add support for non-ico favicons i.e. png
  • updated Keycloak dependency to 4.7.0
  • fix: openid login does not trigger login log event
  • fix: timing issue with heartbeat on small requests
  • fix: proxy.admin-groups didn’t work for multiple groups
  • fix: tear down proxies once done testing with them in TestConcurrentUsers
  • fix: use instead of in the index.html of templates when app logos are used for the landing page


Released on 12 October 2018.

Release notes

  • add favicon-path to allow for easy use of custom favicons for ShinyProxy
  • add ShinyProxy API documentation
  • introduce proxy.keycloak.use-resource-role-mappings to allow for switching between client roles and realm roles
  • add to allow for specific attributes to be used as the user’s name
  • add possibility to specify the proxy.openid.logout-url for OpenID Connect based authentication
  • document proxy.openid.username-attribute
  • fix: container-env setting was ignored
  • fix: authentication: none still hides apps if access-groups is set


Released on 21 September 2018.

Release notes

  • support SpEL (Spring expression language) in the application.yml configuration file; this allows a.o. to mount user-specific volumes for Shiny apps
  • ship MonetDB client jar again for usage statistics monitoring with MonetDB
  • fix leftover pixels below app iframe
  • fix proxy access error when using 2 sessions and OIDC
  • fix blank page or 404 when re-accessing a starting proxy
  • fix generation of the ShinyProxy RPM package
  • document settings for large file uploads in Shiny apps


Released on 4 September 2018.

Release notes

  • a new environment variable SHINYPROXY_OIDC_ACCESS_TOKEN is made available to the Shiny app containers when using the OpenId Connect (OIDC) authentication/authorization back-end; this allows to use the OIDC access token to authenticate against APIs from within the Shiny apps
  • fix ‘Not authorized to access this proxy’ issue which occurred when an admin accessed an app that was already running for another user or when the same user accesses the same app from two different browser sessions


Released on 17 August 2018.

Release notes

  • new setting proxy.bind-address to specify the bind address (hostname or IP address)
  • examples on containerized ShinyProxy with Docker Swarm back-end
  • no more redirect after logout with Keycloak-backed authentication
  • updated documentation on specification of context paths
  • support trailing slashes for app URLs
  • bug fix: OIDC now respects the context path
  • fix authentication: none
  • a default configuration file ships with ShinyProxy again


Released on 3 August 2018.

Release notes

  • the display-name is now used as browser tab name, so different Shiny apps in the browser can be more easily discriminated
  • support for setting SSL/HTTPS modes in the Keycloak back-end for single sign-on (proxy.keycloak.ssl-required)
  • better documentation of the privileged setting in proxy.docker, proxy.kubernetes and for individual app containers
  • bug fix: some settings were still using the old (1.x.y) shiny.proxy namespace instead of proxy
  • fix support of authentication: none
  • fix resolution of proxy.kubernetes.image-pull-* settings for pulling Shiny app container images


Released on 27 July 2018.

Release notes

  • support to manage Shiny apps over an API (launch, shut down) for embedding Shiny apps in larger applications and websites
  • new heartbeat mechanism that no longer requires the use of iframes
  • support of OpenId Connect authentication
  • new YAML configuration to prepare for more advanced features; note that the configuration is slightly different from the 1.x.y versions
  • better container log names with the image name and time stamp


Released on 28 May 2018.

Release notes

  • support for theming and customization of the ShinyProxy landing page
  • stricter adherence to YAML for the ShinyProxy configuration in the application.yml file
  • remove 1-pixel border around Shiny app display for certain browsers
  • bug fix to make sure a query string e.g. the ?x=y from /app/myApp?x=y is passed properly to the app
  • bug fix for kubernetes backend deleting all services


Released on 25 March 2018.

Release notes

  • support to run ShinyProxy inside a container
  • support of a Kubernetes back-end
  • new property shiny.proxy.container-backend to configure container back-end
  • support of setting a custom port per app (using a new port property); this notably allows to run Dash apps inside ShinyProxy (which have 8050 as default port)
  • allow for multiple sessions per user/app combination
  • new property privileged which, if true allows to run the app containers in a privileged mode
  • search LDAP subtree instead of one level
  • improved documentation of LDAP configuration
  • Keycloak authentication will now fail if username is empty
  • removed obsolete navbar dropdown in mobile mode
  • added travis support to the repository


Released on 12 November 2017.

Release notes

  • new property shiny.docker.proxy.port-range-max allows to limit the number of ports to be used by a single ShinyProxy instance e.g. to allow multiple instances to launch docker containers on a shared Docker Swarm cluster or to limit the number of concurrent apps on a single instance
  • app-specific environment variables can be specified in the docker-env property inside the app configuration, similarly to docker-env-file
  • the logo-url property of an individual app (to display application logos on the landing page) now also support the file scheme (to be able to use local files as logos)
  • ShinyProxy no longer fails if shiny.proxy.cert-path is missing
  • improved handling of failed app starts


Released on 24 October 2017,

Release notes

  • fix security issue when using proxy urls directly
  • fix for starttls error when TLS already started
  • remove Docker dependencies from .deb to allow for deployment of Docker on separate host


Released on 13 September 2017.

Release notes

  • new environment variable SHINYPROXY_USERGROUPS is made available to the Shiny apps and contains the group memberships of the authenticated user
  • add support for LDAP with StartTLS using property shiny.proxy.ldap.starttls
  • new optional setting shiny.proxy.docker.container-protocol to configure the container protocol; if not set, it will be taken from the docker host url as specified in shiny.proxy.docker.url
  • added animated loading feedback while Shiny app (i.e. container) is launching
  • the logo-url property now also supports the file scheme (to allow for local logo files)
  • fix for influxdb usage statistics logging when username contains whitespace
  • allow JVM to exit if ShinyProxy cannot open its allocated port
  • switch from deprecated simple proxy client to load-balanced client
  • generate SHA-256 and MD5 checksums for all downloads


Release notes

  • support for reporting issues with Shiny apps run on ShinyProxy; issues are mailed to a support address (configurable via spring.mail) and have Shiny application logs in attachment (using a new container log storage service)
  • support for multiple LDAP authentication providers e.g. for different domains or forests
  • support of custom context paths via the server.contextPath setting in the application.yml file
  • add content-type to heartbeat response
  • layout fixes when hiding the navbar (hide-navbar: true) and better IE support
  • ShinyProxy deb package available for Ubuntu 16.04 LTS (and 14.04 LTS)


Release notes

  • added Docker Swarm support for scalable deployments
  • host argument in the docker configuration removed; this is now requested directly from the Docker API
  • multiple clicking on a link to a Shiny app no longer launches multiple containers
  • improved retry wait time when container-wait-time is set to a very high value to prevent unnecessarily slow startup
  • ShinyProxy rpm package available for CentOS 7 (and RHEL 7)


shinyproxy-0.9.2.jar (sha256, md5)

Release notes

  • improved removal of containers upon application shutdown


shinyproxy-0.9.1.jar (sha256, md5)

Release notes

  • make Keycloak role names case insensitive to fix Keycloak based authorization


shinyproxy-0.9.0.jar (sha256, md5)

Release notes

  • single-sign on and advanced identity and access management using a new authentication mechanism authentication: keycloak; this integrates ShinyProxy with Keycloak


shinyproxy-0.8.7.jar (sha256, md5)

Release notes

  • new option hide-navbar to hide the navigation bar; this allows for easy embedding of ShinyProxy in other web applications
  • make height shinyframe responsive such that Shiny apps resize whenever the parent window is resized
  • support social authentication using Facebook, Twitter, Google, Github or LinkedIn accounts with a new authentication option authentication: social


shinyproxy-0.8.6.jar (sha256, md5)

Release notes

  • configurable timeout value for ‘container did not respond in time’ in a new field container-wait-time with default value of 20000 (20 seconds)
  • support the equivalent of docker run --network in a new (optional) field docker-network that can be specified per Shiny app


shinyproxy-0.8.4.jar (sha256, md5)

Release notes

  • fixed mounting of Docker volumes (using docker-volumes field)
  • tracking of usage statistics now also supports MonetDB (next to InfluxDB);
  • usage-stats-db has been removed in favour of usage-stats-url: for InfluxDB use http://localhost:8086/write?db=shinyproxy_usagestats; for MonetDB use a jdbc URL e.g. jdbc:monetdb://localhost:50000/usage_stats
  • support of DB credentials for usage statistics logging with new fields usage-stats-username and usage-stats-password


shinyproxy-0.8.0.jar (sha256, md5)

Release notes

  • allow to mount volumes in the Shiny app docker containers using the new docker-volumes field in the application.yml file
  • pass arbitrary environment variables to the container using a new field docker-env-file in the application.yml file


shinyproxy-0.7.8.jar (sha256, md5)

Release notes

  • limit memory of a shiny app with a new argument docker-memory in the application.yml file
  • allow for iframe embedding of ShinyProxy


shinyproxy-0.7.5.jar (sha256, md5)

Release notes

  • new authentication mechanism authentication: simple which allows to define users inside the application.yml file
  • the setting admin-groups has moved one level up, from shiny.proxy.ldap to shiny.proxy (since groups can now also be specified inside the application.yml)
  • the setting ldap-groups under shiny.proxy.apps has been renamed to groups (to be more generic now a user can also specify groups inside the application.yml file instead of the relevant LDAP directory)
  • fix proper passing of custom information via the URL (to retrieve it in the session$clientData$url_search variable variable inside the Shiny application)


shinyproxy-0.7.0.jar (sha256, md5)

Release notes

  • allow one user to open multiple applications as requested by this issue on Github
  • optional display of logos for apps on the landing page using a new configuration field logo-url
  • fix spurious error message on Jetty ALPN support


shinyproxy-0.6.0.jar (sha256, md5)

Release notes

  • functionality to track and save usage statistics has been added; a general model has been implemented as well as a plug-in for influxDB
  • additional logging to help pinpoint networking issues (e.g. erroneous specification of docker host IP)



shinyproxy-0.5.0.jar (sha256, md5)

Release notes

  • user information accessible to the container as the SHINYPROXY_USERNAME environment variable
  • introduced Spring Profiles for managing configuration
  • fix issue with clean-up of heartbeat timestamps
  • display-name of an app now defaults to its name



shinyproxy-0.4.0.jar (sha256, md5)

Release notes

  • members of the admin user group now can access real-time usage overview at /admin
  • optional configuration of a display name and description for an app (displayed on landing page)
  • additional logging for user authentication events
  • support docker-dns option for an app



shinyproxy-0.3.0.jar (sha256, md5)

Release notes

  • a new heartbeat mechanism will shut down unused containers



shinyproxy-0.2.0.jar (sha256, md5)

Release notes

  • fast switching between apps
  • migrate to thread-safe Docker client



shinyproxy-0.1.0.jar (sha256, md5)

Release notes

  • make the proxy port (default 8080) configurable
  • allow for disabling authentication



shinyproxy-0.0.2.jar (sha256, md5)

Release notes

  • more generic authorization support
  • simple logging added to default configuration



shinyproxy-0.0.1.jar (sha256, md5)

Release notes

  • initial release