4 x Node-RED Docker containers with Nginx reverse proxy - help

#1

I have recently installed Docker on my Raspberry Pi 3 B+. I am trying to set up Nginx as a reverse proxy for 4 Node-RED containers. The containers are at localhost:8880, 8881, 8882 and 8883. It is very easy to set up Nginx to map one of these ports to localhost:80 but I want to map them as localhost/nodered0, localhost/nodered1, localhost/nodered2 and localhost/nodred3. After much googling I have modified the /etc/nginx/sites-enabled/default file as follows:

indent preformatted text by 4 spaces    
location /nodered0 {
        rewrite ^/nodered0(.*) /$1 break;
        proxy_pass http://127.0.0.1:8880;
}

location /nodered1 {
        rewrite ^/nodered1(.*) /$1 break;
        proxy_pass http://127.0.0.1:8881;
}

location /nodered2 {
        rewrite ^/nodered2(.*) /$1 break;
        proxy_pass http://127.0.0.1:8882;
}

location /nodered3 {
        rewrite ^/nodered3(.*) /$1 break;
        proxy_pass http://127.0.0.1:8883;
}

No love - the pages only load partially, however, they load fine if accessed directly at say 127.0.0.1:8880. This is almost certainly not a problem with Node-RED also I understand that exposing Node-RED on port 80 is dangerous and yet I must try.

0 Likes

#2

2 things. Firstly, you haven't proxied the websockets so you need to do that.

Secondly, it isn't that exposing port 80 is the problem really. Assuming that you are exposing your system to the Internet, it is not securing everything that is the problem. Firstly, you need to set up NGINX to use Let's Encrypt or some similar certificate supplier. Then you need to restrict all access to use https and wss (the websockets) and not allow http or ws. When you have that sorted, you will need to add user login to at least your admin ui.

0 Likes

#3

Julian is correct -- I've been using Nginx in front of several node-red instances for a long time and it works very well. Here is an excerpt of how I configured different url "root paths" to be proxied to the backend servers for both http and websocket connections:

        location /logs/ {
            proxy_pass http://localhost:18818/logs/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
        }

The Nginx server only allows https connections, and has the appropriate certificates installed -- you may have noticed that the http://localhost backend connection is NOT using ssl. The is another nice feature of this setup, since I don't have to add certs to each of the node-red installs. Hope this helps...

1 Like

#4

Thanks Julian - you are correct about security with Steve's example websockets are now proxied. I am now able to access the editors and dashboards of two node-red instances.

indent preformatted text by 4 spaces
location /ui0/ {
    proxy_pass http://localhost:8880/ui/; 
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
}

location /edit0/ {
    proxy_pass http://localhost:8880/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;

location /ui1/ {
    proxy_pass http://localhost:8881/ui/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
}

location /edit1/ {
    proxy_pass http://localhost:8881/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
}

Thanks very much.

I'm now testing an ngrok https tunnel. Is this connection secure enough on its own or should more security be implemented?

1 Like

#5

Yes, NGROK is as secure as the vendor who runs it - and they do seem reasonably reliable as far as I can tell. It is one of several remote proxy services that let you do similar things and has probably been around the longest.

Another alternative - though more intrusive - is to run a VPN.

One final tweak if you do expose Node-RED to the Internet. Use a firewall configured to only allow connections from Cloudflare and then use Cloudflare to front your end points using their SSL proxy service. This gives a whole additional level of protection as well as some analytics so you can see how many people are using and abusing your end points.

0 Likes

#6

Excellent advise, much appreciated.
Cheers.

0 Likes