Access Node-RED from the Internet securely using NGROK

Hi @TotallyInformation,

I think I should ask this question directly to you for obvious reasons, but of course it could be of general interest.

I am experimenting with NGROK + Telegram based on your flow:

https://flows.nodered.org/flow/a18b3c0fdc96f08904741eecb7a2293c

It is all good except for this particular setup:

1 - Node-RED - not using HTTPS
2 - adminAuth configured in settings.js file

Because of #1 I am using the command below to trigger the ngrok tunnel.

ngrok http http://localhost:1880 -auth="aaa:ppp" -region=sa

What is the issue:

Ngrok creates the tunnel as expected. When I try to reach Node-RED from the tunnel I am asked for the ngrok user/password and seconds later I get the Node-RED login screen. So far so good.

When I enter the username/password for Node-RED I get the popup asking me to enter the ngrok login again. No matter how many times I re-enter the login I keep being asked to enter it again.

I guess ngrok is trying to get SSL certificates, which I do not have installed (as the login screen warns: this connection is not private). Is this assumption correct?

I got it working well in another setup where adminAuth is not configured, but this is a configuration that is not ideal as I want to restrict access to the Node-RED editor.

Do you think there is a way to get it working without using https in Node-RED (even if this is also not ideal)? My limited knowledge of security and SSL / HTTP makes me wonder if I am doing something wrong in trying this setup.

Well, let's start with security. You REALLY don't want to be running NGROK without HTTPS, and you should note that by doing so, you may have compromised your id/pw because that is now recorded in any number of intermediary caches.

ngrok http http://localhost:1880 -bind-tls=true -auth='id:pw' -region=sa

Is, I think, what you want. That should still create an https link for use at the remote end but binds to the non-https Node-RED locally. The -bind-tls part tells NGROK not to create the http link, only the https one.

You don't really need the https on Node-RED itself as long as you are only allowing direct access to it from localhost. If NGROK is the only external access, just let it take care of the security for you.

For the rest, I suspect that the issue is because both connections are trying to use basic authentication and the NGROK one is taking precedence. Not sure that there is any fix for that other than using a different authentication method (or none) for Node-RED. If it is just you accessing Node-RED, I'd say take the Editor auth off. But if you do that, make sure that you force https for NGROK and use a strong passcode.

1 Like

The explanation above makes it clear to me. This is what I was expecting ngrok to do.

I fully agree with you on the importance of security. What I am doing is just experimenting on my own environment, using disposable passwords in tunnels that live no more than two minutes.

I will keep investigating though what would be a perfect scenario for a future use case where I want a group of users accessing the dashboard but not the editor. I want to have occasional access for remote support, in which case I need to open the editor.

Did you ever try to use your telegram-ngrok flow in a Node-RED setup configured with adminAuth? I cannot imagine this is not possible. I am pretty sure I am making some mistake. Just need to uncover it.

Huge thanks indeed!

Don't think I would want to use NGROK for that, at least not the free service anyway. To be honest, if you need a multi-user setup like that, I would do it properly with a reverse proxy and be done with it. It will perform better and be more secure. NGROK is great for one-off use though.

No, I have no need for that. Again, if I were serious about securing the Editor, I would use a reverse proxy and let the proxy do the authentication.

My write-up of NGROK was prompted because I kept seeing people recommending a setup that was insecure. I don't actually have any real need for it myself. My HA system is pretty rock-solid and doesn't need intervention, and even if it fails, it has very little impact. The worst that has ever happened is the need to restart a Pi.

I have enough control of lighting and heating from Telegram alone.

1 Like
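An added example (not from the thread, and not part of TotallyInformation's flow) of the reverse-proxy setup suggested above: NGINX terminates HTTPS and does the authentication, with one account list for dashboard users and a separate one for the editor, so ngrok and adminAuth are no longer stacked on top of each other. It assumes Node-RED is bound to localhost only (uiHost: '127.0.0.1' in settings.js), adminAuth is left off so there is a single authentication layer, the dashboard lives at the default /ui path, and the hostname, certificate and htpasswd paths are placeholders.

```nginx
# Added example, not the thread's own configuration. Placeholders: hostname,
# certificate paths, htpasswd files. Node-RED listens on 127.0.0.1:1880 only
# (uiHost: '127.0.0.1' in settings.js) with adminAuth disabled, so NGINX is
# the single authentication layer in front of it.

# Plain HTTP only redirects to HTTPS, so no credentials travel unencrypted.
server {
    listen 80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nodered.example.com;

    ssl_certificate     /etc/ssl/certs/nodered.example.com.pem;
    ssl_certificate_key /etc/ssl/private/nodered.example.com.key;

    # Inherited by both locations below. HTTP/1.1 plus the Upgrade headers are
    # required because the editor (/comms) and the dashboard (/ui/socket.io)
    # both use websockets.
    proxy_http_version 1.1;
    proxy_set_header Upgrade          $http_upgrade;
    proxy_set_header Connection       "upgrade";
    proxy_set_header Host             $host;
    proxy_set_header X-Forwarded-For  $remote_addr;

    # Dashboard users: accounts in dashboard.htpasswd can reach /ui only.
    location /ui/ {
        auth_basic           "Node-RED dashboard";
        auth_basic_user_file /etc/nginx/dashboard.htpasswd;
        proxy_pass http://127.0.0.1:1880;
    }

    # Everything else (editor, admin API, /comms, any HTTP In endpoints) needs
    # a support account. While remote support is not needed, replace the
    # proxy_pass line with "return 403;" to keep the editor unreachable.
    location / {
        auth_basic           "Node-RED editor";
        auth_basic_user_file /etc/nginx/editor.htpasswd;
        proxy_pass http://127.0.0.1:1880;
    }
}

# Account files are created with, e.g.:
#   htpasswd -c /etc/nginx/dashboard.htpasswd alice
#   htpasswd -c /etc/nginx/editor.htpasswd support
```

Because the proxy is the only listener exposed to the network, the Node-RED process itself can stay on plain HTTP exactly as the reply above describes for the ngrok case.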

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.