Access remote NR instance behind firewall with proxy server?

Hopefully this isn't a silly question, but for work I use an electrical meter called an egauge to log data for research projects and it has an easy configuration interface via a web browser.

What I think is really slick is that the manufacturer has a proxy server where I can set up this device in a building, then connect the egauge device to the proxy server, where I can then view the same configuration page I used to set up the device (as well as retrieve data). This is really slick, not having to set up a VPN or get the client's IT staff involved to set up special firewall rules/port forwarding...

Is there anything like this for Node Red? Could someone ever develop this proxy server like egauge has? If so what would that look like as far as how the proxy server would work relaying information back and forth???

This is the closest thing I found, but it's more of a networking approach, I think, to access your remote Node Red instance:

Thanks for any tips for different options browsing into a remote Node Red instance that could be miles and miles away and behind a firewall..

You can't do this without thinking about the network, not just the proxy. But the approach taken could indeed be reused for Node-RED as it is certainly a generic approach.

A lot depends though on where the proxy is set up and how it is configured. It is all too easy to create something that APPEARS to be secure but really isn't.

So the main question is - where would you set up the proxy? It needs to be somewhere that is, itself, secure. You then still need to create a secure connection from the proxy to all of the Node-RED instances.

None of this is massively hard but it does need to be done with care and tested well. I would strongly recommend getting professional help and it would absolutely need specialist security testing.

But in principle, the concept is to create the proxy somewhere secure. Using something like NGINX or Caddy as a proxy would be fine as would HAproxy. Apache web server also works but is rather resource hungry by comparison.

Then you need a well protected route between the proxy and the node-red server. This either needs to be protected with a VPN or at least with a secure HTTPS connection. If using HTTPS, you will want to make sure that the connection is well secured and that the Node-RED instance ONLY accepts connections from the proxy and nowhere else. You can also configure Node-RED to trust proxy headers - when doing so, it is best to restrict that to the specific proxy servers.

If using a VPN, remember that ALL inter-connected networks on the VPN are only as secure as the weakest link. Meaning that if you extend the VPN to a weakly protected laptop for example, you are asking for trouble.

A proxy can, and often should, be used to provide any authentication and perhaps authorisation services as this is often easier to manage and better battle-tested than doing those things within Node-RED. It may also be easier if connecting your IDAM to an enterprise SSO service. Doing that from within Node-RED would likely be complex and may not be a well tested option.

Here are a few more references that may help you:

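The two rules from the reply above (accept connections only from the proxy, and trust proxy headers only from specific proxies), as an added example that is not part of the original thread and is not Node-RED's own code. The function names, the allowlist and all addresses are assumptions constructed for illustration; in Node.js the peer address would come from `req.socket.remoteAddress`.

```javascript
// Added example, not code from the thread. All addresses are constructed
// (RFC 5737 documentation ranges); TRUSTED_PROXIES is a hypothetical allowlist.
const TRUSTED_PROXIES = new Set(['203.0.113.10']);

// Dual-stack Node.js sockets report IPv4 peers as "::ffff:a.b.c.d".
function normalizeIp(addr) {
  const a = String(addr || '').trim().toLowerCase();
  return a.startsWith('::ffff:') && a.includes('.') ? a.slice(7) : a;
}

// peerAddr: TCP peer address of the connection.
// headers: request headers with lower-cased names, as Node.js provides them.
function evaluateRequest(peerAddr, headers, trusted = TRUSTED_PROXIES) {
  const peer = normalizeIp(peerAddr);
  // Rule 1: only the proxy may connect at all. A direct connection is
  // refused and any forwarded header it carries is ignored.
  if (!trusted.has(peer)) {
    return { allow: false, clientIp: peer, reason: 'peer is not the proxy' };
  }
  // Rule 2: forwarded headers are believed only because rule 1 passed.
  // Walk X-Forwarded-For right to left and stop at the first hop that is
  // not a trusted proxy: that is the address the proxy itself saw.
  // Entries further left were supplied by the client and can be forged.
  const hops = String(headers['x-forwarded-for'] || '')
    .split(',').map(normalizeIp).filter(Boolean);
  let clientIp = peer;
  for (let i = hops.length - 1; i >= 0; i--) {
    clientIp = hops[i];
    if (!trusted.has(hops[i])) break;
  }
  return { allow: true, clientIp, reason: 'ok' };
}

// Constructed sample requests: via the proxy, direct with a spoofed header,
// and via the proxy with a forged left-most X-Forwarded-For entry.
const samples = [
  ['::ffff:203.0.113.10', { 'x-forwarded-for': '198.51.100.7' }],
  ['192.0.2.55', { 'x-forwarded-for': '127.0.0.1' }],
  ['203.0.113.10', { 'x-forwarded-for': '10.0.0.1, 198.51.100.7' }],
];
for (const [peer, headers] of samples) {
  console.log(peer, JSON.stringify(evaluateRequest(peer, headers)));
}
```

The same allowlist should also be enforced below the application, for example in a host firewall rule on the Node-RED machine, so that a non-proxy peer never reaches the HTTP listener.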