Access to the Dashboard from outside and inside your home

What is the best solution? (This is for a neophyte)

Ok, you have easily installed your Let's Encrypt certificates with the node-red-contrib-acme-client node and performed port forwarding in your router. External access is OK via https. :ok_hand:
But, you should still add a control with credentials and OTP if possible, otherwise access is immediate to the Dashboard.
The side-effect is that now I also have to enter my credentials when I'm locally at home.
So it's fine from the outside, but boring when I'm at home.
Would it be possible to have the best of both worlds?
Outside the house = identification
Inside the house = no identification
Is there a parameter in NR that would say,
if we come from the internal network (example 192.168.x.y) not to ask for identification?
Or could NR be reached via 2 URLs, one via http and the other via https ?

I can't talk about Traefik, Juniper, Netscaler and other reverse proxies, or Docker, which are not for a "normal" user, while understanding that they are more professional.
Ideas, arguments, solutions are welcome.
I also want to say that I read the various posts on this forum and articles in Github but it is still very complex for a non-specialist.

I know you want a simple solution... there is none.
This kind of stuff keeps us computer guys employed. If we went and made it too easy, how would we make a living? :stuck_out_tongue:

You could use nginx proxy server and nginx basic auth to accomplish this.
Also use UFW (linux universal firewall) to only allow local IPs access to the node-red port 1880.

If you take a look at this server build I wrote up for foundryVTT you will get the idea.
https://github.com/meeki007/FoundryVTT-Server-HowTo#Securing_Setup_Page

This is rather complicated stuff for non CLI guys.

If you want a simple solution and only intend to access your NR from a limited number of external nodes then I would highly recommend ZeroTier.

5 minute install on your phone and RPi and you are set.

Craig

@craigcurtin
Hello, Craig,
Indeed, this morning I tested this Switch Wan solution and it is very quick and easy to start up.
I could even install it on my NAS. I will look into this tool a while more.
What bothers me a bit is the fact that I am using resources external to my network.
But that's another story.
For now, I like this super simple solution to get started.
Thank you for introducing me to this.

@meeki007
That said, I will also try to install a nginx proxy server.
Which seems less simple to approach, but which does not expose my resources to ZeroTier. There is work in perspective for my not-so-young neurons. :face_with_monocle:

Thank you for your comments and recommendations

If you are worried about using an external service you can download and install your own ZeroTier master node. You could then have a cheap VPS solution ($5/month) and host it on there; you would then not be reliant on the cloud provider at all.

Craig


This ZeroTier is really efficient for exporting one's network all over the world!

However certificates that are necessary for other functions (web-push for example) can't work anymore because the certificate embedded by the web server doesn't have the right name and so the browser refuses it.
Not easy to have everything under the same roof.

Well I started by following the tutorial, and all of a sudden I have to go to a site and pay immediately to get the link to download the software.
It's a bit brutal since I've never seen this software working before. That's the end of my experience.

The link is just an example of how to protect a server. In that case it is the VPS linked to that is running the server. In your case you already have the server (node-red) so you don't need another server. Read and understand the linked post. When you have understood it then you will know one way of protecting your node-red.


Look at Real VNC. Free and easy to use (up to 5 devices), secure. Allows access to your designated device from anywhere in the world where you have internet ... via PC, cell phone, tablet, etc. Set up an account on the Real VNC site, install the server app into the device you wish to access and the viewer app into the device(s) you use to access the server device ... and make them all connected via your Real VNC account. Real VNC.

Even though your devices are all registered in your Real VNC website account (which is no security issue really), all that does is provide a way for the VNC viewer app(s) to find the VNC server(s) across the internet. Once you access your server device you still must enter credentials for access.

I've been using this for years and find it easy to set up and so simple to use.

Thank you for all your remarks and for this proposal,
I am indeed familiar with VNC. Also playing around with ZeroTier. It would just need a special DNS to manage these new IP addresses assigned to each device by ZeroTier. Otherwise very good tool.

But my original question is this.
Can there be 2 URLs in NR, one used with Certificates, SSL, TLS, etc... for secure external access and the other one, internally without all this security?

One way to do that is to use something like nginx to provide the secure proxy layer in front of the internal network.

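As an added example (not from this thread, and not the Node-RED or nginx projects' own configuration), here is what the nginx answer above looks like when it also covers the earlier "outside = identification, inside = no identification" question and the "nginx basic auth plus firewall" suggestion. Node-RED itself only listens on one port, so the split is done in the proxy: `satisfy any` lets a request through if either the client address matches the LAN range or the client presents valid credentials. The hostname, the certificate paths, the `192.168.1.0/24` range and Node-RED on `127.0.0.1:1880` are assumptions.

```nginx
# Added example, not taken from the thread: nginx in front of Node-RED,
# one hostname, no login from the LAN, HTTP basic auth from anywhere else.
# Assumptions: Node-RED listens on 127.0.0.1:1880, the home LAN is
# 192.168.1.0/24, the Let's Encrypt files live under /etc/letsencrypt.

server {
    listen 80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;   # never serve the Dashboard over plain HTTP
}

server {
    listen 443 ssl;
    server_name nodered.example.com;

    ssl_certificate     /etc/letsencrypt/live/nodered.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nodered.example.com/privkey.pem;

    location / {
        # "satisfy any": the request passes if EITHER the address check
        # OR the credential check succeeds (default is "all" = both).
        satisfy any;

        allow 192.168.1.0/24;        # home LAN: no prompt
        allow 127.0.0.1;             # the proxy host itself
        deny  all;                   # everybody else must log in

        auth_basic           "Node-RED";
        auth_basic_user_file /etc/nginx/.htpasswd;   # created with htpasswd -B

        proxy_pass http://127.0.0.1:1880;

        # The Dashboard and the editor use WebSockets; without these two
        # headers the page loads but live updates never arrive.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check after putting this in place. First, port 1880 must not be reachable except through nginx, otherwise the `allow`/`deny` is decoration: either set `uiHost: "127.0.0.1"` in Node-RED's `settings.js` so it only binds to loopback, or keep the bind as is and add the UFW rules from the earlier reply (`ufw allow from 192.168.1.0/24 to any port 1880` followed by `ufw deny 1880`). Second, if your router "hairpins" LAN clients that browse to the public name, nginx sees your WAN address rather than `192.168.1.x` and will prompt for a password at home too; a local DNS entry that resolves `nodered.example.com` to the proxy's LAN address avoids that. Basic auth here is a single factor; it is what the earlier reply proposed, not the OTP asked for.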

Nginx is great!
I was able to interface all my internal web services via this reverse proxy with a letsencrypt certificate and alternating names.
Now, how to install an OTP to make the access totally secure. We're a little far from NR on this one. But if you still have some good ideas or suggestions... :sunglasses: welcome...

Not using Nginx, but Traefik - try this

Craig

I quickly read this configuration. I immediately ask myself a question, can this Google OAuth work without a connection to Google?
Is it in charge of managing the OTP?
Can it be replaced by something independent of the GAFAM.
I use as standard the FreeOTP+ application, can it be used with Traefik?

As you will have understood, I wish to remain independent of outsourced solutions. No data in the cloud.

This solution is attractive, docker, all in one, there's just this Google word...:thinking:

Can you tell me more before I dive into this for a few days?

Craig, Thanks for pointing that one out to me.

Jean-Luc

I understand that Authelia can be associated with nginx to do the work of dual authentication.
Something to dig into on this side, since I already have nginx working now.
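An added example (not from this thread and not the Authelia project's own documentation) of the nginx side of the Authelia pairing mentioned just above. nginx runs an `auth_request` sub-request against Authelia for every request to Node-RED; Authelia reads its session cookie and answers 200 when the user already passed password plus TOTP for this domain, 401 otherwise, and nginx then redirects the browser to the Authelia portal. Authelia on `127.0.0.1:9091`, the portal at `https://auth.example.com`, Node-RED on `127.0.0.1:1880` and the `/api/verify` path are assumptions; check the verify path against the Authelia version you install.

```nginx
# Added example, not from the thread or from the Authelia project.
# Assumptions: Authelia listens on 127.0.0.1:9091 and its login portal is
# served at https://auth.example.com; Node-RED is on 127.0.0.1:1880.

server {
    listen 443 ssl;
    server_name nodered.example.com;
    ssl_certificate     /etc/letsencrypt/live/nodered.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nodered.example.com/privkey.pem;

    # Internal sub-request only (a browser cannot call it directly).
    # Authelia inspects the session cookie and answers 200 if this user has
    # completed password + TOTP for this domain, 401 if not.
    location /authelia {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;
        proxy_pass_request_body off;             # only headers matter here
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL     $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        auth_request /authelia;                  # run the check above first
        auth_request_set $target_url $scheme://$http_host$request_uri;
        # No valid session: send the browser to the portal, which returns it to
        # the original URL (rd=) once the second factor has been entered.
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        proxy_pass http://127.0.0.1:1880;
        proxy_http_version 1.1;                  # WebSockets for the Dashboard
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
    }
}
```

On the Authelia side, an `access_control` rule for `nodered.example.com` with `policy: two_factor` makes the second factor mandatory; a preceding rule for the same domain with a `networks` list of your LAN range and `policy: bypass` keeps the inside/outside split discussed earlier in the thread. Authelia's second factor is standard TOTP, so enrolling with FreeOTP+ works like any other authenticator app, and nothing leaves your network for the check.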

Google OAuth cannot work without a connection to Google. However that is just the particular authentication technique used in the example. You can use whatever authentication technique you like.
