Accessing node-RED using local IP

Is this expected behaviour?

Running script installed node-RED on a Raspberry Pi, and serving a public page via HTTPS using LetsEncrypt certificates.

When I'm generally working in node-RED, I access NR by https://mydomain.co.uk:8443, but if I access via its local IP address instead - http://192.168.0.8:8443, the browser responds:

This page isn’t working
192.168.0.8 didn’t send any data.
ERR_EMPTY_RESPONSE

However, if I use the URL https://192.168.0.8:8443 it does connect OK, albeit with the browser complaining that the certificate is not valid, which is understandable because the certificate was issued for the domain name, and not an IP address.

In node-RED settings I have requireHttps: false, so I expected that I would be able to connect using http://192.168.0.8:8443 ??

HTTP and HTTPS use two different ports, 80 and 443 respectively.

Do you have a proxy set up, or are you using the Node-RED settings for SSL?

External traffic is accessed via Cloudflare using full (strict) end to end encryption proxy.
But I am using node-RED to set up SSL. The certificates are stored in .node-red/certs and are loaded in the settings.js file.

Try accessing the http address with port 8080 instead of 8443. 8443 is reserved for HTTPS and won’t autoforward your HTTP to 8080 without a proxy.

In the commented out section of the settings.js file

  // The following property can be used to cause insecure HTTP connections to
  // be redirected to HTTPS.
  //requireHttps: true,

I don't know if this setting is deprecated, but what I understand from the comment is that
if requireHttps is set to true and you try to visit http://192.168.0.8:8443 and you have HTTPS enabled, you should be redirected to the secure https://192.168.0.8:8443.

I don't think that it keeps any other ports open. The port is whatever port you defined in
uiPort: process.env.PORT || 1880,

If requireHttps is false, as it is in your case, then it's not going to redirect.

P.S. It's not mentioned in the docs. Possibly it doesn't apply to new versions of NR.

Yes, that's my understanding, but is this normal that node-RED installations using SSL, cannot make a connection on their local network without prefixing the local IP address with https (which then in turn upsets the browser because the certificate was not issued to an IP address)?

So we put Cloudflare to the side.
If you set up Node-RED to be secure then it's the only way to connect, no?
Which you said you can, with https://192.168.0.8:8443 (local).
Sorry, I didn't understand what you expected to happen :wink:
You wanted to just type the IP and the port without prefixing https, and it knows that it's secure and goes there?
Interesting question... it happens on my system too
(possibly that's why that redirect setting was there in the first place).

I'm pretty new to this security stuff... I'm interested to know also.

It seems something else is going on here, maybe on the Cloudflare side since it is accessible through the standard 8443 (HTTPS) port. If access via HTTPS is available on 8443 then HTTP should be accessible via 8080 unless there is another process redirecting / blocking traffic.

I'm not sure how Node-Red is handling the SSL cert, maybe a middleware which directs traffic?

Paul, considering your requirements, I think a proxy like nginx or haproxy would better suit your needs.

You'd set up Node-RED as default (HTTP) and use the proxy as a gateway (HTTPS on the WAN side, HTTP on the LAN side).

That way, when you are on the LAN side, you can connect to the LAN IP on HTTP or the WAN domain name on HTTPS.

3 Likes
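The gateway layout described in the post above, sketched as an nginx server block. This is an added example, not configuration posted by anyone in the thread. It assumes nginx runs on the same Pi, that the `https` block has been removed from Node-RED's settings.js so Node-RED serves plain HTTP on uiPort 1880, and that the LetsEncrypt files are in certbot's default /etc/letsencrypt/live/ location.

```nginx
# Added example: TLS terminates at nginx, Node-RED itself stays on plain HTTP.
# Assumed: Node-RED on 127.0.0.1:1880, certbot default certificate paths.

server {
    # WAN side: Cloudflare (full strict) and anything using the domain name
    # connects here over HTTPS.
    listen 8443 ssl;
    server_name mydomain.co.uk;

    ssl_certificate     /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.co.uk/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # A plain http:// request sent to this TLS port is the case that produced
    # ERR_EMPTY_RESPONSE in the question. nginx flags it with its internal
    # status 497, which can be turned into a redirect to https:// on the
    # same host and port instead of a dropped connection.
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        proxy_pass http://127.0.0.1:1880;
        proxy_http_version 1.1;

        # Tell Node-RED which host and scheme the client actually used.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # The Node-RED editor and dashboard use WebSockets; without these
        # two headers the editor loads but reports a lost connection.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# LAN side: browsers on the local network reach Node-RED directly at
# http://192.168.0.8:1880, with no certificate warning because no TLS is
# involved. That traffic, adminAuth logins included, is unencrypted, so only
# 8443 should be forwarded on the router, never 1880.
```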

Thanks Steve
I'm going to rebuild the system in the near future, so that's something that I'll read into, and try & implement.

Some great info in this post...

3 Likes

Paul,
Indeed, like Steve said, a proxy is better and much more secure.
But if - for some reason - you don't have that yet, you can cheat a bit, like I do:

  • First I had added the mapping from myDomain to myRaspberryIp in the hosts file of my Windows portable (in order to be able to experiment with Letsencrypt). But then it only worked on that computer.
  • Later on I had moved my mapping to the DNS Resolver section of my router. So now it works fine for all devices (Android, Windows, ...): they all connect to Node-RED via https with Letsencrypt certificates within my LAN...

So you navigate within your LAN to myDomain, but you will be redirected to your Raspberry. However, since your browser has navigated to myDomain, it will receive a LetsEncrypt certificate that matches myDomain. Which means your browser will not complain anymore...

Bart

1 Like

Thanks @Steve-Mcl @meeki007
I think that guide was specifically written for Ubuntu, so may not strictly apply for a Pi.
It may however help guide me in the right direction.

It should work for Pi as well, as it's a Debian-based distro, but not the section on automatic_increasing_ban_times, as this was part of the new fail2ban package for 20.04.

Also, for the section on getting your password hash, adminAuth_user_password, you can now just use the command in the terminal

$ node-red admin hash-pw yourPasswordhere

no need to use the bcryptjs node anymore

Good luck m8

1 Like
