Running script installed node-RED on a Raspberry Pi, and serving a public page via HTTPS using LetsEncrypt certificates.
When I'm generally working in node-RED, I access NR by https://mydomain.co.uk:8443, but if I access via its local IP address instead - http://192.168.0.8:8443, the browser responds:
This page isn’t working
192.168.0.8 didn’t send any data.
ERR_EMPTY_RESPONSE
However, if I use the url - https://192.168.0.8:8443 it does connect OK, albeit the browser complaining that the certificate is not valid, which is understandable because the certificate was issued for the domain name, and not an IP address.
In node-RED settings I have requireHttps: false, so I expected that I would be able to connect using http://192.168.0.8:8443 ??
External traffic is accessed via Cloudflare using full (strict) end to end encryption proxy.
But I am using node-RED to set up SSL. The certificates are stored in .node-red/certs and are loaded in the settings.js file.
In the commented out section of the settings.js file
// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
//requireHttps: true,
I don't know if this setting is deprecated, but what I understand from the comment is that
if requireHttps is set to true and you try to visit http://192.168.0.8:8443 and you have https enabled, you should be redirected to the secure https://192.168.0.8:8443.
I don't think that it keeps any other ports open .. the port is whatever port you defined in uiPort: process.env.PORT || 1880,
if requireHttps is false, as it is in your case, then it's not going to redirect
P.S. it's not mentioned in the docs .. possibly it doesn't apply for new versions of NR
Yes, that's my understanding, but is this normal that node-RED installations using SSL, cannot make a connection on their local network without prefixing the local IP address with https (which then in turn upsets the browser because the certificate was not issued to an IP address)?
so we put Cloudflare to the side
if you set up Node-red to be secure then it's the only way to connect, no?
which you said you can with https://192.168.0.8:8443 (local)
sorry, I didn't understand what you expected to happen
you wanted to just type the IP and the port without prefixing https and it knows that it's secure and goes there?
interesting question .. happens to my system too
(possibly that's why that redirect setting was there in the first place)
I'm pretty new to this security stuff .. I'm interested to know also
It seems something else is going on here, maybe on the Cloudflare side since it is accessible through the standard 8443 (HTTPS) port. If access via HTTPS is available on 8443 then HTTP should be accessible via 8080 unless there is another process redirecting / blocking traffic.
I'm not sure how Node-Red is handling the SSL cert, maybe a middleware which directs traffic?
Paul,
Indeed, like Steve said, a proxy is better and much more secure.
But if - for some reason you don't have that yet - you can cheat a bit, like I do:
First I had added the mapping from myDomain to myRaspberryIp in the hosts file of my Windows portable (in order to be able to experiment with Letsencrypt). But then it only worked on that computer.
Later on I had moved that mapping to the DNS Resolver section of my router. So now it works fine for all devices (Android, Windows, ...): they all connect to Node-RED via https with Letsencrypt certificates within my LAN...
So you navigate within your LAN to myDomain, but you will be redirected to your Raspberry. However, since your browser has navigated to myDomain, it will receive a LetsEncrypt certificate that matches myDomain. Which means your browser will not complain anymore...
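As an added illustration (not code from any poster in this thread or from Node-RED), the sketch below models the three URLs discussed above against a listener that speaks only TLS on port 8443: plain HTTP bytes are not a TLS handshake, and the certificate name is checked against the host typed into the browser, which is why a LAN DNS override for the domain avoids the warning. The certificate fields and byte strings are constructed; `tls.checkServerIdentity` is Node.js's own hostname check.

```javascript
// Added example; the certificate fields and byte strings below are constructed.
const tls = require('tls');

// Fields a certificate issued for the domain only would expose to Node's
// hostname check (same shape as tls.TLSSocket#getPeerCertificate()).
const CERT = { subject: { CN: 'mydomain.co.uk' }, subjectaltname: 'DNS:mydomain.co.uk' };

// First bytes a client puts on the wire for a given URL scheme.
function firstBytesFor(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') {
    // TLS record header: type 0x16 (handshake), version 3.1, length 512,
    // followed by the first byte of a ClientHello (0x01).
    return Buffer.from([0x16, 0x03, 0x01, 0x02, 0x00, 0x01]);
  }
  return Buffer.from(`GET ${u.pathname} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`, 'latin1');
}

// What a listener sees when it inspects those first bytes.
function sniff(buf) {
  if (buf.length >= 5 && buf[0] === 0x16 && buf[1] === 0x03) {
    return { protocol: 'tls', recordLength: buf.readUInt16BE(3) };
  }
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]\r\n/.exec(buf.toString('latin1'));
  return m ? { protocol: 'http', method: m[1], target: m[2] } : { protocol: 'unknown' };
}

// Outcome for a URL against a listener that speaks only TLS on that port.
function outcome(url, cert = CERT) {
  const seen = sniff(firstBytesFor(url));
  if (seen.protocol !== 'tls') {
    // The handshake parser rejects the plaintext request and the socket is
    // closed without any HTTP response being sent.
    return { connected: false, reason: `listener expected TLS, got ${seen.protocol}` };
  }
  // The name is checked against what was typed, not the address it resolves to.
  const err = tls.checkServerIdentity(new URL(url).hostname, cert);
  return err ? { connected: true, trusted: false, reason: err.code }
             : { connected: true, trusted: true };
}

for (const url of ['http://192.168.0.8:8443/', 'https://192.168.0.8:8443/',
                   'https://mydomain.co.uk:8443/']) {
  console.log(url, JSON.stringify(outcome(url)));
}
```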
Thanks @Steve-Mcl @meeki007
I think that guide was specifically written for Ubuntu, so may not strictly apply for a Pi.
It may however help guide me in the right direction.
It should work for Pi as well, as it's a Debian-based distro, but not the section on automatic_increasing_ban_times as this was part of the new fail to ban package for 20.04
Also for getting your password hash section adminAuth_user_password as you can now just use the command in terminal