[ANNOUNCE] node-red-contrib-ui-web-push: beta version

Hi guys,
I'm at work now, so cannot follow this discussion.
But could we do this in a separate discussion, because this is way off-topic.
Otherwise users interested in web push won't be able to follow this discussion anymore ...
Thanks !!

I do not really agree. As long as you want a SECURE connection for your web-push I do believe it is relevant to this topic. And you actually covered it with the certificate path... :innocent:
But ok, I think the discussion is finished about that anyway now

Hi Bart,
at the start the question is how to make the URL accessible from outside, hence the use of Ngrok and its https link and therefore the security certificate. (with a little off topic on Ngrok and its possibilities, but I did not elaborate on it).

image
It may be a track to do at the same time:

  • make the URL of the dashboard, from outside, accessible
  • have a security certificate integrated in the Ngrok link
    To facilitate the implementation of your WEB Push.

I completely agree that this node very strongly depends on good security (thanks to the Chrome folks). And it know that this is not easy to setup, especially for non-technical users. But I would like to keep this discussion focussed on the push functionality (e.g. new features or cool stuff that you guys do with it or ...), instead of discussion how security can be setup in a very specific setup ...
Although such a discussion is VERY useful, would like to keep thinks separated ...

Its true, you are right. I love to test what you make available to people, but as a novice user of NR, I still have gaps regarding the installations, uses of contributions (especially in Beta :wink:).
There is obviously the security certificate part which is delicate to implement for novices like me and you said it. This is why we ask ourselves the question of Ngrok, who "seems" to gather everything we need.
But maybe we are wrong.

Hello Bart,
To be able to use letsencrypt as described in this post below and then forget about it afterwards is probably the best way for the user.
Keep in mind that certificates have an expiry date and must be renewed before that date or nothing works anymore.

Focus on that, I'll try to use letsencrypt to be recognized by the CAs loaded in the browsers.

I wonder if it works with Mac/Safari, which is always a little bit "different".

Yes @Paul-Reed has made a nice tutorial. But it requires that Node-RED is restarted from time to time. Therefore we are discussing a new feature for automatic certificate renewal (i.e. renew the certificates at a regular intervals while Node-RED keeps running). Hopefully we can get an agreement about it for Node-RED version 1.1.0 Fingers crossed ...
On the other hand I have created (not on Github yet) a new node to integrate Letsencrypt entirely in Node-RED. It allows you to request a new LetsEncrypt certificate fully automatically. That node already works fine, but it is not userfriendly enough. Will need to find some time to start a discussion about it first, with people that know more about the topic than me ...

1 Like

New topic???

Absolutely, but then I need to publish that node on github first, and write documenation (in order to be able to explain the problems with the node). Should be able to buy time in the time shop ..

Just for the record.
Push notifications are fine in Safari & Firefox on Mac.
Of course these must be open

1 Like

I have added it on Github, and started a discussion. But it is for die hard technicians at the moment ...

this node is fantastic, thank you so much for developing it, so we can all say goodbye to Telegram. This is obviously conceptually superior. Have you tested sending short gifs?

IMHO all the lets encrypt stuff doesn't belong in node red at all. Users should be using a web proxy that terminates SSL, manages certs, and forwards traffic to node-red. After all, probably a good chunk are using docker, so a simple Traefik container solves all these issues auto-magically. Many hundreds of thousands of services rely on traefik, so they keep it all up to date with lets-encrypt, managing dns or http challenges, and renewals, like complete magic. A bit silly to try to re-invent that wheel inside node-red, when all you'll end up with is a less secure solution anyways.

I'll set this up soon and post up my results!

1 Like

Hi, thanks for the feedback!

Do you mean sending a single image? If so, you can find an example flow on my readme page.

I'm not very convinced of that anymore, since Telegram has build native apps for all platforms. So every user can easily use those, without all the ssl setup issues...

You are absolutely right that a web proxy does the job, but we have to be aware that Node-RED is not only made for users with a massive amount of technical skills. Would have liked to have a single-node solution for less-experienced users, but I'm afraid one or two issues will prevent me from accomplishing that. Unless somebody can give me the golden tip ...

That's exactly why SSL setup should be left to something easy, automatic, and reproducible. It's trivial to provide a docker-compose example that launches node-red and traefik together.

Not only that, but it makes it easy to protect node-red with oauth instead of basic auth.

There are some very significant risks exposing the node-red port to the web with basic auth. I would call that ill-advised, at best. Encouraging users to do so is asking for trouble.

Just so you know, with a traefik proxy setup you don't have to expose the node-red port to the docker host even, and nor do you have to open ports on your firewall. You can have a node-red instance completely unavailable to the internet, and still get an SSL cert using a DNS challenge. And yes, your notifications can still go out to mobile users.

All that you say makes sense! However from experience I know that lots of the users of my nodes are hobbyists, who won't get Docker or anything like that up and running. But if you know a way for this kind of users to easily setup LetsEncrypt (both with https-01 and dns-01 challenges), don't hesitate to explain the steps in the "share your project" category on this forum! The more options we have, the better ...

2 Likes

Yes please. That would be a very useful option to have available..

3 Likes

Morning Vinistois,
wow that was fast feedback!
Will try to digest it today (when I get some time from the wife and kids), but seems to be very well explained at first sight...
Thanks a lot for sharing your knowledge on this forum!

This topic was automatically closed after 60 days. New replies are no longer allowed.