I currently have Node-RED serving two pages for a control system. The first page was built using node-red-dashboard nodes and requires HTTP authentication to access. The second page, a simple display of values from the system, uses node-red-contrib-uibuilder and does not require any authentication. However, I have not found a way to disable or bypass HTTP authentication on just the uibuilder page.
Is there a way to require authentication for the dashboard page, but not the uibuilder page? I tried to get tricky and set the uibuilder resources in the httpstatic folder without any httpstatic authentication, but it still prompts for credentials. Anything else I can try?
The simplest is to put uibuilder onto its own ExpressJS instance. You can do that in your settings.js as in this example:

    /** Custom settings for all uibuilder node instances */
    uibuilder: {
        /** Optional HTTP PORT.
         * If set and different to Node-RED's uiPort, uibuilder will create
         * a separate webserver for its own use.
         */
        port: process.env.UIBPORT || 3001,

        /** Optional: Change location of uibRoot
         * If set, instead of something like `~/.node-red/uibuilder`, the uibRoot folder can be anywhere you like.
         */
        uibRoot: process.env.UIBROOT || '/src/uibRoot', //path.join(os.homedir(), 'myuibroot'),
        // For project-specific uibuilder folders:
        // uibRoot: path.join(os.homedir(), '.node-red', 'projects', 'uibuilder')

        /** Only used if a custom ExpressJS server in use (see port above)
         * Optional: Default will be the same as Node-RED. @type {('http'|'https')}
         */
        customType: 'http',

        /** Only required if type is https, http2. Defines the cert & key. See Node-RED https settings for more details.
         * If not defined, will use Node-RED's https properties.
         * @type {Object<Buffer,Buffer>}
         */
        // https: {
        //     key: 'keyname.key',
        //     cert: 'fullchain.cer'
        // },

        /** Optional: Custom ExpressJS server options
         * Only required if using a custom webserver (see port setting above).
         * For a full list of available options, refer to http://expressjs.com/en/api.html#app.settings.table
         */
        serverOptions: {
            // http://expressjs.com/en/api.html#trust.proxy.options.table
            'trust proxy': true, // true/false; or subnet(s) to trust; or custom function returning true/false. default=false

            /** Optional view engine - the engine must be installed into your userDir (e.g. where this file lives)
             * If set as shown, ExpressJS will translate source files ending in .ejs to HTML.
             * See https://expressjs.com/en/guide/using-template-engines.html for details.
             */
            'view engine': 'ejs',
            // Optional global settings for view engine
            'view options': {},

            // Custom properties: can be used as vars in view templates
            'footon': 'bar stool',
        },

        /** Optional: Socket.IO Server options
         * See https://socket.io/docs/v4/server-options/
         * Note that the `path` property will be ignored, it is set by uibuilder itself.
         * You can set anything else though you might break uibuilder unless you know what you are doing.
         * @type {Object}
         */
        // socketOptions: {
        //     // Make the default buffer larger (default=1MB)
        //     maxHttpBufferSize: 1e8 // 100 MB
        // },

        /** Controls whether the uibuilder instance API feature is enabled
         * Off by default since uncontrolled instance api's are a security and
         * operational risk. Use with caution. See Tech Docs for details.
         */
        instanceApiAllowed: true,
    },

Now your uibuilder pages will use http://localhost:3001 instead of 1880. You can set ExpressJS however you like and it won't impact the rest of Node-RED or the Dashboard.
If you want to hide the workings from users, you can put node-red behind a reverse proxy. A reverse proxy is also the other way to have different security settings for different endpoints in Node-RED without having to make changes to the Node-RED default config.
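
An added example, not part of the original answer or of uibuilder's own code: a small check of what a settings object like the one above leaves outside authentication, assuming the Dashboard's credential prompt comes from Node-RED's `httpNodeAuth` setting. The helper name `auditExposure` and both sample objects are constructed for illustration.

```javascript
// Added example, not uibuilder or Node-RED code. auditExposure() is a
// hypothetical helper; the sample settings objects below are constructed.
function auditExposure(settings) {
  const uiPort = Number(settings.uiPort || 1880);
  const uib = settings.uibuilder || {};
  const uibPort = Number(uib.port || uiPort); // env vars arrive as strings
  const separate = uibPort !== uiPort;        // own webserver only if the ports differ
  const nodeAuth = Boolean(settings.httpNodeAuth);
  const findings = [];
  if (!separate && nodeAuth) {
    findings.push(`uibuilder shares port ${uiPort} with the Dashboard, so httpNodeAuth prompts on it too`);
  }
  if (separate) {
    findings.push(`port ${uibPort} is a separate webserver: httpNodeAuth no longer covers uibuilder pages`);
    if (uib.instanceApiAllowed === true) {
      findings.push('instanceApiAllowed is true while uibuilder runs outside httpNodeAuth');
    }
    if ((uib.serverOptions || {})['trust proxy'] === true) {
      findings.push(`'trust proxy' is true: X-Forwarded-* headers are trusted from any client that reaches port ${uibPort} directly`);
    }
    if (settings.https && uib.customType === 'http') {
      findings.push('Node-RED uses https but customType is http: uibuilder traffic is unencrypted');
    }
  }
  return {
    dashboard: { port: uiPort, httpNodeAuth: nodeAuth },
    uibuilder: { port: uibPort, httpNodeAuth: nodeAuth && !separate },
    findings,
  };
}

// Constructed sample mirroring the settings.js shown in the answer above.
const answerSettings = {
  uiPort: 1880,
  httpNodeAuth: { user: 'operator', pass: '<bcrypt-hash-placeholder>' },
  uibuilder: {
    port: 3001,
    customType: 'http',
    serverOptions: { 'trust proxy': true },
    instanceApiAllowed: true,
  },
};
// Constructed sample of the question's starting point: one shared port.
const sharedSettings = { uiPort: 1880, httpNodeAuth: answerSettings.httpNodeAuth };

console.log(JSON.stringify(auditExposure(answerSettings), null, 2));
```

To run it against a real installation, pass the object exported by your own settings.js to `auditExposure` in place of the constructed sample.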