Bypass HTTP Node Security prompt for uibuilder, but not dashboard

I currently have Node-Red serving two pages for a control system. The first page was built using node-red-dashboard nodes and requires HTTP authentication to access. The second page, a simple display of values from the system, uses node-red-contrib-uibuilder and does not require any authentication. However, I have not found a way to disable or bypass HTTP authentication on just the uibuilder page.

Is there a way to require authentication for the dashboard page, but not the uibuilder page? I tried to get tricky and set the uibuilder resources in the httpstatic folder without any httpstatic authentication, but it still prompts for credentials. Anything else I can try?


Yes, there is. A couple of ways.

The simplest is to put uibuilder onto its own ExpressJS instance. You can do that in your settings.js as in this example:

    /** Custom settings for all uibuilder node instances */
    uibuilder: {
        /** Optional HTTP PORT. 
         * If set and different to Node-RED's uiPort, uibuilder will create
         * a separate webserver for its own use.
        port: process.env.UIBPORT || 3001,

        /** Optional: Change location of uibRoot
         * If set, instead of something like `~/.node-red/uibuilder`, the uibRoot folder can be anywhere you like.
        uibRoot: process.env.UIBROOT || '/src/uibRoot', //path.join(os.homedir(), 'myuibroot'),
        // For project-specific uibuilder folders:
        // uibRoot: path.join(os.homedir(), '.node-red', 'projects', 'uibuilder')
        /** Only used if a custom ExpressJS server in use (see port above)
         * Optional: Default will be the same as Node-RED. @type {('http'|'https')} 
        customType: 'http',
        /** Only required if type is https, http2. Defines the cert & key. See Node-RED https settings for more details.
         * If not defined, will use Node-RED's https properties.
         * @type {Object<Buffer,Buffer>}
        // https: {
        //     key: 'keyname.key',
        //     cert: 'fullchain.cer'
        // },
        /** Optional: Custom ExpressJS server options
         *  Only required if using a custom webserver (see port setting above). 
         * For a full list of available options, refer to
        serverOptions: {
            'trust proxy': true,  // true/false; or subnet(s) to trust; or custom function returning true/false. default=false
            /** Optional view engine - the engine must be installed into your userDir (e.g. where this file lives)
             * If set as shown, ExpressJS will translate source files ending in .ejs to HTML.
             * See for details.
            'view engine': 'ejs',
            // Optional global settings for view engine
            'view options': {},

            // Custom properties: can be used as vars in view templates
            'footon': 'bar stool',

        /** Optional: Socket.IO Server options
         * See
         * Note that the `path` property will be ignored, it is set by uibuilder itself.
         * You can set anything else though you might break uibuilder unless you know what you are doing.
         * @type {Object}
        // socketOptions: {
        //     // Make the default buffer larger (default=1MB)
        //     maxHttpBufferSize: 1e8 // 100 MB
        // },

        /** Controls whether the uibuilder instance API feature is enabled
         *  Off by default since uncontrolled instance api's are a security and 
         *  operational risk. Use with caution. See Tech Docs for details.
        instanceApiAllowed: true,

Now your uibuilder pages will use http://localhost:3001 instead of 1880. You can set ExpressJS however you like and it won't impact the rest of Node-RED or the Dashboard.

If you want to hide the workings from users, you can put node-red behind a reverse proxy. A reverse proxy is also the other way to have different security settings for different endpoints in Node-RED without having to make changes to the Node-RED default config.


Perfect solution. I had to comment out the line to change the location of uibroot, but other than that it was a copy/paste into my settings.js file.


Ah yes, sorry that was a rip of my test system which exercises most of the possible settings.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.