First of all, I am recently learning software development skills, so don't embarass me
I am developing a dashboard to manage and monitorize an industrial large process. I would like to receive some second thoughts about the languages and communication protocols I am using: Node-Red + VueJs .
Node-Red receives information from other systems (like a Planning System), PLCs, Database,etc. and transmits that infomation, when needed, via MQTT to the VueJs application. The other way happens as well.
In terms of security, I am using the Keycloak tool to authenticate and authorize different users in different pages. The node-red is also secured with their own login system. Should I be worried about changing from HTTP pages to HTTPS in my Vue app? What about protecting the information that flows via MQTT?
The application will run on a private company domain.
I am sorry if this is a bit messy, I hope I can get some more insights from you developers.
Don't worry, we aren't into that here. This is one of the best IT forums on the Internet.
Do you know about node-red-contrib-uibuilder? That lets you build data-driven UI's with Node-RED and VueJS (or indeed any other framework but it comes with VueJS examples).
You should never try to secure any web system without HTTPS. But using keycloak I think you are doing HTTPS at the web server and not at Node-RED's server. In that case, you would only want to think about putting HTTPS onto Node-RED and your Node-RED served VueJS pages (using uibuilder for example) if your keycloak server is separate to your node-red server and over a network that might get compromised (frankly I would always choose to do so if the system is in any way valuable to you or your customers, it is a tiny overhead for a decent amount of security).
Same again. Use an encrypted MQTT connection wherever you need to move data over a network that might get compromised (pretty much any network)
The typical time for an enterprise to realise that its network has been compromised can be 1-2 years. So if your system has value, encrypt the connections. Otherwise, all that time, you will be transmitting information in the clear - including logins.
Thanks for your quick answer. I’ve worked with uibuilder using VueJs pages, however later I would like to implement a ROS interface and using that I may think I am limited.
Just one question, if I want to encrypt MQTT data, how can I get a certificate to upload in the node-red Aedes broker?
I don't really know what that is. But if it is web-based, you can almost certainly use it with uibuilder, letting uib act as a communications interface between Node-RED and your UI. uibuilder does not require any kind of front-end framework to do what it does, it works just fine with "raw" html and javascript. All the talk about things like VueJS are simply because that provides a massive boost for the majority use-case which is building data-driven web apps.
Managing certificates is always a little fraught if you've not done it before. Undoubtedly the easiest way is to make use of Let's Encrypt. There are even nodes for node-red that will help you work with LE. Personally, I use LE's "Acme" shell script on a CRON schedule on a Linux machine - but if that is gobbledegook to you, stick with the node.
You will need a spare publicly visible domain however if you want to use LE. If you need something new, try using the free tier of Cloudflare to purchase and manage a domain. It is only a few dollars per year.
You can do all of this with private - so-called "self-signed" certificates - but it is a lot harder.
Either way, you will finder older threads here in the forum covering both approaches and specifically covering how to secure MQTT traffic.
