Dashboard and Admin Panel Secur problem

I have the problem that I can not protect the admin panel and the UI url. In settings.js I have unblocked the part which is commented out, but after restarting the server nothing happens.

I still have not found a solution to this problem.

I guess that is because you have not provided enough information.

To help you, please provide following info...

  1. How is node-red installed? (docker? cloud? local computer directly? Rasperry PI?)
  2. What is the full path of the settings file you are editing?
  3. What OS is node-red running on (Win/Linux/Mac etc)
  4. How do you start node (runs as a service? always started manually by user 'PI'? etc)?

Lastly, please copy & paste the startup log of node-red (the text you see in console or log file upon starting node-red)

Ok.

I installed NodeRed direct on a Debian 11 System.
The Settingsfile is at /home/.node-red/settings.js
Its in the autostart "systemctl enable nodered.service"

Hope these are the infos which do you need

You don't appear to have provided that information. The commands
node-red-stop
node-red-start
Should provide that.

Also what do you mean by 'nothing happens'.

What account runs node-red? Look in top or htop for node-red when it is running as a service. What user does it show?

Surely that is not the full path - it will be something like /home/something/.node-red/settings.js

What does pwd reveal? What is your username?


The point I am trying to get to is - imagine for 1 second the system runs the node-red application as root or my-node-red-service-account then the settings file loaded will most likely be somewhere different to the one you are editing. Ergo, why we need the logs to determine what settings file is being used.

The point I am trying to get to is - imagine for 1 second the system runs the node-red application as root or my-node-red-service-account then the settings file loaded will most likely be somewhere different to the one you are editing. Ergo, why we need the logs to determine what settings file is being used.

That was the solution. I forgot, that when i use it as startup service, it run as root. So it was at /root/.node-red/settings.js

I Repalce the settingsfile from /home/.node-red/ to the root folder and now it works.

Thanks alot for your time and the hint and have a nice day

It really isn't a good idea idea to run node red as root. A bug in your flows could trash the whole system.

+1

Also, if your node-red is accessed by a bad actor (and i dont mean Sylvester Stallone), then a very simple flow modification to infect your full system (at root level no less) is next on the cards.

Its realy safe. No default Port and no access to the www.
It runs in our intranet in seperat vlan without connection to our mainnetwork.

The Machine run as VM on a test physical server without access to other things. So its ok i think so =)