Hi, noob question: I have a local installation of flowfuse that works well on ubuntu. Now I want to enable https by using the tailscale dns cert/key and the ts domain names. I read through various threads but don’t get it to fully work. I also want the hosted nodered instances (via the editor) to be available via https. How do I do this?
Did you follow Node-RED-Tailscale-Tutorial/docs/tailnet_serve_https.md at main · bartbutenaers/Node-RED-Tailscale-Tutorial · GitHub?
That worked for me very easily.
Hi, the problem I have is that if I use tailscale serve 3000, the dashboard on port 3000 works perfectly but I cannot open the editor for the hosted instances, for example at ports 12080, 12081.... 12090. Same if I use nginx as proxy. So I guess that this is security by design? How do I get https access then to the editor of the hosted instances?
Have you got https access to your dashboard?
If so, it's exactly the same process, serve it using something like;
tailscale serve --https=443 --bg --set-path /flow_editor http://localhost:1880/flow_editor
Thank you - yes - I got access to the dashboard with tailscale serve 3000 or tailscale serve --https=443 --bg --set-path /flow_editor http://localhost:1880/flow_editor. The problem is that with both tailscale serve commands I cannot access the flow editors for the hosted instances. There it says no connection for the 10 or so hosted Node-RED instances on ports 12080 - 12090 when trying to open the respective flow editor (i.e. https://my-tailscale-url:128083) in the web browser. The node-red logs (here hosted instance on port 12083) are:
5/18/2025 8:28:39 PM [system] Launcher version: 2.17.0
5/18/2025 8:28:39 PM [system] Loading project settings
5/18/2025 8:28:39 PM [system] Target state is 'running'
5/18/2025 8:28:39 PM [system] Starting Node-RED
5/18/2025 8:28:39 PM [system] Starting health check monitor (7.5s)
5/18/2025 8:28:39 PM [info] Welcome to Node-RED
===================
5/18/2025 8:28:39 PM [info] Node-RED version: v4.0.9
5/18/2025 8:28:39 PM [info] Node.js version: v20.19.2
5/18/2025 8:28:39 PM [info] Linux 6.8.0-60-generic arm64 LE
5/18/2025 8:28:39 PM [info] Loading palette nodes
5/18/2025 8:28:39 PM [info] FlowFuse Assistant Plugin is disabled
5/18/2025 8:28:39 PM [info] FlowFuse HTTP Authentication Plugin loaded
5/18/2025 8:28:39 PM [info] FlowFuse Team Library Plugin loaded
5/18/2025 8:28:39 PM [info] FlowFuse Light Theme Plugin loaded
5/18/2025 8:28:39 PM [info] FlowFuse Dark Theme Plugin loaded
5/18/2025 8:28:39 PM [info] FlowFuse Metrics Plugin loaded
5/18/2025 8:28:39 PM [warn] ------------------------------------------------------
5/18/2025 8:28:39 PM [warn] [@flowfuse/nr-project-nodes/project-link] Error: Project Link nodes cannot be loaded outside of an FlowFuse EE environment (line:6)
5/18/2025 8:28:39 PM [warn] [@flowfuse/nr-file-nodes/file] 'file in' already registered by module node-red
5/18/2025 8:28:39 PM [warn] ------------------------------------------------------
5/18/2025 8:28:39 PM [info] Settings file : /opt/flowforge/var/projects/d009a453-5cd6-428c-bd3c-014833efc2f3/settings.js
5/18/2025 8:28:39 PM [info] Context store : 'default' [module=memory]
5/18/2025 8:28:39 PM [info] Server now running at http://127.0.0.1:12083/
5/18/2025 8:28:39 PM [warn] Encrypted credentials not found
5/18/2025 8:28:39 PM [info] Starting flows
5/18/2025 8:28:39 PM [info] Started flows
When I access the instance with the longer url (i.e. https://my-tailscale-url/instanc/idexyz) then the lower part with the settings is shown but not the flows.
I guess that's expected otherwise the system security would be weakened.
Have you tried also serving the flow editors for the other hosted instances?
For example;
tailscale serve --https=443 --bg --set-path /instance_one http://localhost:12080/instance_one
tailscale serve --https=443 --bg --set-path /instance_two http://localhost:12081/instance_two
Etc ..
Thank you for your patience - I tried the below (executed as script) but this still doesn't allow me to connect to the flow editors of instance one or two......
# Serve FlowFuse dashboard at root
sudo tailscale serve --https=443 --bg --set-path / http://localhost:3000
# Serve Node-RED Instance 1 (UUID path)
sudo tailscale serve --https=443 --bg --set-path /0273d581-77c0-4141-b91e-ec1cc685c74f http://localhost:12080
# Serve Node-RED Instance 2 (UUID path)
sudo tailscale serve --https=443 --bg --set-path /98a97351-b648-4970-b307-f4676efe0dcc http://localhost:12081
The tailscale serve status then shows:
Available within your tailnet:
https://my-ts-url.net/
|-- proxy http://localhost:3000
https://my-ts-url.net/98a97351-b648-4970-b307-f4676efe0dcc
|-- proxy http://localhost:12081
https://my-ts-url.net/0273d581-77c0-4141-b91e-ec1cc685c74f
|-- proxy http://localhost:12080
Serve started and running in the background.
To disable the proxy, run: tailscale serve --https=443 off
If I then do https://my-ts-url.net/0273d581-77c0-4141-b91e-ec1cc685c74f, I cannot connect to the flow editor. Same for https://my-ts-url.net:12080...... I tried to set a flow editor URL path (i.e. /flow_editor) for set path but that didn't work either.... nor does it make a difference if I use localhost or 127.0.0.1 in the set path statement....
That doesn't look right.
It looks as though NR is trying to run as https without credentials. https needs to be disabled in node-RED's settings file as per Bart's guide.
It would possibly be clearer for testing purposes if you;
Set httpAdminRoute to server1 in NR settings and restart the instance,
Then remove the corresponding serve command - sudo tailscale serve --https=443 --set-path /0273d581-77c0-4141-b91e-ec1cc685c74f off
...set the serve command this time to;
sudo tailscale serve --https=443 --bg --set-path /instance1 http://localhost:12080/server1
Then try accessing it using https://my-ts-url.net/instance1
If I run tailscale serve status I get;
|-- /icon proxy http://localhost:8441/images/server-a.png
|-- /jellyfin proxy http://localhost:8088
|-- /dashboard proxy http://localhost:2765/dashboard
|-- /flow_editor proxy http://localhost:2765/flow_editor
So you can see the format.
To access, say the editor, I use https://my-ts-url.net/flow_editor
What do you see if, for example, you browse to http://localhost:12080 where the browser is running on the machine where you run the tailscale serve command?
Thanks - stupid question: where do I disable it in the node-red settings file, as I don't see any https section in the respective NR settings.js? I changed to instance1 as instance name, server1 (set in NR environment with httpAdminRoute) and instance2 as instance name of the second instance, and server2 (httpAdminRoute in NR environment). I use the serve commands:
sudo tailscale serve --https=443 --bg --set-path /instance1 http://localhost:12080/server1
sudo tailscale serve --https=443 --bg --set-path /instance2 http://localhost:12081/server2
and, for the ff dashboard:
sudo tailscale serve --https=443 --bg --set-path / http://localhost:3000
Available within your tailnet:
https://my-ts-url.net/
|-- proxy http://localhost:3000
https://my-ts-url.net/instance1/flow-editor
|-- proxy http://localhost:12080/server1/flow-editor
https://my-ts-url.net/instance2/flow-editor
|-- proxy http://localhost:12081/server2/flow-editor
... for https://my-ts-url.net/instance1/flow-editor I get on the browser: Cannot GET /server1/flow-editor
...for https://my-ts-url.net/instance1 I get on the browser: error 404
Oops! Looks like you've lost the flow...
But don't worry, it's easy to get back on track!
also there is no connection for https://my-ts-url.net:12080 or 12081 possible with the browser.
I have certainly lost track of the thread. Is the fundamental problem still as in your earlier post where you have the surrounding display but the editor pane is just grey? If so then if you right click is there an option to copy the url or something similar? If so then what url is it trying to open there?
If not then open the browser developer tools and see what url is failing.
/*******************************************************************************
* Security
* - adminAuth
* - https
* - httpsRefreshInterval
* - requireHttps
* - httpNodeAuth
* - httpStaticAuth
******************************************************************************/
/** To password protect the Node-RED editor and admin API, the following
* property can be used. See http://nodered.org/docs/security.html for details.
*/
//adminAuth: {
// type: "credentials",
// users: [{
// username: "admin",
// password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
// permissions: "*"
// }]
//},
/** The following property can be used to enable HTTPS
* This property can be either an object, containing both a (private) key
* and a (public) certificate, or a function that returns such an object.
* See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
* for details of its contents.
*/
/** Option 1: static object */
//https: {
// key: require("fs").readFileSync('privkey.pem'),
// cert: require("fs").readFileSync('cert.pem')
//},
/** Option 2: function that returns the HTTP configuration object */
// https: function() {
// // This function should return the options object, or a Promise
// // that resolves to the options object
// return {
// key: require("fs").readFileSync('privkey.pem'),
// cert: require("fs").readFileSync('cert.pem')
// }
// },
/** If the `https` setting is a function, the following setting can be used
* to set how often, in hours, the function will be called. That can be used
* to refresh any certificates.
*/
//httpsRefreshInterval : 12,
/** The following property can be used to cause insecure HTTP connections to
* be redirected to HTTPS.
*/
//requireHttps: true,
In particular the last line.
@ckishappy - If you issued the serve command as per my last post -
How come the serve status shows -
/flow-editor was not mentioned in the serve command? Where did that come from?
As for disabling https, see Node-RED-Tailscale-Tutorial/docs/tailnet_plain_http.md at main · bartbutenaers/Node-RED-Tailscale-Tutorial · GitHub which is the guide which both @Colin & myself linked to in the above posts.
thanks for your patience - got it to work. Will need to play around a bit more to avoid port mapping errors by node-red in case of system reboots.
sudo tailscale serve status
https://my-ts-url.net:12080 (tailnet only)
|-- / proxy http://localhost:12080
https://my-ts-url.net:12081 (tailnet only)
|-- / proxy http://localhost:12081
https://my-ts-url.net:12082 (tailnet only)
|-- / proxy http://localhost:12082
https://my-ts-url.net:12083 (tailnet only)
|-- / proxy http://localhost:12083
https://my-ts-url.net (tailnet only)
|-- / proxy http://localhost:3000
That seems an unusual way to format it, but if it works, and you want it that way, then it's all good.
I'll mark your post as the solution.
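Added example, not part of the thread or of any poster's setup: a shell check over the `tailscale serve status` layout shown in the solution post, confirming that every expected HTTPS port is mapped, that each listener is labelled `(tailnet only)`, and that each proxy target is a loopback address. The function name, the expected-port list and both sample texts are constructed for illustration; the `(Funnel on)` label in the second sample stands for any label other than `(tailnet only)`.

```shell
#!/bin/sh
# Added example: audit the text printed by `tailscale serve status`.
# audit_serve_status "<expected ports>" reads the status text on stdin,
# prints one line per finding and returns 1 if anything was found.
audit_serve_status() {
    awk -v expected="$1" '
        # Listener header, e.g. "https://host:12080 (tailnet only)"
        /^https:\/\// {
            url = $1
            port = 443                       # no explicit port means 443
            if (match(url, /:[0-9]+$/)) port = substr(url, RSTART + 1)
            seen[port] = 1
            label = $0
            sub(/^[^ ]+ */, "", label)       # keep only the "(...)" part
            if (label != "(tailnet only)") { print "EXPOSED " url " " label; bad++ }
            next
        }
        # Handler line, e.g. "|-- / proxy http://localhost:12080"
        / proxy / {
            if ($NF !~ /^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/) {
                print "NONLOCAL " url " -> " $NF; bad++
            }
        }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "MISSING " want[i]; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample in the layout of the solution post.
SAMPLE_OK='https://my-ts-url.net:12080 (tailnet only)
|-- / proxy http://localhost:12080
https://my-ts-url.net:12081 (tailnet only)
|-- / proxy http://localhost:12081
https://my-ts-url.net (tailnet only)
|-- / proxy http://localhost:3000'

# Constructed sample: one listener is not tailnet-only, port 12081 is missing.
SAMPLE_BAD='https://my-ts-url.net (tailnet only)
|-- / proxy http://localhost:3000
https://my-ts-url.net:12080 (Funnel on)
|-- / proxy http://localhost:12080'

printf '%s\n' "$SAMPLE_OK"  | audit_serve_status "443 12080 12081" && echo "OK sample: clean"
printf '%s\n' "$SAMPLE_BAD" | audit_serve_status "443 12080 12081" || echo "BAD sample: findings above"
```

On a live host the same function can be fed from `sudo tailscale serve status`, for example after a reboot, to confirm the per-port mappings came back as expected.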