Here's my IOT project

Hello guys, I'm happy to share with you my personal Node-Red project.
It involves the use of a slightly personalized Dashboard (with some CSS play on borders, colors and background), weather tiles (two cities where I have my houses), timers, switches and button-style text views.
Everything runs on a Digital Ocean droplet, with Docker-containerized Node-Red and Mosquitto MQTT; no local server involved, everything runs in the cloud.
I manage some Sonoffs, placed in two houses with Tasmota flashed on.
You'll see timers, which don't involve particular nodes but rely directly on Tasmota's internal timers; this means no variables to store locally, everything is kept in Tasmota's memory.
Views are from my Android phone browser.
It is far from being finished, but I hope you enjoy it, and please feel free to ask for anything that might be useful for your use!

Very nicely done

It would be nice to document a bit more about how you have managed the communications and security between the geographically dispersed units (in light of the recent spate of attacks on Node Red instances that others have reported).

Craig

Oh, now you've scared me :sweat_smile:
Actually, I have just a basic user/password authentication both for the Node Red editor and the Dashboard.
Node Red is built into a Docker container instance on a Digital Ocean VPS.
Mosquitto has user/password authentication too.
The Tasmotas communicate with the Mosquitto MQTT broker by connecting to the remote VPS static IP.
The Tasmotas are on a NATted network (under a 4G-connected router in both houses); there is no way to get a public IP and connect directly to them.
Should I be worried about something?

Are you using https everywhere?

Yep you should be worried as it is only a matter of time before someone decides to attack this.

As you are using dynamic remote connections (so you cannot lock down access by the firewall in the VPS) - your best bet would be to look at a VPN solution - do the routers on your remote connections support some form of VPN client such as OpenVPN, Zerotier, Wireguard, Tailscale etc?

Depending on the resources in your VPS and what your routers support, you could look at Netmaker, which is a management interface on top of Wireguard.

Craig

  • Digital Ocean Droplet VPS with Fail2ban
  • Fixed IP and registered domain name
  • Portainer installed to manage containers (secured with a strong password)
  • Node Red is hosted as a Docker container on that VPS
  • Node Red and its UI are secured with strong passwords
  • Mosquitto MQTT is hosted as a Docker container on that VPS, secured with a user/password combination
  • Delocalized IOT modules running Tasmota, connecting to the remotely hosted Mosquitto MQTT broker; messages are sent using a user and password combination in MQTT (TLS to be implemented soon)
  • NGINX Proxy Manager as reverse proxy, providing SSL encryption for Portainer, Node Red and NGINX Proxy Manager itself; everything runs with Let's Encrypt generated certificates

All the above (the NGINX reverse proxy security measures and HTTPS, I mean) have been implemented during the last week!

Now...yes, routed by Nginx Reverse Proxy Manager.

Aaah - that sounds much better then!!

I thought that Tasmota was only going to support MQTT/TLS on ESP32 modules?

It would be nice if you could get all the update processes (i.e. Tasmotas) over a VPN, but if your routers do not support that natively then there is not much you can do.

Also, have you disabled password-based login for SSH and implemented key exchange to authenticate?

If it was mine (and I do something similar to what you have) I would lock down the management (Portainer etc) to only be allowed from my VPN addresses - you could then install Zerotier etc etc into the VPS.

Craig
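The two configuration items raised in this thread (the MQTT broker still accepting credentials over a plain listener until TLS is added, and SSH still allowing password login) can be checked mechanically. The script below is an added example, not code from anyone in the thread and not from the Mosquitto or OpenSSH projects: it writes four constructed sample configs (a weak and a hardened mosquitto.conf, a weak and a hardened sshd_config) and audits them for the settings Craig describes. The certificate paths containing EXAMPLE_DOMAIN are placeholders, and the directive lookup is simplified (first uncommented occurrence wins, which is sshd_config's rule; in a real mosquitto.conf the certfile/keyfile pair belongs to each listener block).

```shell
#!/bin/sh
# Constructed sample configs written to a scratch directory (illustrative, not real files).
WORK=$(mktemp -d)

cat > "$WORK/mosquitto-weak.conf" <<'EOF'
# plain-text listener, no credentials required
listener 1883
allow_anonymous true
EOF

cat > "$WORK/mosquitto-hardened.conf" <<'EOF'
# TLS-only listener with broker certificate; credentials required
listener 8883
cafile /etc/letsencrypt/live/EXAMPLE_DOMAIN/chain.pem
certfile /etc/letsencrypt/live/EXAMPLE_DOMAIN/fullchain.pem
keyfile /etc/letsencrypt/live/EXAMPLE_DOMAIN/privkey.pem
allow_anonymous false
password_file /mosquitto/config/passwd
EOF

cat > "$WORK/sshd-weak.conf" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat > "$WORK/sshd-hardened.conf" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF

# conf_value FILE DIRECTIVE: value of the first uncommented occurrence (empty if absent).
conf_value() {
    awk -v k="$2" '$1 == k && !seen { v = $2; seen = 1 } END { print v }' "$1"
}

# audit_mosquitto FILE: one finding per line; prints nothing when the broker is hardened.
audit_mosquitto() {
    f="$1"
    # anonymous clients can publish commands to the Sonoffs without any credential
    [ "$(conf_value "$f" allow_anonymous)" = "false" ] \
        || echo "mosquitto: allow_anonymous is not explicitly false"
    # without a password_file there is nothing to authenticate against
    [ -n "$(conf_value "$f" password_file)" ] \
        || echo "mosquitto: no password_file configured"
    # a listener without a certificate carries the MQTT username/password in clear text
    if grep -q '^listener' "$f" && [ -z "$(conf_value "$f" certfile)" ]; then
        echo "mosquitto: listener without TLS (no certfile)"
    fi
}

# audit_sshd FILE: same idea for the VPS's sshd_config (defaults: yes, yes, prohibit-password).
audit_sshd() {
    f="$1"
    [ "$(conf_value "$f" PasswordAuthentication)" = "no" ] \
        || echo "sshd: PasswordAuthentication is not 'no' (brute-force surface for Fail2ban to absorb)"
    [ "$(conf_value "$f" PubkeyAuthentication)" != "no" ] \
        || echo "sshd: PubkeyAuthentication disabled"
    case "$(conf_value "$f" PermitRootLogin)" in
        ""|no|prohibit-password) ;;   # absent means the prohibit-password default
        *) echo "sshd: PermitRootLogin allows password root login" ;;
    esac
}

# count_findings AUDIT_FN FILE: number of finding lines, usable as a pass/fail score.
count_findings() {
    "$@" | awk 'END { print NR }'
}

for f in "$WORK"/mosquitto-*.conf "$WORK"/sshd-*.conf; do
    echo "== $f"
    case "$f" in
        *mosquitto*) audit_mosquitto "$f" ;;
        *)           audit_sshd "$f" ;;
    esac
done
```

Running it prints three findings for the weak broker config, two for the weak sshd config, and nothing for the hardened pair; pointing `audit_mosquitto` and `audit_sshd` at the real files inside the containers and on the droplet gives the same kind of pass/fail answer.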

Actually, if you compile it yourself, it also works on ESP8266 modules.

Thanks for the suggestions, much appreciated; I'll give them a try.

Max