How to 'whitelist' IP addresses that can access Node RED

Node RED is a powerful tool, and one that fits perfectly in the ever more connected world.
But when doing so, security should be the first priority; sadly, a lot of users do not adhere to this.

With this in mind, there are various tools / services that can help protect access to Node RED, specifically its editor.

  • Cloudflare
  • ZeroTier
  • VPN
  • Countless others

Node RED itself has an authentication mechanism, and this should be used at the minimum.

However, not all services are easy to configure, and we need to expect that network security solutions are not something understood by all users.

So here is another method, that adds a surprisingly effective barrier to Node RED.

This method only allows IP addresses that you specify to access Node RED.
There are drawbacks you need to be aware of:

  • You need to know the IP address (or range) that you access Node RED from
    (your office internet IP address, for example);
    the same applies to accessing Node RED from your mobile.

  • This will require Node.js v15+

So with that out of the way,

  1. Open up settings.js
    This is usually ~/.node-red/settings.js

  2. Above the line that reads module.exports = {
    add the below:

const allowedIPs = [];

const { BlockList } = require("net");
const WL = new BlockList();
allowedIPs.forEach((v) => {
  if (v.includes("/")) {
    // CIDR subnet, e.g. "172.16.0.0/24"
    const Parts = v.split("/");
    WL.addSubnet(Parts[0].trim(), parseInt(Parts[1].trim(), 10));
  } else if (v.includes("-")) {
    // Start-end range, e.g. "172.16.0.0-172.16.0.20"
    const Parts = v.split("-");
    WL.addRange(Parts[0].trim(), Parts[1].trim());
  } else {
    // Single address
    WL.addAddress(v.trim());
  }
});

allowedIPs should be an array of IP addresses, ranges or subnets:

  • "172.16.0.0/24" (i.e. your subnet)
  • "172.16.0.0-172.16.0.20" (i.e. a network range)
  • "216.58.201.99" (i.e. your office public IP address)

Example:

const allowedIPs = [
  "127.0.0.1",                   /* Localhost */
  "172.16.0.0/24",               /* Private Network */
  "103.22.200.1-103.22.203.254", /* CloudFlare range example */
];
  3. Find the line that reads httpAdminMiddleware, uncomment it, and use the following:

  httpAdminMiddleware: function (req, res, next) {
    if (WL.check(req.ip)) {
      next();
    } else {
      res.status(401).end();
    }
  },

  4. Restart Node RED

The Node RED Admin API/Editor will no longer respond to any IP address or range that you did not add to the allowedIPs array.

Final Note(s):

This WILL NOT stop hacking attempts on your device, but it is one that has an instant effect on what or who can access the Node RED editor and Admin API.

This does not open up access to Node RED from external networks; it limits which networks can access Node RED if you choose to open it up to the internet, i.e. a port forward.

7 Likes

Hi @marcus-j-davies,
Thanks for sharing this tutorial!!
It is very nice to see something about security popping up, because it might help a lot of users.

That is something I have also been wondering about in the past. I have never tested it, but I assume my smartphone gets a new IP address often from my provider. Or when I travel abroad, my phone probably will get another IP address from the foreign provider. Then I wouldn't be able to access my Node-RED system. Or do you have other thoughts about this?

Bart

1 Like

Hi @BartButenaers,

Thanks

Have often wondered this myself - I don’t actually know the answer.

But I do believe it’s no different to our own pesky networks at home.

We are assigned an internal IP by the provider and it’s likely a range per cell tower.

Using NAT, it’s then presented by a public IP owned by the operator when we connect to a remote endpoint.

I would imagine parts of the city you live in will be presented by a single IP address, so many will have the same IP.

This was evident when we whitelisted some IP ranges on our servers, for our engineers in each city.

So in theory, you could add a large range, in knowing that said range is used by the operator.

1 Like

Just repeating your feedback here (from the client certificate discussion) for anybody interested in ip whitelisting.

1 Like

Could the array of IPs be a separate file (i.e. not hardcoded in settings.js)?
That would enable me to modify this script (GitHub - Paul-Reed/cloudflare-ufw: Script to update UFW with Cloudflare IPs) to periodically download Cloudflare's IPs to that file (and possibly restart the server).

1 Like

Absolutely (untested, but should work):

const allowedIPs = require("./AllowedIPs.json")

AllowedIPs.json

[
   "127.0.0.1",                   
   "172.16.0.0/24",               
   "103.22.200.1-103.22.203.254"
]
3 Likes

Nice @Paul-Reed ! It would also make it easy to copy the list to other machines running NR on your network!

2 Likes

A restart of NR will be needed of course, but yes, this will allow an external list,
and this is for the Editor/Admin API itself.

To extend it to standard HTTP In nodes (untested):

httpNodeMiddleware: function (req, res, next) {
    if (WL.check(req.ip)) {
      next();
    } else {
      res.status(401).end();
    }
  },

@Paul-Reed Note that if putting the IPs in a separate file, comments are not allowed; they will cause NR to crash at startup. i.e.:

BAD

[
   "127.0.0.1",      /* localhost */
   "192.168.1.0/24"  /* Private Network */
]

GOOD

[
   "127.0.0.1", 
   "192.168.1.0/24"
]
2 Likes

The Node.js BlockList class seems not to have many methods to change the IP addresses at runtime. Isn't it better to do it in another way, so you can change the list without restarting?

Is whitelisting public IP addresses like this a good idea?

One would have to open a port which if a bot spotted would identify your IP as an attack target.

Combine that with whitelisting a whole range of public IP addresses which you are not using but someone else is ...

There are much better ways to provide secure access from the web.
A simple rule is never open a port on your router. Ever.

Excellent for controlling access to the editor within a LAN though.

As opposed to allowing all public IPs?

This is in response to many events on the forum, where those that have opened up ports are not restricting who can access those open ports - we have seen the posts.

This "helpful trick" will allow tightening up security in these situations.

Like I said: "However, not all services are easy to configure, and we need to expect that network security solutions are not something understood by all users."

This is about adding a layer of security to what is otherwise a currently unrestricted open port.

Yes, we have heard about CloudFlare, VPNs, tunnels and so on and so forth, and it's not always straightforward for users to get to grips with it all, or understand how those services work.

What this does is add an effective barrier for those who blindly open up their Node RED, choosing not to try to understand, or who are put off by learning, the services available.

It's kind of like "If you do not want to use this service, then at least add some IP filtering".

Drawbacks of course, about needing to know the IP and having it static, but the alternative is being wide open to all public networks.

Agreed! - if only users followed that advice :grimacing:

1 Like

Don't want to be negative here. This is certainly useful, thanks for sharing.

However, there are, I think, some notable caveats that relate to different network configurations.

Not at my pc so can't test my assumptions for now.

Anyway, this method does no harm and should help in many cases. But certainly isn't a panacea.

1 Like

No. As opposed to whitelisting any public ips whatsoever.

Yes I know some people discover they can open a port and do so without any further thought until they get hacked.

Your post gives easily followed instructions for one way to make NR more secure, I just think it's dangerous to suggest it is applicable to an installation exposed to the internet.
But yes, if NR is exposed to the internet, it's probably safer to whitelist all of cloudflare's IPs than to allow access to everyone.
It probably isn't much help if you hope to turn off your lights from the pub, does the hotspot give you a cloudflare IP address?

Certainly the current Node-red setup procedures pay lip service to security.
There are forum posts which list a bunch of security related acronyms and jargon without explaining.
We do need more simple howtos for other approaches.
I keep starting to write one for Zerotier and find myself unable to answer the questions it raises.
The product itself badly needs a security overhaul too.

1 Like

Was wondering if it might have some benefit to add logging of 401 responses?

1 Like

intriguing idea to identify the Mr Meaners

Depends if you know the landlord, and manage their system :wink:

Or some form of alert that access attempts are happening from non-whitelisted IPs.

I wonder why you would need to give access to the editor to turn off lights from the pub. I use a Telegram or free tier cloud MQTT server for this sort of thing, but most of my home systems will turn off or on when leaving home or returning, using automation. Isn't that what home automation is for/should do?

3 Likes

Good point. I suppose I use the editor as a dashboard!

Happy Christmas all :evergreen_tree: :turkey:

3 Likes

You’ll be on Santa’s naughty list ! Merry Xmas.

4 Likes

In this FAQ everyone has always been talking about the security of the NR editor. Does any option exist in NR to use this kind of protection for the dashboard?