Https configuration

Hello,
Following my previous post and the advice I got, I would like to enable an HTTPS connection with Node-RED.

I already have a certificate used for my webserver; the problem is that Node-RED has not been installed with sudo, so it will not be able to read this certificate.

Would you have an idea on how to solve it?
Thanks,
Daniele

I would first store the certificate/key in a location that can be read (and only read) by both processes.
Say /etc/ssl/certs.

Then point your web server config at its location.
And do the same for Node RED (settings.js)

https: {
    key: require("fs").readFileSync('/etc/ssl/certs/privkey.pem'),
    cert: require("fs").readFileSync('/etc/ssl/certs/cert.pem')
},

If required, adding read access for the node-red process user shouldn't be too strenuous.
Be mindful of the Common Name in the cert as it may not match the host you use for Node RED - so you might get a security warning when accessing Node RED - it's more a bother than anything else.

EDIT
And to enforce SSL on Node RED

requireHttps: true,
1 Like

What web server are you using?

Configure it to work as a reverse proxy for Node-RED then you won't need to configure node-red for HTTPS.

That is by far the safest, most robust and most performant option.

2 Likes

I am using lighttpd, I have no experience with reverse proxy, can you please help?

I don't know lighttpd but whilst it does support proxying

Just be careful about creating a potential gap for public internet traffic to hit Node RED.

I don't know lighttpd either but a quick search took me back to the same page that Marcus shared. You need the mod_proxy module and it has support for proxying web sockets.

        #"upgrade" => "enable",
            # enable support for Upgrade: websocket
            # Depending on the websocket application, please also review
            # settings for server.max-read-idle and server.max-write-idle
1 Like

Hello Marcus,
I have created a new certificate, configured the settings.js file and it works. I have then mapped a random port XYZ to 1880, just to be on the safe side.

So, if I type:

https://mydomain.org:XYZ

I reach Node-RED from the Internet.

I have then set:

requireHttps: true,

but if I type:

http://mydomain.org:XYZ

it will not work, I get the error, Safari cannot open the page.

The same applies if I try to connect from the LAN: I need to connect by typing https://, otherwise it won't connect.

What am I doing wrong?
Please advise.
Thanks,
Daniele

Just stops plain text traffic - and according to notes: should redirect :man_shrugging:

  /** The following property can be used to cause insecure HTTP connections to
     * be redirected to HTTPS.
     */
    //requireHttps: true,

It should redirect but it does not seem to redirect.

By the way, now that I have set a password and an https connection, is there any risk in exposing Node-RED to the Internet?

In any case I will close the port and limit to LAN access, just to be safer!

There is always some risk. Whether it is significant is hard to judge from seeing just bits of the configuration and not knowing your environment.

As previously stated, if you want to really cut down the risk, use something like CloudFlare Zero Trust which will do a lot of the heavy lifting for you.