Hi! I've installed NR on shared hosting, with a wizard that allows me to set the Node.js version, domain, and startup file. Once the app is started, a virtual environment is created which I can access with an ssh terminal and install node-red in the usual way. In the terminal, node-red starts OK, but shuts down when I close the terminal. I can't find a way to start node-red from package.json or app.js in a stable mode.
I've not played with Passenger for a long time but there shouldn't be any problems using it to keep Node-RED running - as long as your hosting provider allows you to have long-running processes which some do not.
Passenger allows you to configure a node.js start command with options to keep the process running in a similar way to working with systemd. You will need to tell Passenger the full path to node.js, the node-red start script and the userDir folder.
The usual security warnings apply of course along with an additional warning about having private data on shared servers. Keep a master copy of your app offline, periodically check to make sure that nothing has changed critical files. Ideally, create a separate non-root user id to run node-red and make sure that all critical files are owned by that user. And since you will be using a web server anyway, use that to provide TLS (HTTPS & WSS) support and user authentication and authorisation.
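The periodic check of critical files and their ownership suggested in the reply above, as an added example that is not part of the original thread. The file names in `CRITICAL_FILES` are assumptions about what the Node-RED userDir holds, and GNU `sha256sum` and `stat` are assumed to be available on the host.

```shell
#!/bin/sh
# Added example, not from the thread. The file names are assumptions:
# list whatever your Node-RED userDir really holds.
CRITICAL_FILES="settings.js flows.json flows_cred.json package.json"

# snapshot DIR: print "sha256  name" for every critical file present in DIR.
snapshot() {
    (
        cd "$1" || exit 2
        for f in $CRITICAL_FILES; do
            if [ -f "$f" ]; then sha256sum "$f" || exit 2; fi
        done
    )
}

# make_baseline DIR OUT: run against the offline master copy, keep OUT offline.
make_baseline() {
    snapshot "$1" > "$2"
}

# check_baseline DIR BASELINE: 0 = identical, 1 = changed, missing or new
# critical file, 2 = could not read. Differences are printed as diff output.
check_baseline() {
    [ -r "$2" ] || return 2
    cur=$(mktemp) || return 2
    if ! snapshot "$1" > "$cur"; then rm -f "$cur"; return 2; fi
    rc=0
    diff "$2" "$cur" || rc=1
    rm -f "$cur"
    return "$rc"
}

# wrong_owner DIR UID: print critical files in DIR not owned by numeric UID.
wrong_owner() {
    for f in $CRITICAL_FILES; do
        if [ -f "$1/$f" ] && [ "$(stat -c %u "$1/$f")" != "$2" ]; then
            echo "$f"
        fi
    done
}
```

Build the baseline from the offline master copy with `make_baseline`, then run `check_baseline` and `wrong_owner` on the server copy from a scheduled job and alert on any output or non-zero status.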
Thanks Julian! Actually, I'm using some kind of wizard from cPanel like this:
Step 1: I've created the node app instance, with just a domain and route. This step creates a virtual environment route and "app.js" as the startup file.
Step 2: From the ssh terminal, I've installed "npm install -g --unsafe-perm node-red" inside the virtual environment. Then I tested by typing "node-red" and NR runs OK, pointing to "127.0.0.1:1880"
Here I ran into random behaviors (random because I don't document it!) where at some point Node-RED was accessible through "appdomain:1880" or "appdomain" when I changed the startup file from app.js to "virtualenviromentroute/node-red" (symbolic link to `../lib/node_modules/node-red/red.js`).
I've been trying to set that "virtualenviromentroute/node-red" as the start script in package.json too...
But... I've no idea of Node.js and node apps deployment.
Sorry about my messy query and weird English... Any help is welcome!
Yes, that is not a good move for a shared server accessed over the internet. That's because you've installed Node-RED with more privileges than it should have by installing with `-g`, so the slightest vulnerability in node.js, Node-RED or any of the dependency libraries opens you up to more attacks.
You should use a local install using a separate user id specifically set up for that job and that only has access to the minimum it needs. You may find my alternate installer on GitHub a helpful starting point.
It is also sensible to change the default port from 1880 to something else above 1024 that isn't commonly used. This helps put off anyone trying to scan your server. We've certainly seen attacks against poorly configured instances of Node-RED.
Also, when configuring your web server, don't forget to proxy the websockets traffic, not just the https traffic (I did say not to use anything but HTTPS/WSS I think previously?).
And don't forget to configure your local firewall if you are allowed, so as to limit access to endpoints. If you can, it is worth limiting access to the Editor to only known source IP addresses or ranges.
Even better would be to only allow access to your web server from CloudFlare and use their front-end to give access - they have additional protections available even on the free tier.