Hello, I'm looking for an online provider that offers Linux in the cloud. I would like to install Node-RED and Mosquitto on this server. I can also put my own Raspberry online, but I want the availability and security of a cloud. If my internet fails at home or my Raspberry breaks down, the system stops running. That's why I want that as a cloud solution. Can you give me a tip on how I can implement that, or which provider offers such a service? Thank you so much!
A good start is https://nodered.org/#get-started
Specifically section "In the cloud"
Not all "cloud" compute providers are equal. You have a number of choices and will need to do some research to work out the best approach for you and your budget:
- There are a few services offering direct Node-RED. Search for FRED for example. You could couple that with a cloud version of an MQTT broker.
- You could go for your own Virtual Private Server (VPS), this gives you a complete but virtualised server so you have to maintain the software yourself. This gives you a lot of flexibility and lets you arrange a security level you are comfortable with. However, there are no free lunches here but lowendbox may help you find something cheap - I ran a couple of low-cost VPS's for several years.
- You could use a global Cloud provider such as IBM, Microsoft Azure or AWS. Some of these have free tiers at least for a time or you may have professional access (e.g. being a Microsoft business partner or MVP). IBM's cloud even has Node-RED ready to go as a service which you may be able to use for free.
Certified ? you have to be to work round here....
(ah the old jokes...
Wow, many thanks for the many answers. I would like to distribute some sensors outside. These should transmit a status and a temperature every few hours. This happens with SIM800 and Arduino. At the beginning I wanted to do this by means of Blynk. Unfortunately, Blynk is very "bitchy" when it comes to a slow and unstable internet connection. Therefore, I thought to implement this using MQTT. Node-RED should then send the data back to Blynk. So I have a nice app on the phone that I can even share. Since these little devices are not for me, I do not always want to have my own Raspberry available on the internet.
Maybe someone of you has a better idea how to do that. I've been working with Arduino for a long time, but I'm not a professional for a long time ;-).
The offer from Oracle sounds very promising! I think I'll test it! Unless someone else has a completely different solution for me.
With a little help along the way I have the Oracle VM up and running with Node-RED.
It seems to be running well, and very quickly, although the flow is only small at the moment.
One pointer missing from the tutorial is to secure Node-RED at the first opportunity, because as soon as you type node-red-start it's exposed to the world, with no security whatsoever.
(I've messaged the author)
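The exposure described in the post above, as an added example that is not part of the original thread or the tutorial: a small audit of a Node-RED `settings.js` object. `adminAuth`, `https` and `httpNodeAuth` are Node-RED's setting names; the function, the sample objects and the placeholder hash are constructed for illustration.

```javascript
// Added example: audit a Node-RED settings.js object for an exposed editor.
// Key names are Node-RED settings; every sample value below is constructed.
const BCRYPT = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function auditSettings(s) {
  const findings = [];
  const flag = (key, issue) => findings.push({ key, issue });
  const auth = s.adminAuth;

  if (!auth) {
    flag("adminAuth", "editor and admin API accept anyone who can reach the port");
  } else {
    if (auth.type === "credentials") {
      const users = auth.users || [];
      if (users.length === 0) flag("adminAuth.users", "no users defined");
      for (const u of users) {
        if (!BCRYPT.test(u.password || "")) {
          flag("adminAuth.users", `${u.username}: password is not a bcrypt hash`);
        }
      }
    }
    if (auth.default && auth.default.permissions === "*") {
      flag("adminAuth.default", "anonymous visitors get full editor access");
    }
  }
  if (!s.https) flag("https", "Node-RED itself serves plain HTTP");
  if (!s.httpNodeAuth) flag("httpNodeAuth", "HTTP In routes have no authentication");
  return findings;
}

// Shape of a bcrypt hash, not a real one (constructed placeholder).
const PLACEHOLDER_HASH = "$2b$08$" + "A".repeat(53);

// A settings object with nothing configured yet (constructed sample).
const freshInstall = { uiPort: 1880 };
const hardened = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: PLACEHOLDER_HASH, permissions: "*" }],
  },
  https: { key: "<PEM private key>", cert: "<PEM certificate chain>" },
  httpNodeAuth: { user: "sensor", pass: PLACEHOLDER_HASH },
};

for (const f of auditSettings(freshInstall)) console.log(`${f.key}: ${f.issue}`);
console.log("hardened findings:", auditSettings(hardened).length);
```

If TLS is terminated by a reverse proxy in front of Node-RED, the `https` finding applies to the proxy configuration instead.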
To distribute / collect sensor data you could also use some public MQTT service - would simplify the whole process.
My personal experience with Oracle: I avoid it, if possible...
Thanks Paul, I've updated the blog post to mention securing the instance. I'll work next to update the post to show how to add HTTPS.
Do you think a self-signed cert is adequate for Node-RED, or do you think a full Let's Encrypt SSL cert is necessary?
Depends what you want to achieve. If you want the client to be able to validate the cert (which you should) then you either have to distribute a secure trusted root cert to all clients or simply use a cert signed by something that is already in the trusted root certs (e.g. Let's Encrypt).
Generally, LE is so easy to use now that there is little point in going to the effort of creating your own certs. It is easy to create a worthless self-signed cert, hard to create a secure one. My advice, use LE.
It's got to be a better option than self signed. Maybe it takes a little more initial setting up, but less work in the long term.
Let's Encrypt would get my vote.
Walter, do you have a view on this?
Nowadays, not even that much more setting up. Unless you would like a shiny A+ rating to show up on ssllabs, which takes a bit more effort in configuration. But setting up LE is hardly more work than calling OpenSSL yourself to generate a certificate and deploy that one instead. Especially once you have certbot running, adding more domains is a piece of cake, and renewing is just an extra line in cron below your previous certificate.
Dear Paul, not really anything to add. I have had my VPN running on a Pi for years now with self-signed certs. If I would redo it again today, I would maybe do it a bit differently, using PiVPN and also use Let's Encrypt.
Here are some guides I would look into (the third in German, it describes a smart solution how you can automate the certificate renewals)
The built-in Let's Encrypt renewal script works just fine. I'm using it and have done now for probably a year or so.
Just this statement makes me a bit worried:
> Using a Let's Encrypt certificate, or any public certificate authority issued SSL certificate, is insecure by default.
Like many others I presume, I run the OpenVPN server on a RPi3 with self-signed certificates. In the discussion thread in the link above, it is stated that it is insecure to use Let's Encrypt certificates in combo with OpenVPN; instead, self-created ones are encouraged!
Could someone kindly sort things out for us? What to do and how to? Provided you are running OpenVPN as your VPN server. Is there a risk using Let's Encrypt certs in such a combo?
I think this would be extremely useful for all our NR users to know, wanting access to NR from outside their home network. Especially now when it has been made so much easier to install and setup a vpn server (PiVPN installer)
Certificates only provide assurance. If a client doesn't validate the whole certificate chain, by definition it is insecure.
So a self-signed certificate can be a lot more secure than one that is signed by a "trusted" public root certificate(1). But only if you take the time to generate and manage your certificate chains and keys very carefully. And only if you provide your own root certificate to the clients so that they can validate the certificate chain. Consider a root certificate and its private key as the "keys to the kingdom". Mismanage that and every certificate and key that you've generated from it is insecure and ones that an attacker may have generated from it may also be in your network.
If you've spotted a load of if's and but's in there then 10/10. Certificate-based security is HARD to get right, even harder to KEEP secure. And very EASY to screw-up.
The most important point here though is whether this makes any material difference in your case? And I would say that it does simply because you have put your security endpoint on a VPS. Is it enough of an issue to worry about? Well, that depends on what your home network has access to, what you are controlling, what could a botnet make use of? Only you can answer that.
The advantage of using Let's Encrypt (apart from it being free) is its short lifetime. This limits exposure by requiring an attacker to regularly have to grab your new cert/keys.
In your case, I would estimate that an LE cert would be marginally more secure than something you create yourself (assuming the clients are all validating them) but it does require you to have one or more public domains to register against. Though I doubt it will make much actual difference to you.
(1) The big problem with public certificate authorities is that there are too many of them and it is hard to prevent root CA's signing inappropriate certificates - for example some foreign government creating "Google" certs. Because trusted root certs mean that browsers and other clients automatically trust a cert signed by one, that can introduce massive vulnerabilities. For example, there are Arabic countries (they are not alone) that have managed to get trusted root certs created by government sponsored organisations which lets them stage man-in-the-middle attacks at a nation level.