Why the disconnection?
What should I have in my nginx conf.d directory to make test.com successfully redirect to Node-red?
How does nginx even know that I requested test.com since the DNS server redirected it to the IP address?
You may well have covered it Julian, I'm lagging reading your emails. But, I don't know what a websocket is, or indeed many of the terms used regarding networking. I guess it's a TCP connection to a particular port but perhaps not.
I presume the too many connections (? Not at pc) is due to a loop, and the 5 sec delay is how long it takes to loop that many times.
Sorry, my bad, I forget that not everyone has had over 40 years experience in IT!
Websockets (WS or WSS when secured with TLS), are a real-time communications channel that runs over HTTP(S) - ish. The client makes an HTTP(S) connection to the server which is then "upgraded" to WS(S). A bit hard to see on the Editor's page:
That is from the network tab in the browser dev tools. Code 101 is the "upgrade" response code. Click on that line and you will see the "realtime" messages going back and forth:
As a side-note, UIBUILDER and the 2 Dashboards all use Socket.IO which is a richer service built over HTTP (long polling) and WS. It can fall back from WS to regular HTTP polling requests and does lots of clever things like creating specific comms channels.
Yes it is - to the same port as your HTTP(S) connection - both can exist at the same time.
Not sure if it is a loop or simply a configuration issue to be honest but the info I shared in our 1-2-1 chat gives some ideas on how to resolve it I think.
Well that's giving you a 404 so not sure if that is a valid endpoint? Have you moved the NR admin root? Mine is at :1880/red/, not at the root URL As I don't think it makes sense to have the Editor off the root URL. So if you moved it, it would need to be at ws:/xxxxxxxxxx/red/comms in my case.
Also, did you implement redirection to https? If so, you would need to be using wss rather than ws.
I think that I shared the relevant ws/wss NGINX config with you for node-red?
The editor still loads correctly at 192.168.1.28:1880 (this is the Pi which has nginx installed too, I am accessing it from a PC at 192.168.1.33).
I think that means I have not moved the Node-red admin root.
Sorry, I don't know what an endpoint is. Is it different from a URL?
When I point the browser to test.com, nginx applies the rule
proxy_pass http://127.0.0.1:1880/;
The editor page loads. Does that mean it's a valid endpoint?
Then the connection drops because of the error[s]. Does that mean it's not a valid endpoint?
Pointing the browser to test.com:1880 loads the editor and the connection does not drop.
I have not yet got as far as https. In fact I have had to disable the browser setting "Https Only" for this experiment with nginx.
You did send me a bunch of nginx config code. Unfortunately the terminology defeats me - eg "Core variables is ..." What are core variables (etc)?
I'm going to try following some much more basic nginx tutorials unconnected to Node-red.
Generally, it means that you haven't applied the required websocket proxy rules.
That is normal. For a complete secure setup, you would redirect port 1880 back to port 80 or simply block all access at a firewall level to anything other than ports 80 and 443 (which is the default port for https).
Core variables are things that control the basics of the proxy. Things like the domain name you are using, stuff like that.
One of the things I sent was a websocket config. You need to load that to the nginx location for the node-red editor. You would also need to load it to locations for /ui, /dashboard, and any UIBUILDER and http-in/-response locations.
An endpoint is a serviced URL or set of URL's.
A location is an endpoint that you want to apply specific proxy rules to. Or it might be an endpoint that you want to serve up using NGINX as a web server.
A URL is a single connection point, e.g. a page or a specific API
The initial setup of NGINX as a reverse proxy is, as you are seeing, reasonably complex. But once done, it will "just work".
As with splitting up complex JavaScript into functions, it is good to split the config into separate files and include them as needed. Particularly for websocket and security config as you have to repeat those for each managed location.
At the moment I am concentrating on accessing Node-red entirely within my local network, it should work without internet access.
I'm using mobile broadband, which is metered.
I believe Tailscale (or Zerotier, which I do use) requires a connection via the internet.
I recently advised someone regarding minimal security for Node-red.
Initially I said set a username and password, but then I considered that a password without encrypted networking does not really enhance security and withdrew the advice.
There is almost certainly nobody sniffing my wifi for passwords, however to permit a secure username/password I need to encrypt the LAN with https certificates.
For this I hoped nginx would help, though I think it may be unusual to use https on a home lan, obviously it must be normal for a corporate network.
So far though I am only trying to get nginx http redirection working.
@TotallyInformation I notice you said "Don't forget to tell Node-RED to trust the proxy."
I've not done anything in Node-red so perhaps that explains the connection refused error.
In settings.js there is this
/** If you need to set an http proxy please set an environment variable
* called http_proxy (or HTTP_PROXY) outside of Node-RED in the operating system.
* For example - http_proxy=http://myproxy.com:8080
* (Setting it here will have no effect)
Tailscale does require a connection to the internet to get connected, but this should be minimal. The data between the devices then goes direct on your LAN, not via the internet. I think the mobile bandwidth used should be absolutely minimal.
Really, if you use a strong wifi password and keep the router firmware up to date then I don't think you need worry. That is assuming that you are a home user and don't have state or valuable commercial secrets that you need to protect. Perhaps @TotallyInformation could comment on this?
You misunderstand Colin. I am not worrying about the security of my system. I advised someone else about the security of their system and I'm worrying about the quality of my advice.
And as I typed that I ran out of data for this month. (Fallback to phone hotspot now) Can't accept that running out of data would interrupt services entirely on the LAN.
Not THAT unusual. I'm using it on my "live" home server. But it is less usual because stopping your browser(s) from complaining about things does require a bit more setup.
I think you could possibly just set it to http://localhost but I'm not entirely sure.
To be honest, I add some ExpressJS config to get it to trust the proxy. As you can see, I get it to trust the entire localhost subnet for both IPv4 and IPv6:
/** The following property can be used to pass custom options to the Express.js
* server used by Node-RED. For a full list of available options, refer
* to http://expressjs.com/en/api.html#app.settings.table
*/
httpServerOptions: {
// http://expressjs.com/en/api.html#trust.proxy.options.table
'trust proxy': '127.0.0.1/8, ::1/128', // true, // true/false; or subnet(s) to trust; or custom function returning true/false. default=false
},
That lets it trust all proxying from the local host but does not trust any proxies from anywhere else.
Tailscale is a VPN which is very different to a local reverse proxy.
A reverse proxy has a number of advantages. You can make it the TLS termination which is far more efficient than making node.js do it. It will also provide http caching which can greatly improve performance.
Lots of other things it will do for you - NGINX is, of course, also a highly efficient web server.
Whether any of this will make a big difference to a home setup might be debatable of course. But certainly it adds some performance and security.
Security wise, it can add far more detailed authentication requirements down to location level so, for example, you could add a login to an individual http-in/-response or to a uibuilder URL. You can also pass security headers on to D2 or UIBUILDER to make use of that in your flows.
