Node-RED, Apache, ProxyPass - no debug data

Hey All,

Issue: debug node doesn't work - no debug data

I have got an issue after securing Node-RED by Apache web server with ProxyPass and uiHost:127.0.0.1,
adminAuth.

  1. What I have:

[Issue]
When I run Node-RED in the browser locally (localhost:1880), everything works.
In the flows, debug nodes work (debug data is retrieved in the debug panel), and mqtt and mysql show that they are connected.
But when I run Node-RED in the browser on the WAN side, e.g. https://io.company.com/,
I can log in to Node-RED and I see running flows - the database accepts data from mqtt.
The problem is that the debug node doesn't work (nothing shows in the debug panel), the mqtt node doesn't show that it is connected, and the mysql node doesn't show that it is connected either.

Did I omit something in the configuration?

Best regards.
Bronto

The websocket connection back to the editor (debug) also needs to be allowed through your proxy.

2 Likes

@dceejay - I thank You
I have done some research on the web and found some information about RewriteCond for websocket. I have implemented that solution and now my Node-RED debug node works through the proxy.

Best regards
Bronto

2 Likes

@bronto any chance you could post a sanitized version of your Apache config? It would be useful as a reference.

OK - I could, no problem.

  1. There's a popout on that forum which tells us about security of Node-red.

In short: OS Ubuntu, Node-RED runs as the tux user.
Settings file in the tux home directory: /home/tux/.node-red/settings.js.
Three important parameters:

uiPort:process.env.PORT || 3005,
uiHost:"127.0.0.1",
httpAdminRoot:'/nodered',

And now

  1. Apache virtual host setup (SSL by letsencrypt)

ServerName example.com
ServerAdmin you@example.com
DocumentRoot /var/www/html/example.com

RewriteEngine On
RewriteCond %{HTTP:Upgrade}   =websocket    [NC]
RewriteRule /nodered(.*)              ws://localhost:3005/nodered$1 [P,L]

ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off

<Proxy *>
    Order deny,allow
    Require all granted
</Proxy>

ProxyPass 		/nodered		http://localhost:3005/nodered
ProxyPassReverse	/nodered		http://localhost:3005/nodered

ErrorLog ${APACHE_LOG_DIR}/error-example.com.log
CustomLog ${APACHE_LOG_DIR}/access-example.com.log combined

SSLCertificateFile       /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Above configuration works for me.

Best regards
Bronto

2 Likes

Awesome, thanks @bronto !

I currently have my http end points all proxied via Apache, but it would be nice to proxy the admin interface as well!

Hi,

I am having trouble dealing with the websocket connection with two Node Red instances: one local and another one on different Raspberry Pi in same private network. I had my local device (the one with Apache running) setup working by following this and this discussion. Here is my Apache Virtual Host configuration for all 443 traffic:

<IfModule mod_ssl.c>
<VirtualHost *:443>

RewriteEngine On
RewriteCond %{HTTP:Upgrade}   =websocket    [NC]
RewriteRule /node1(.*)     ws://localhost:1234/node1$1 [P,L]

ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off

<Proxy *>
    Order deny,allow
    Require all granted
</Proxy>

# This is the first (local) node-red instance, works well with the Rewrite lines above
ProxyPass /node1 http://localhost:1234/node1
ProxyPassReverse /node1 http://localhost:1234/node1

# This is the second node-red instance running on another Pi, ProxyPass works but websockets do not
ProxyPass /node2 http://192.168.x.x:1234/node2			
ProxyPassReverse /node2 http://192.168.x.x:1234/node2

ServerName mydomain.com
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


I have learned that I could separate the websockets by custom paths like this:

Node server:

var io = require('socket.io')({ path: '/ws_website1'}).listen(server);


Client HTML:

<script src="/ws_website1/socket.io.js"></script>
...
<script>
var socket = io('', { path: '/ws_website1' });
...

I am guessing that I should edit my node modules to make this happen, but I have no idea which one to look at. Any help would be greatly appreciated.

Thank you!
Hjellmarr

Hi all,

I am running node-red with https enabled (see http://www.steves-internet-guide.com/securing-node-red-ssl/) and wanted to proxy it from another account. Let's say NR is running at my.server1:1880.

There is a second server exposed via DNS at my.server2, and I wanted to use this address for node-red (without :1880). This server is running Debian10 and a clean installation of Apache 2, with ssl certificates from Letsencrypt.

Finally I managed to get node-red running without any rewrites.

I set /root/etc/apache2/sites-available/000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	ServerName my.server2
	
	SSLProxyEngine on

	#ProxyPreserveHost On
	ProxyRequests Off

	ProxyPass /comms wss://my.server1:1880/comms
	ProxyPassReverse /comms wss://my.server1:1880/comms

	ProxyPass / https://my.server1:1880/
	ProxyPassReverse / https://my.server1:1880/

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/my.server2/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/my.server2/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Hope this can help someone to get things running. wss://my.server1:1880/comms seems to be necessary to get websockets running.

Thank you, this works great! Took me a while to figure it out because not all the required Apache modules were loaded. I had to enable proxy, proxy_http, and proxy_wstunnel. Sharing in case others have the same issue.

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel

1 Like
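
To confirm from outside that a proxy like the ones in this thread passes the editor's WebSocket upgrade (the cause of the empty debug panel), a handshake check along these lines can be used. This is an added example, not code from any poster or from Node-RED; the function names are illustrative, the sample replies are constructed, and the editor socket path is assumed to be `<httpAdminRoot>/comms` (for example `/nodered/comms`).

```javascript
const crypto = require('crypto');
const tls = require('tls');
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed by RFC 6455

// Value the server must return in Sec-WebSocket-Accept for a given client key.
function expectedAccept(key) {
  return crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
}

// Handshake a browser sends for the editor socket (path assumed: /nodered/comms).
function buildHandshake(host, path, key) {
  return [`GET ${path} HTTP/1.1`, `Host: ${host}`, 'Upgrade: websocket',
    'Connection: Upgrade', `Sec-WebSocket-Key: ${key}`,
    'Sec-WebSocket-Version: 13', '', ''].join('\r\n');
}

// Parse the raw response head and report whether the upgrade got through.
function classifyResponse(rawHead, key) {
  const [statusLine, ...lines] = rawHead.split('\r\n\r\n')[0].split('\r\n');
  const m = /^HTTP\/1\.[01] (\d{3})/.exec(statusLine);
  if (!m) return 'not-http';
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  if (m[1] !== '101') return `no-upgrade (HTTP ${m[1]})`;
  if ((headers.upgrade || '').toLowerCase() !== 'websocket') return 'bad-upgrade-header';
  if (headers['sec-websocket-accept'] !== expectedAccept(key)) return 'bad-accept';
  return 'websocket-ok';
}

// Live check against your own proxy; reads the first chunk, which normally
// holds the whole response head. Resolves to one of the labels above.
function probe(host, path, port = 443) {
  return new Promise((resolve, reject) => {
    const key = crypto.randomBytes(16).toString('base64');
    const sock = tls.connect({ host, port, servername: host },
      () => sock.write(buildHandshake(host, path, key)));
    sock.once('data', (d) => { sock.destroy(); resolve(classifyResponse(d.toString('latin1'), key)); });
    sock.once('error', reject);
  });
}

// Constructed sample replies: proxy without the websocket rule vs. with it.
const KEY = 'dGhlIHNhbXBsZSBub25jZQ==';
const WITHOUT_RULE = 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n';
const WITH_RULE = 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n';
console.log(classifyResponse(WITHOUT_RULE, KEY), '|', classifyResponse(WITH_RULE, KEY));
```

Calling `probe('example.com', '/nodered/comms')` against your own host should resolve to `websocket-ok` once the rewrite or `wss://` ProxyPass rule and `proxy_wstunnel` are in place; if adminAuth rejects an unauthenticated socket, that happens after the 101 response.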