Node Red as Public facing websocket server

Hello,

I would like to use node red as a public facing websocket server. Essentially I have a few client apps out on general internet that need to exchange messages. I have this working on a LAN at home, but would like it to work on normal internet.

Ideally I would have node red running on something like AWS, but I'm struggling to figure out how to only expose the websocket side of it to the public internet, without exposing the whole dashboard.

Is there a secure way to do this?

Thanks in advance,
Dan

This request comes with a whole load of potential security issues and I just want to check first that you are aware of them.

  1. You MUST use HTTPS.
  2. You SHOULD prevent access using authentication.
  3. Websockets do not do security as well as HTTPS does. It is very hard to have session expiries with websockets because they do not support custom HTTP headers after the initial connection.

The easiest approach would be to use something like Cloudflare Zero Trust to be a front-end proxy which gives you automatic security of both HTTP and WS and lets you have up to 50 user accounts even on the free tier.

Then you need a websocket-in/-out pair of nodes.

You give the -in node a path which is added to the URL of your node-red user-facing endpoints. e.g. https://localhost:1880/ws/example.

Websocket clients do an initial connection over http(s) and then upgrade the connection to websockets using the same URL. This is using Socket.IO but the principles are the same:

An initial connection with a 200 status code and then another upgraded connection with a 101 code that remains open.

Using something like Zero Trust gets you security for your initial connection but does nothing for ongoing session expiry. That means that a socket that successfully connects never gets disconnected (by the server anyway). Whether this is an issue for you, only you can say.

Will you be accessing this from a random audience or from a defined set of machines/users?

If it is a defined set I would definitely look at a VPN solution of some description - be that an SDN such as Zerotier etc., or Cloudflare, or Wireguard etc.

Craig

Sorry Craig, just to clarify: there is a big difference between standard VPN solutions such as Wireguard and proxy-style solutions such as Cloudflare Zero Trust, Zerotier and NGINX.

Actual VPNs should be treated with caution as they extend your local network to remote devices - often this is not what you want and can be a security nightmare.

The proxy-style solutions are much better for most people as they restrict your exposure.