Node-RED behind Reverse Proxy auth issue

Hello all,

Running Node-RED behind reverse proxy that does not point to subdomain (for example nodered1.server.com) but to specific path like server.com/nodered1 causes auth issues (and maybe more).

When I open server.com/nodered1, enter my credentials and click login my browswer is redirected to server.com/?access_token=asdf which is wrong. Expected behaviour should be to redirect to server.com/nodered1/?access_token=asdf

Is there any workaround for that?

One solution (not sure if stupid or clever :smiley: ) might be to look at the Referer header and comparing it with httpAdminRoot before doing res.redirect().

Or maybe it can be somehow done in other way?

Before you go any further down this route even once you get authentication to work for a single instance, you need to know that you can't run more than one instance this way. e.g. www.example.com/nodered1 and www.example.com/nodered2 because the editor currently stores it's access token in browser local storage which is only scoped to the hostname, not the hostname + path.

The solution to the first problem probably to include a rewrite option in your reverse proxy settings. Can you post what your proxy config and is it Nginx, Apache or Traefik?

editor currently stores it's access token in browser local storage which is only scoped to the hostname, not the hostname + path.

Ye but I do not need to be logged in to two instances at once. If token is invalid login dialog will pop out.

I figured out easy solution for my problem. It is to expose httpAdminRoot in the same path as in reverse proxy and everything works.

Proxy Apache config that works (treat it like a PoC):

ProxyPassMatch "/node-red/(([^\/]*)(?=[\/]))/(.*)" "http://svc-nodered-$1.nodered-test.svc:8080/node-red/$1/$3"
ProxyPassReverse "/node-red/(([^\/]*)(?=[\/]))/(.*)" "http://svc-nodered-$1.nodered-test.svc:8080/node-red/$1/$3"

In this scenario proxied path is /node-red/{tenant} and httpAdminRoot is also set to /node-red/{tenant}

There is at least 1 setting in Node-RED that tells it to trust the proxy, you may need to do that.

Otherwise, use your proxy to do authentication, not node-red. This is likely to be more flexible, and powerful anyway and creates a nice separation of concerns between node-red and the proxy.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.