Node-RED - password for ui dashboard

I have made a dashboard for a client. They really do not like that anyone who have the url can access the dashboard. How can I secure the ui with a passord?
I have implemented a password for entering the dashboad editor.

Please see: https://nodered.org/docs/user-guide/runtime/securing-node-red

It's the httpNodeAuth setting.

Or put it behind a reverse proxy to secure it.

Thanks! Is it complicated to install? I'm new into Node-Red ....

I run the Node-RED on a VM in Azure. How do move forward with reverse proxy?

There are several ways with Azure. You can add a service to your VM like NGINX, Caddy, Apache or some other web server or you could run HAproxy. All can be configured as a reverse proxy, there are instructions for Node-RED floating around, a web search should turn them up. Remember to proxy websockets as well.

You can, in fact run Node-RED as an Azure web app as well, in that case, you use IIS as a reverse proxy and this happens by default which makes it really easy to secure and you can use your Azure Active Directory to provide identity management. If you are running a Windows VM, you can do the same.

Of course, you should also be ensuring that Node-RED either uses HTTPS natively or that the proxy terminates HTTPS. Never use authentication without HTTPS. If you use Caddy, it has built-in Let's Encrypt integration.


If you don't know how to secure web services to the Internet, I strongly recommend getting a professional to check and improve the security configuration. The above is friendly information and isn't intended to be "Secure". It is very easy to get security wrong.

2 Likes

@Lance99 It's not complicated to just enable the httpNodeAuth, you just have to uncomment the correct line of code within the settings.js file (it's line 136 in my case), restart node-red and everyone should be prompted to enter a password.

@TotallyInformation you are right, but since this whole thing is already running.... httpNodeAuth would already add security, even on http (if they choose a password that is not used somewhere else) within minutes. He can then of course add more things like https etc.

I'm afraid this is going to result in both unhappy customers and unhappy OP. Because just enabling a password is certainly not enough for an Internet connected instance of Node-RED.

No, I'm afraid it wouldn't be enough. Doing so will result in the password being presented in clear-text over the Internet. That will get cached in the local browser and at every cache point between the user and the server.

Please, ALWAYS enable https FIRST not last.

There are, of course, also other reasons for always wanting to present services over https but that is for a different discussion.

3 Likes

Currently I'm running one VM with password for the Node-RED editor. And one other VM has no password for entering the editor.
Should I install password for the editor, before I enable httpNodeAuth?

By the way, the two dashboards I'm doing contain no critical information for the client. They can live with no password, but would be happy if its possible in the near future.

If you leave the editor open, we've previously seen hacked versions of Node-RED. It can be used to attack other machines, spread malware, do phishing. It can also be used to gain a foothold in your VM. It could also be used to pass malware to your clients. The probably wouldn't be too happy then.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.