Ok, I finally am moving forward with securing my Node-RED.
I am setting up a new Pi. At the moment I have set up security changes on the Pi itself, and I just installed Docker. I have installed Node-RED in Docker.
Questions: should I have installed a regular instance of Node-RED on the Pi, or is Docker good enough? (I won't be using any GPIO pins on this Pi.)
If Docker is good enough, how do I ensure that Node-RED starts up on reboot with Docker?
I plan on installing nginx next but want to make sure I have completed the other important steps first. I also plan on using Cloudflare with nginx to create a reverse proxy.
cheers.
Hi @9toejack
I'll approach this from my viewpoint (using bare metal).
I do not see any benefit in me using Docker on a Pi; in fact, I think it adds more complexity to my setup, and it will add additional resource usage with running the OS layer.
As for running Node-RED when my Pi boots, I use a self-created systemd unit file, where the user has been assigned to the groups needed to access serial ports and the like.
For completeness, my systemd file is below.
[Unit]
Description=Node RED
# Start once networking is up; the runtime begins serving on port 1880 straight away.
After=network.target

[Service]
Type=simple
Environment="NODE_ENV=production"
ExecStart=/usr/bin/node /home/NodeRED/node_modules/node-red/red.js --port 1880 --userDir "/home/NodeRED/.node-red"
WorkingDirectory=/home/NodeRED
# Dedicated unprivileged account; add it to the groups it needs (serial ports and the like) rather than running as root.
User=NR
Group=NR
# Restart after a crash, but not after a clean stop, with a short back-off.
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target
I didn't install Node-RED with any helper script; I simply ran the npm install routines (after, of course, installing Node 18).
Now then...
"if docker is good enough"
Why, of course it is, but my question is: why do you need Docker in the first place? Do you plan on adding other isolated images? If so, then Docker may be suitable.
I think it's more about preference, but for me, it has no benefit over a bare-metal install.
As I do not use Docker, I have no idea how you start it up on boot, but the systemd file I have shown may help.
Agree with Marcus; personally I save Docker for things that are complicated.
Manual installs of Node.js, Mosquitto, etc. Then I use my alternate installer to get a clean, self-contained folder structure that wraps Node-RED itself and the userDir, so I know where everything is, can control permissions exactly, and that lets me run different versions of Node-RED in parallel if I need/want to.
The alternate installer has a comprehensive and well-documented systemd script. And an example Node-RED settings.js that is an extension of the default with some (in my opinion anyway) improved settings with more env options (and a way to set those in systemd if you like) and the ability to dynamically change the Node-RED settings should you need to (dynamic in the sense of being able to do something like
/** Splitting the export this way allows us to dynamically override settings if we want to */
nrsettings.functionGlobalContext._port = nrsettings.uiPort
which can't be done with the default settings approach).
It also includes npm scripts for doing standard admin like restarts and those painfully complex journalctl commands to view the log.
A direct install of both Node-RED and NGINX also avoids the need to mess around with Docker networking.
Ok, so I need to remove Docker completely (I'll just reload the image on the SD card with a fresh install).
I'll redo my Pi security changes.
I'll install NR and MQTT,
make sure both start up at boot,
then I need to install nginx so I can start up the reverse proxy stuff.
Does that sound about right?
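The plan above (Node-RED and Mosquitto as systemd services that start at boot, nginx in front as the reverse proxy, and as few ports open as possible) as a script. This is an added example and not code from the thread, from Marcus's unit file or from the Node-RED project. It assumes the systemd units are named "nodered" and "mosquitto", that Node-RED itself is bound to loopback (uiHost: "127.0.0.1" in settings.js) so nginx is the only route to the editor, and that the hostname and certificate paths are placeholders you replace.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Node-RED project.
# Assumptions: systemd units "nodered" and "mosquitto" exist; Node-RED listens
# on 127.0.0.1:1880 (uiHost: "127.0.0.1" in settings.js); SITE_HOST and the
# certificate paths below are placeholders.
set -eu

NR_UPSTREAM="${NR_UPSTREAM:-127.0.0.1:1880}"
SITE_HOST="${SITE_HOST:-nodered.example.com}"   # placeholder hostname
ALLOWED_PORTS="${ALLOWED_PORTS:-80 443}"         # the only ports nginx should expose

# nginx site that becomes the single public path to the Node-RED editor.
# proxy_http_version 1.1 plus the Upgrade/Connection headers are needed because
# the editor and dashboard talk to the runtime over WebSockets.
render_nginx_site() {
  cat <<EOF
server {
    listen 80;
    server_name ${SITE_HOST};
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name ${SITE_HOST};
    ssl_certificate     /etc/ssl/certs/${SITE_HOST}.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/${SITE_HOST}.key;           # placeholder path
    location / {
        proxy_pass http://${NR_UPSTREAM};
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Audit: read `ss -H -tln` output on stdin and print every socket bound to all
# interfaces (0.0.0.0, * or [::]) on a port outside ALLOWED_PORTS. Node-RED
# (1880) and Mosquitto (1883) must never show up here once they bind loopback.
flag_public_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      addr = $4
      port = addr; sub(/.*:/, "", port)
      host = addr; sub(/:[^:]*$/, "", host)
      if ((host == "0.0.0.0" || host == "*" || host == "[::]") && !(port in ok))
        print addr
    }'
}

# Apply on the Pi (run as root): install the site, enable everything at boot,
# then audit what is actually reachable from the network.
apply() {
  render_nginx_site > /etc/nginx/sites-available/nodered
  ln -sf /etc/nginx/sites-available/nodered /etc/nginx/sites-enabled/nodered
  nginx -t
  systemctl enable --now nodered mosquitto nginx
  echo "Listeners bound to all interfaces outside ports ${ALLOWED_PORTS}:"
  ss -H -tln | flag_public_listeners
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `sudo sh setup.sh apply` on the Pi; the final audit line should print nothing but nginx's own ports. If 1880 or 1883 appear, the service is still bound to all interfaces and the reverse proxy is not yet the only way in. If SSH stays exposed, add 22 to ALLOWED_PORTS; with the Cloudflare tunnel approach mentioned later in the thread it need not be.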
It might seem like a lot of work, and make sure you document as you go along, because you never know if you might want to redo much of it in the future. But generally, once done, you should be good for years of low-maintenance serving.
Yes, I have really gotten good at re-installing Raspberry Pi OS, Node-RED, and MQTT,
and even setting the SSH port to a different number so I can access both Pis from home.
Hoping that when I figure out how to use nginx I won't have so many ports open,
and a more secure program.
I keep trying to do the secure Node-RED editor but then get confused halfway down the steps.
As mentioned in our chat, I now have browser-based remote SSH access using Cloudflare Zero Trust, so I don't need to expose SSH at all, which is nice.
Oh yes, that is right,
so when I'm going into that stage,
I have my ISP router, and then my internal router is wired to the ISP.
I will have the 2 basic ports forwarded to the internal network.
Then I can set up
brewboxssh.mydomain.com for one
and brewcontrolssh.mydomain.com for the other,
leaving all those special ports closed and not forwarded.
(And yes, I figured it was best to start the post, then PM.)
It does, however, frustrate me, and I'm assuming others, when I go through multiple videos that are a step one video and a step 2 video... and in one of the videos they talk about another feature that was never brought up in the earlier videos. I get lost when that happens.
But I keep trucking because I want/need to know what the heck I'm doing so I don't have to rely on someone doing part of my work.
cheers.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.