Noralink - secure access to node-red via the internet

Hi all,
I created a small little service that allows you to securely expose local servers to the internet and created a plugin for node-red:

Any feedback is appreciated!

Hi @andrei-tatar

Thank you for the contribution.

But may I suggest you detail to potential users on the:
to securely expose local servers

We have many battle-hardened security folk around here, and it's best to detail how your service works (without revealing any IP of course):

  • What security mechanisms are in place (encryption algorithms?)
  • Account/Server Access Security (Multi-Factor Auth, IP restriction?)
  • Does any middleware server see the traffic?
  • How does it compare to other offerings?

Whilst I, myself, don't need such a service, anyone who does, should understand how their server is protected.

This is not an attack on a service that offers "secure" server access, but as you can imagine - the word secure, means nothing these days, so such a service needs to be clear on how protection is implemented.

Visiting the Website/Repo - details nothing about how security is implemented, hence my suggestions.

Marcus

2 Likes

Very good point, thanks for the suggestion. I will add details on the main page/github repo.

  1. All the traffic leaving the machine, all the way to the browser, is encrypted using TLS 1.3; certificates are handled by Google Cloud. Basically the client that runs inside node-red tunnels the traffic via a secure WebSocket connection, and it's only accessible by the same user via a browser session.
  2. The account can be created with external providers, Google (soon to add GitHub), and email/pass. The email/pass auth method doesn't support MFA, but the email does need to be verified. There are no IP restrictions, but access to a user's tunnels is allowed only to the user that created the API key. The API key (that the node-red client needs) is generated from the browser; it's not stored in plaintext. Once shown it's gone; only the hash is stored. Authentication on the browser side is maintained via an HttpOnly, Secure cookie with a 12h lifetime. No IP restrictions added (yet).
  3. Nope, there's nothing in between. node-red <-> noralink.eu <-> user browser. Also, the client source code is open source and extremely lightweight. It can only access the hosts defined in the tunnels (server can't just decide to tunnel to other local things): nora-link-client/src/client.ts at main · andrei-tatar/nora-link-client · GitHub.
  4. It's super simple to setup, just a few clicks. My plan is to have a free tier and probably a monthly subscription (~ 2-3 eur/month) depending on the interest. If it's just a bunch of users and it doesn't need to scale, it will likely remain free since I need it anyways for my home access.

Phishing (or any kind of social engineering) attacks aside, I don't see an easy way to get access to user data. I'm also trusting this service with my personal home network.

Also, I'm open to suggestions for feature requests, improvements, bugs, etc.

2 Likes