Production server with no admin login?

I am new to NR. developed a simple flow on an RPI. I want to expose it to the internet. But I need to harden my env first. Tried to lock down Admin login using npm install node-red-auth-github but that crashed.
So my next idea, is to avoid the whole Admin login issue, by serving a separate production app on a different port - with no Admin login. I assume this is possible but how?

I would update the prod server using a script that

  1. copies the flow from the dev env to the prod env
  2. restarts the prod server


NOT recommended!

Hi @petercutting

One step would be to include details of what crash you saw so we can try to address it.

By 'no admin login' I assume you mean disabling the editor entirely, rather than not requiring a login.

You can disable the editor and admin api entirely by setting httpAdminRoot to false and disableEditor to true in your settings file. That leaves you with no way to edit the flows unless you have file-system access to either re-enable them, or to replace the flow file and restart NR.

1 Like

it turns out I needed sudo to install node-red-auth-github (error message not very helpful). so I can continue down that path

yes, when I say no admin I mean having no editor access

But I want to have the editor for local development/test and have a separate production environment (on another port) without the editor. This is a common use case and should be straightforward - or?


Node-RED doesn't provide a way to run the editor on one port and the runtime on another port.

Running the editor and runtime on different ports would have solved my problem nicely. But OK, its not possible

so my solution is 2 instances of node red on same RPI

  1. bog-standard development with editor on port X
  2. production (no editor) on port Y (router port forward to internet)

so I need to find out how to setup 2) but the google is of no help for some reason

I should add that maybe I dont need a full blown node red environment for production (2). perhaps my flow is just a bunch of js/html/css files I can throw into a simple web server. Or?

Not currently possible but it actually shouldn't be that hard to implement I wouldn't think. Would need careful thought about backwards compatibility of course.

One to add to the ever lengthening list of futures? It would certainly be useful and could easily help with Node-RED security.

At least, you could put your web app onto a different instance from everything else and let the admin instance push data to the user instance.

You could also easily create a simple web server of course if all you need is static assets. If you need your static assets to talk to Node-RED then uibuilder might also help - you can, if you need to, serve up uibuilder front-end assets from a different server, that was covered by me in another recent thread.

You can run two instances of Node-RED by pointing them at different user directories using the -u command line parameter. They can then have their own settings files and flow files allowing them to run on different ports.

Alternatively, you could run multiple instances using docker, exposing them on different local ports.

thanks for the help. i ended up setting up HTTPS and a username/password on the editor like you suggest. with the excelent help from
Richard Wenner

I am still wondering if it is straightforward to copy a "flow" and run it in a server like express.js

You need the Node-RED runtime to run a flow. It isn't just some html, js and CSS you can copy around.

Hi Nick, any reason disableEditor is required to be true while httpAdminRoot is false?

Would set httpAdminRoot to false be enough to disable the editor?


Hi @namgk

setting httpAdminRoot to false will stop it from exposing the admin routes. It will not stop it doing all the internal work to create those routes.

Setting disableEditor to true will cause it to skip doing the work (including loading node html into memory) to create all the server-side editor resources.