I am new to NR. I developed a simple flow on an RPI. I want to expose it to the internet, but I need to harden my env first. I tried to lock down the Admin login using npm install node-red-auth-github, but that crashed.
So my next idea is to avoid the whole Admin login issue by serving a separate production app on a different port, with no Admin login. I assume this is possible, but how?
I would update the prod server using a script that
One step would be to include details of what crash you saw so we can try to address it.
By 'no admin login' I assume you mean disabling the editor entirely, rather than not requiring a login.
You can disable the editor and admin api entirely by setting httpAdminRoot to false and disableEditor to true in your settings file. That leaves you with no way to edit the flows unless you have file-system access to either re-enable them, or to replace the flow file and restart NR.
Not currently possible, but it actually shouldn't be that hard to implement, I wouldn't think. It would need careful thought about backwards compatibility, of course.
One to add to the ever lengthening list of futures? It would certainly be useful and could easily help with Node-RED security.
At least, you could put your web app onto a different instance from everything else and let the admin instance push data to the user instance.
You could also easily create a simple web server of course if all you need is static assets. If you need your static assets to talk to Node-RED then uibuilder might also help - you can, if you need to, serve up uibuilder front-end assets from a different server, that was covered by me in another recent thread.
You can run two instances of Node-RED by pointing them at different user directories using the -u command line parameter. They can then have their own settings files and flow files allowing them to run on different ports.
Alternatively, you could run multiple instances using docker, exposing them on different local ports.
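Added example, not part of the thread or of Node-RED itself: a sketch of the two-instance layout suggested above (separate user directories via `-u`, with `httpAdminRoot: false` and `disableEditor: true` on the exposed one), plus a small check of what each settings object would leave reachable. The port numbers, the loopback binding and the helper `auditSettings` are assumptions made for illustration.

```javascript
// Constructed settings objects. In a real deployment each one would be the
// module.exports of settings.js in its own user directory (node-red -u <dir>).
// Port numbers and the loopback binding are assumptions for this sketch.
const editorInstance = {
    uiPort: 1880,
    uiHost: "127.0.0.1"        // editor reachable only from the Pi itself
};
const productionInstance = {
    uiPort: 1881,              // the port forwarded to the internet
    httpAdminRoot: false,      // no editor, no admin API
    disableEditor: true
};

const LOOPBACK = ["127.0.0.1", "::1", "localhost"];

// Hypothetical helper: lists what an instance would expose to the network.
function auditSettings(s) {
    const findings = [];
    // Without uiHost, Node-RED listens on all IPv4 interfaces.
    const networkReachable = !LOOPBACK.includes(s.uiHost || "0.0.0.0");
    if (!networkReachable) return findings;

    const adminApiServed = s.httpAdminRoot !== false;
    if (adminApiServed && s.disableEditor === true) {
        // disableEditor alone hides the UI; the admin API endpoints stay active.
        findings.push("admin-api-still-served");
    }
    if (adminApiServed && s.disableEditor !== true) {
        findings.push("editor-served");
    }
    if (adminApiServed && !s.adminAuth) {
        findings.push("admin-api-no-auth");
    }
    return findings;
}

for (const [name, s] of Object.entries({ editorInstance, productionInstance })) {
    const f = auditSettings(s);
    console.log(`${name} (port ${s.uiPort}): ${f.length ? f.join(", ") : "no admin surface on the network"}`);
}
```

The check only covers the editor and admin API; routes created by HTTP In nodes are still served on the production port and need their own protection, for example `httpNodeAuth`.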