I am new to NR. Developed a simple flow on an RPI. I want to expose it to the internet. But I need to harden my env first. Tried to lock down Admin login using npm install node-red-auth-github but that crashed.
So my next idea is to avoid the whole Admin login issue by serving a separate production app on a different port - with no Admin login. I assume this is possible but how?
I would update the prod server using a script that
One step would be to include details of what crash you saw so we can try to address it.
By 'no admin login' I assume you mean disabling the editor entirely, rather than not requiring a login.
You can disable the editor and admin api entirely by setting httpAdminRoot to false and disableEditor to true in your settings file. That leaves you with no way to edit the flows unless you have file-system access to either re-enable them, or to replace the flow file and restart NR.
It turns out I needed sudo to install node-red-auth-github (error message not very helpful), so I can continue down that path.
Yes, when I say no admin I mean having no editor access.
But I want to have the editor for local development/test and have a separate production environment (on another port) without the editor. This is a common use case and should be straightforward - or?
I should add that maybe I don't need a full-blown Node-RED environment for production (2). Perhaps my flow is just a bunch of js/html/css files I can throw into a simple web server. Or?
Not currently possible but it actually shouldn't be that hard to implement I wouldn't think. Would need careful thought about backwards compatibility of course.
One to add to the ever lengthening list of futures? It would certainly be useful and could easily help with Node-RED security.
At least, you could put your web app onto a different instance from everything else and let the admin instance push data to the user instance.
You could also easily create a simple web server of course if all you need is static assets. If you need your static assets to talk to Node-RED then uibuilder might also help - you can, if you need to, serve up uibuilder front-end assets from a different server, that was covered by me in another recent thread.
You can run two instances of Node-RED by pointing them at different user directories using the -u command line parameter. They can then have their own settings files and flow files allowing them to run on different ports.
Alternatively, you could run multiple instances using docker, exposing them on different local ports.
Thanks for the help. I ended up setting up HTTPS and a username/password on the editor like you suggest, with the excellent help from Richard Wenner https://www.youtube.com/watch?v=z9a_ztJqaII
I am still wondering if it is straightforward to copy a "flow" and run it in a server like express.js
Setting httpAdminRoot to false will stop it from exposing the admin routes. It will not stop it doing all the internal work to create those routes.
Setting disableEditor to true will cause it to skip doing the work (including loading node html into memory) to create all the server-side editor resources.
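
The settings discussed in this thread, as an added example that is not part of any post above and not Node-RED's own code: a small pre-deployment check for the settings object of an instance started with its own user directory via -u. The property names are real Node-RED settings; auditSettings() and both sample objects (ports, placeholder key and certificate) are constructed for illustration.

```javascript
// Audit a Node-RED settings object before exposing the instance to the internet.
// httpAdminRoot, disableEditor, adminAuth, https, uiPort and flowFile are real
// Node-RED settings; auditSettings() and the sample objects are constructed.

function auditSettings(settings) {
  const findings = [];
  const adminOff = settings.httpAdminRoot === false;

  if (!adminOff) {
    findings.push('httpAdminRoot is not false: editor and admin API routes are served');
    // A login only matters while the admin routes are still reachable.
    if (!settings.adminAuth) {
      findings.push('adminAuth is not set: editor and admin API need no login');
    }
  }
  if (settings.disableEditor !== true) {
    findings.push('disableEditor is not true: editor resources are still created');
  }
  if (!settings.https) {
    findings.push('https is not set: traffic is served over plain HTTP');
  }
  return findings;
}

// Constructed sample: local development instance, editor on, no login, no TLS.
const devSettings = { uiPort: 1880, flowFile: 'flows.json' };

// Constructed sample: production instance on another port, editor removed.
const prodSettings = {
  uiPort: 1881,
  flowFile: 'flows.json',
  httpAdminRoot: false,   // no admin API or editor routes
  disableEditor: true,    // skip building the editor resources as well
  https: { key: '<private key PEM>', cert: '<certificate PEM>' }, // placeholders
};

for (const [name, s] of [['dev', devSettings], ['prod', prodSettings]]) {
  const findings = auditSettings(s);
  console.log(`${name} (port ${s.uiPort}): ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

With both httpAdminRoot and disableEditor set as in prodSettings, the flows can only be changed with file-system access, as described earlier in the thread.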