Hi, I know there are plenty of topics on ways to secure node-red code. I read lots of them but for one thing or another they don't comply with my needs.
So my question is: I have a remote server where I would like to set the working folder. As far as you know, is there a possibility to use it without setting up a VPN? For example via SFTP or something similar? Without saving it locally, of course.
I have tested that once node-red is running, even deleting all the files in the working directory, obviously it continues working, so eventually internet connection holes shouldn't be a problem.
What do you think? Is this idea viable?
You can certainly put Node-RED onto a cloud server and access that server remotely using SSH (command line) and SFTP (file transfer) along with Node-RED's web interfaces. The issue you have is that you must secure node-red's web interfaces in this case otherwise you are asking for trouble. Depending on what your node-red instance is doing will depend on whether that trouble will result in a prison sentence, loss of money, your house burning down or merely a minor annoyance (obviously I don't know what you are using it for so I don't know what your impact would be). That also somewhat depends on what country/countries you are operating in and their laws.
What I do know is that leaving potential holes in cloud servers will eventually result in that server getting compromised and used for something nefarious. This is a much more common scenario even than having your application hacked. Not that you will ever likely know that you are causing harm to others because you will probably never notice unless some external agency comes knocking on the door.
In regards to someone deleting your files while node-red is running. It is true that much (most) of node-red and its data is kept in memory when running. But not necessarily everything. So deleting the underlying folders will eventually result in a crash. But that might take hours or even days to happen.
Also, don't forget that node-red will not be the only thing on your server so if someone has the ability to make changes to the filing system, anything could happen.
Thanks Julian, yes I agree with you. Probably I didn't explain it properly.
Node-red is installed locally, and I want it to run locally, not remotely on the server. On the server I just want the working directory, which I can set as an option when node-red starts.
That isn't impossible. But most likely is unworkable. At the very least it would be fragile.
If your local OS supports remote filing systems, then you could certainly mount a remote filing system. How secure it would be would depend on the OS. On Linux for example, I believe you can even mount SFTP or SSH based filing systems (though certainly check that out, I've not looked for years as it isn't common for good reason).
On Windows, you won't have anywhere near as many options. However, something like Azure File System is a remote cloud solution from Microsoft that integrates with Windows.
Another alternative would be to use a synchronised file system. There are many cloud storage solutions that provide a sync tool. There are limitations though as they typically don't like very rapid file changes and often don't cope well with really big, deep folder structures which, I'm afraid is typical of node.js based applications. With care, though, this could be a really good solution.
With all of these though, you do have to be careful of network conditions and you are tying together the local and remote systems. Such tight coupling often (usually) creates a fragile system with many failure modes.
I see.
And what about just linking a remote folder/JSON files on the server? In the end, node-red is installed and runs locally. I just want the JSON files not to be saved locally.
Or maybe this idea is just meaningless?
I forgot to say that yes, locally I have a Raspberry and Debian as the remote server.
No, you can't do that. You can only link to a filing system. Soft links can cross filing system boundaries (hard links cannot) but the target must still be a recognised filing system. You would either need to mount the remote FS or synchronise from it.
OK. Thanks so much. And what about this?
I can make a simple script in C++ that auto-starts only if certain conditions are met (IP, MAC address, user, etc.). Obviously it will be compiled. This script will mount the node-red working directory. Of course, in this scenario everything will be local, no more remote server.
If this is easier and safer:
- Can compiled C++ data be easily read? And the unmount path? (even putting the card in another Linux system)
- Instead of an unmount path, if with the same logic via a compiled C++ script I can encrypt/decrypt a dir, security-wise is it the same or not?
Well, I'd say you could do that with scripts, no need for C.
If you want the remote data to be encrypted then that is good. Just grab it using SCP or SFTP - maybe on a schedule if it changes. Unpack and decrypt it locally and restart node-red so that it picks it up.
Similarly, if you make local changes, on a schedule pack and encrypt the data and SCP/SFTP it to the remote server.
No, the problem is not the remote data or its transfer. The problem is the JSON files that contain the flows. I want to prevent them from being stolen, read, or transferred to other machines.
That's why I was thinking of keeping them on a remote server or finding a way to keep them encrypted locally and just opened in RAM when node-red starts.
Basically I would like to avoid having them locally in plain text.
Sorry, no, that is not possible. The only thing you can do is serve Node-RED remotely and configure it to prevent access to the underlying filing system - not that easy since node-red is designed as a general purpose compute platform.
Well the storage sub-system is pluggable so you could create your own storage plugin that does encrypt/decrypt on the way out and back in... but of course you then have to manage the keys as well - and of course unless you turn off admin access you can always use the admin api to getFlows to get them unencrypted into an object.
Hi dceejay. Can you explain it better? How to manage the keys shouldn't be a problem
See the storage API here. Storage API : Node-RED
You can implement your own storage module
Thanks @dceejay, I think it could be what I need, but unfortunately I'm not able to understand how to proceed. It's something quite new to me. I've never used an API in such a deep way, nothing at all in node-red.
Could you please give me some tips/steps on what I should concentrate on and study?
This is an example that uses the cloudant database as the store - node-red-app/cloudantStorage.js at master · IBM/node-red-app · GitHub
The default file storage one in the core is here - node-red/packages/node_modules/@node-red/runtime/lib/storage at master · node-red/node-red · GitHub
You would need to create your own that modifies the required methods to include whatever encryption/decryption you need - such that the API is the same. Yes it is an advanced topic.
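The approach described above, sketched as an added example (not code from this thread, Node-RED core, or the linked repositories): a wrapper that keeps the storage API unchanged but encrypts on `saveFlows` and decrypts on `getFlows`. The names `seal`, `unseal`, `encryptedStorage` and `memoryStore` are hypothetical, the in-memory store stands in for a real storage module, and the key is assumed to be supplied from outside the flow directory.

```javascript
// Added example: encrypt Node-RED flows at rest by wrapping a storage module.
const nodeCrypto = require('node:crypto');

// AES-256-GCM envelope: fresh 12-byte IV per save; the tag detects tampering.
function seal(key, value) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return { enc: 'aes-256-gcm', iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), data: data.toString('base64') };
}

function unseal(key, env) {
  if (Array.isArray(env) && env.length === 0) return []; // first run: nothing saved yet
  if (!env || env.enc !== 'aes-256-gcm') throw new Error('refusing non-encrypted flows');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  // final() throws if the key is wrong or the stored data was modified.
  const plain = Buffer.concat([d.update(Buffer.from(env.data, 'base64')), d.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// inner: the real storage module; key: 32-byte Buffer kept outside the flow directory.
function encryptedStorage(inner, key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('key must be 32 bytes');
  // Only the flow methods are overridden; everything else falls through to inner.
  return Object.assign(Object.create(inner), {
    getFlows: async () => unseal(key, await inner.getFlows()),
    saveFlows: async (flows) => inner.saveFlows(seal(key, flows)),
  });
}

// Constructed in-memory stand-in for a real storage module (demo only).
function memoryStore() {
  let stored = [];
  return { init: async () => {}, getFlows: async () => stored,
           saveFlows: async (f) => { stored = f; }, raw: () => stored };
}

async function demo() {
  const key = nodeCrypto.randomBytes(32); // constructed key for the demo
  const inner = memoryStore();
  const store = encryptedStorage(inner, key);
  await store.saveFlows([{ id: 'n1', type: 'inject', name: 'constructed-sample-flow' }]);
  return { atRest: inner.raw(), roundTrip: await store.getFlows() };
}
```

In `settings.js` the wrapped object would be passed as `storageModule`, as the Storage API page describes. This protects only the stored file: the runtime still holds the flows decrypted in memory and the admin API returns them, and the result is only as strong as wherever the key is kept.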
Thanks a lot. I'll study it