Run node red HTTPS

I am experimenting with this tutorial running node red on the cloud.

Would anyone have any advice for securing node red on HTTPS? For just some experimentation site I really dont want to purchase a whole domain name to run an nginx bot which the tutorial goes thru.

Is this method fine of using the settings.js file to secure node red? Would the only advantage of using nginx be performance? I dont imagine my site getting hit a 1000 times per day its just myself running a mosquitto broker on the same Ubuntu cloud instance and some mqtt IoT experiments. Thanks for any tips not a lot of wisdom here.

Node-RED can happily handle serving it's self via HTTPS using the documented options, handing off HTTPS termination to Nginx can just make things a little simpler for a number of things e.g. not having to restart Node-RED when the certificates expire*

Proxying with Nginx also allows you to host other things like static files without having to set Node-RED up to do that as well.

I would really recommend getting a really cheap domain and using something like LetsEncrypt to provide real certificates signed by a public CA especially if you are not already familiar with using openssl to generate certificates and the understanding what needs to be done to user them securely (e.g. distributing CA certs to all the required clients and trusting them). You can reuse the same certificates with the MQTT broker as well.

*From 1.1.0 you can now get Node-RED to reload the certs using the function in the docs, but that's just getting trickier for the sake of it.

Great thanks for the tips ill go the nginx route, its something I have been meaning to learn anyways. As well as learning how to encrypt MQTT. Would you know of any tutorials for what you mention that the nginx can share certs with the MQTT broker?

No need to have Nginx do TLS termination for mqtt as well https, but it is possible using stream proxying.

You can just point the 2 separate config files (nginx & mqtt broker) and have a letsencypt post install script trigger the reload on both when the cert is updated.

But if you really want to here is an example that does MQTT TLS termination.

1 Like