Thanks for bringing this thread back to life. It's made me realize I need to update my own popular thread on running node-red on a VPS. TLS and general security has changed a lot from my post in May 2020.
One thing I've not seen covered here is that having your service online is a whack-a-mole job. There is no set it and forget it if you do this stuff yourself.
Choose your favourite web server (my preference is generally NGINX) and configure it as a "reverse proxy". As such, it sits between users and the Node-RED service and acts as an intermediary for all web (and websocket) traffic.
I don't expect you to write a howto guide on this but in 2022 I learned a lot about NEVER TRUST THE USER!!!! when it comes to TLS and nginx.
In my howto from May 2021 my certbot creates:

```nginx
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
```
This will no longer cut it! A man-in-the-middle can break TLSv1 and TLSv1.1 along with the use of downgrading ssl_ciphers now. I had one of my personal-use reporting systems hijacked while I was asleep by this method. I noticed the odd traffic the next morning and the lack of reports from the other device halfway across the country.
To anyone reading this thread: two times a day, morning/bedtime, I check/glance at my logs. And when I take my one 10 day vacation in the woods with no cell or internet access I have at least one nightmare about getting took.
If you are not seeing this regularly, you're not doing your job.
The bots/scripts have gotten so bad and the knowledge required to do a mediocre job of security has increased so much that I will no longer bother to write a howto to set up a (insert stack here). Whoever thinks they can follow a howto and never touch it again is just a roll of the dice away from getting took.
Now for a howto I have to explain how to set up the new SSL stuff (example):

```nginx
ssl_certificate /***/***/gluster-***/***-x/docker/host/service/letsencrypt-certbot/etc/letsencrypt/live/***.***.com/fullchain.pem; # edit domain name
ssl_certificate_key /***/***/gluster-***/***/docker/host/service/letsencrypt-certbot/etc/letsencrypt/live/***.***.com/privkey.pem; # edit domain name
# Only return Nginx in server header
server_tokens off;
ssl_dhparam /****/***/******/***/***/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "frame-ancestors 'self' '***.com' '***.***.com';";
## Strict Transport Security (HSTS): Yes
add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";
```

Then tell them that once a week they will need to read about TLS 1.2 and TLS 1.3 to see if they are broken, and to check all those SSL ciphers once a week to see if they are broken or, rather, secure enough to keep using.
I'm not perfect. I make mistakes. I'm not a security expert. If you have anything running node-red on the internet and it is used for any mission-critical infrastructure, HIRE a security expert to test your setup. Pay the consultation and yearly monitoring fee! Based on the size, expect to pay a few grand.
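The weekly "check your protocols and ciphers" chore above can be partly scripted. The following is an added example, not code from the post or from Node-RED: a small static audit of an nginx server block that flags the settings the post contrasts (legacy TLS versions, OpenSSL family keywords such as HIGH instead of an explicit list, ciphers without forward secrecy, server_tokens, session tickets, and a missing HSTS header). The two config strings are constructed inputs modelled on the old and new blocks above; the check list is the assumption, not a complete TLS policy.

```python
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Keywords that hand the cipher choice to OpenSSL's families instead of an explicit list.
BROAD_CIPHER_FAMILIES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}

def parse_directives(config: str) -> dict[str, list[str]]:
    # Map each directive name to its values; trailing comments are stripped.
    directives: dict[str, list[str]] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        name, _, value = line[:-1].partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives

def audit_nginx_tls(config: str) -> list[str]:
    # Return findings for one server block; an empty list means nothing was flagged.
    d = parse_directives(config)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    for cipher_string in d.get("ssl_ciphers", []):
        for entry in cipher_string.split(":"):
            if entry.lstrip("!+-") in BROAD_CIPHER_FAMILIES:
                findings.append(f"cipher family keyword {entry}: list depends on the OpenSSL build")
            elif not entry.startswith(("ECDHE-", "DHE-", "!")):
                findings.append(f"cipher without forward secrecy: {entry}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if d.get("ssl_session_tickets", ["on"]) != ["off"]:  # nginx default is on
        findings.append("ssl_session_tickets left on; without key rotation it weakens forward secrecy")
    if d.get("server_tokens") != ["off"]:
        findings.append("server_tokens not off; the nginx version is disclosed")
    if "Strict-Transport-Security" not in [v.split()[0] for v in d.get("add_header", [])]:
        findings.append("no Strict-Transport-Security header")
    return findings
# Constructed inputs: a 2021-style block and one shaped like the newer block above.
OLD_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
"""
NEW_CONFIG = """
server_tokens off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";
"""
```

Run `audit_nginx_tls(open("/etc/nginx/sites-enabled/node-red").read())` against your own server block; the old-style block yields seven findings and the new-style block none.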