Secure WebSocket connection

Hello,

I connect to my home website via https and the website is connected via ws to Node-RED. The problem is that the browser does not allow mixed (secure and insecure) connection.

Question 1, is there a way to allow mixed connections?
Question 2, if question 1 is not feasible, how can I connect WebSocket in secure mode wss?

Thanks,
Daniele

I'm not going to repeat what I said (too much) - SECURE NODE RED!!!.

You have been warned, if you do not - you WILL BE a victim of open Node RED instances being hacked

But in answer to your question, set up SSL on Node-RED

To answer any questions about security/SSL : see here & here

Nothing further... your honor


There is - but as Marcus indicates - don't. And we won't help you do it.

The easiest way to fix this is to implement a proxy using something like NGINX. Let NGINX do the TLS termination so you don't have to bother messing with Node-RED. You also get the benefits of doing the security in NGINX.


Thanks for advising. I am not going to expose Node-RED to the internet at all.

Can you please help me understand where the risk you are mentioning is? Node-RED is not exposed to the internet and there is a secure https connection.

Thanks for advising, Daniele

If that is true - then fair enough. Therefore we are assuming these websites are accessed on the same LAN as Node-RED?

If that is not the case, then anyone (on the internet) can access your Node-RED, and then from there:

  • Brute force its password (let's assume you have at least set one)
  • Import a flow to infect your system
  • Scan your network for vulnerabilities
  • Capture in-memory passwords

Search for "hacked" on these forums and you will see many victims.
I strongly suggest - and I urge you - to understand security before doing anything further.

We have given you links - that's all we can do.

You said that you connect your website to Node-RED via websockets. That will presumably run in the browser unless your web server connects to Node-RED. That means that you are indeed trying to connect to Node-RED over the Internet.

So I think you need to explain a bit more how things are working.


First of all thanks for your attention to my "safety" topic. I am not an expert so I am more than happy to share my set up.

In my Raspberry I run a Lighttpd web server. My main purpose is to have a website that shows the instant power consumption of my Shelly EM meters.

So I have prepared the html code, and to extract the instant power consumption I have written javascript code that creates the web socket connection with Node-RED and extracts the power consumption from Node-RED, publishing it on the web site.

The power consumption of the Shelly EM meters is available through an API GET, for instance http://192.168.x.y/meters/0. Node-RED gets the data from the meter and returns it to the WebSocket instance.

The website uses an SSL certificate and it is accessible on a port different from the usual 443, just to be safe.

There is no password to access Node-RED and it is accessible via standard http.

If there is a security flaw I could limit the website access to the LAN only and access it through a VPN, even if I would prefer to have standard access to it.

What do you think? Please advise.

🤯

Currently your Node-RED editor can be accessed by anyone on the internet.

To me it sounds as if you have 2 ports open.

  • 443 - fine, that is quite normal for HTTPS
  • 1880 - a fully open Node-RED instance (with no password)

Stop looking at this post - and block access now at the router (block access to port 1880)

And read this over : Safely accessing Node-RED over the Internet
And whatever you do - DO NOT POST your website address here


Thanks for replying.
Forgive me if I am insisting, but why are you saying that port 1880 is open? I have never opened it!

Anyway, I have now found a way to scan my open doors, but 1880 has never been opened.

I have just tried with a port checker and it shows it closed.

  • Is this website open to the public?
  • Does this website connect to the Node-RED web socket in javascript code?
  • It must be open?

Maybe we are not understanding about how this website is being accessed?

Until yesterday the website was open to internet on a port different from 443, just to be safer. Yesterday I blocked port 443 and it is accessible only from LAN.
I could use a VPN to access to it but I would prefer to have it accessible from the internet.

YES, this website connects to the Node-RED web socket in javascript code.

In any case, as I am answering, I am also password protecting Node-RED.

Ok,

I would assume then that this socket connection is not successful if accessing the website from outside your LAN?

You are correct.
So having understood my set up, do you see any security concern? As I said, I have just password protected Node-RED and I will implement https access.

Second question, how can I solve the problem that this socket connection is not successful if accessing the website from outside my LAN?

By the way, for the https access, can I use the same certificate that I use for the web site?

Thanks!

Provided port 1880 is being blocked for public access (although it means your website will not work externally either because of the failed connection), I feel somewhat better.

This is where it gets difficult.
I am not good at the offerings with various tunnels - @TotallyInformation is all over that.

But if you know server side scripting (such as PHP), this is an avenue you could take,
i.e. get the server side script to make the connection (not the browser, i.e. javascript).

This means it's the web server making the connection, not the viewer's web browser.
As long as the web server and Node-RED are on the same LAN, they can speak.

And at the same time this allows your website to work, without the security risk of having port 1880 open.

PHP is perhaps not a subject covered on these forums - so you will have to research if the tunnel approach is not for you.

You can have the best of both, check out Cloudflare Zero Trust.

The websocket connection is FROM THE BROWSER. Therefore, the path for websockets is:

Client browser -> Internet -> your network -> Node-RED

Though the path for the web page would be:

Client browser -> Internet -> your network -> your web server

If you put everything behind Cloudflare Zero-Trust (or similar), you can use its security to protect everything without having to set up your own certificates and local TLS termination.

If you choose not to do it that way, you need to set up and configure your own domain, publicly cross-signed certificates (e.g. Let's Encrypt), NGINX with TLS termination and with a wss->ws proxy to route to Node-RED.


Honestly, ANY connection across the Internet to a resource really needs to be protected by TLS (e.g. HTTPS, WSS). Train yourself to just never do it any other way. You can do your own research as to why this is important even if you think your resources might not be important to anyone. For now though, please just trust that this is a basic requirement.

The great news is that, although a bit of a pain for the initial setup, you can still do all this for free if you need to. Thanks to services like Let's Encrypt and Cloudflare.

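To make the NGINX route described above concrete (TLS termination plus a wss->ws proxy to Node-RED), here is an added example configuration; it is not code from the thread or from the Node-RED project, and it assumes a placeholder hostname example.home.invalid, Let's Encrypt certificates at the default certbot paths, Node-RED bound to 127.0.0.1:1880 (via `uiHost` in settings.js) and a WebSocket-in node listening on the path /ws/power.

```nginx
# Added example, not from the thread. Assumed values: example.home.invalid,
# certbot certificate paths, Node-RED on 127.0.0.1:1880, WebSocket path /ws/power.

# Map the client's Upgrade header to the Connection header the backend needs.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects; nothing is served in the clear.
server {
    listen 80;
    server_name example.home.invalid;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.home.invalid;

    ssl_certificate     /etc/letsencrypt/live/example.home.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.home.invalid/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # The static power-consumption page (served here instead of Lighttpd).
    root /var/www/html;

    # Only the single WebSocket endpoint is reachable from outside.
    # Because "/" is never proxied, the editor and admin API on 1880 stay
    # LAN/localhost only even though the browser talks wss to this host.
    location = /ws/power {
        proxy_pass http://127.0.0.1:1880/ws/power;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # keep an idle socket open for an hour
    }
}
```

The page's javascript then connects with `new WebSocket("wss://example.home.invalid/ws/power")`, so the browser sees only a secure origin and the mixed-content block from the first post no longer applies; port 1880 itself stays closed at the router.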
