Securing Node-RED API

I am creating an API to communicate from an IIS webpage to Node-RED and back to the page. I have an HTTP In and an HTTP Out node. I am wanting to secure this API from unauthorized GET requests. Any suggestions on where I should start?

How/where are you running Node-RED? Is that also running on a Windows server with IIS? Because if so, there is a proxy tool that Microsoft use on Azure web services that you can use anywhere that integrates running Node-RED with IIS and opens up the ability to secure access using AD/AAD.

Generally, proxies are the most comprehensive way to secure things. Not only does it keep your Node-RED configuration simpler but you tend to get far more options and options that may be more battle-tested as well. Certainly, they will be more performant.

Node-RED is currently on an Ubuntu VM machine and IIS is on its own server. We are planning on using URL Rewrite to access Node-RED from the outside.

I would strongly recommend the use of a proxy server then. Something like NGINX, Caddy, or HAProxy with a suitable identity and access management integration. Especially if you are operating in an enterprise environment where you may already have an existing IdM setup.

Is there not a way I could just pass a token?
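
One way to combine the proxy advice above with the token idea in the last post, as an added example that is not from the thread: a small Node.js gate that checks a bearer token before anything is forwarded to Node-RED. The `/api/` prefix, port 8080, the `GATE_TOKEN` variable and all function names are assumptions; 1880 is Node-RED's default port, and TLS is assumed to terminate in front of the gate.

```javascript
// Added example, not from the thread: bearer-token gate in front of Node-RED.
const http = require('node:http');
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

// True only for "Authorization: Bearer <token>" whose SHA-256 matches.
// Hashing both sides yields equal-length buffers for the constant-time compare.
function isAuthorized(headers, expectedHash) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(headers['authorization'] || '');
  return m !== null && crypto.timingSafeEqual(sha256(m[1]), expectedHash);
}

// Decide the outcome before anything reaches Node-RED (assumed policy: GET on /api/ only).
function decide(method, url, headers, expectedHash) {
  if (!url.startsWith('/api/') || url.includes('..')) return 404; // hide editor and admin paths
  if (method !== 'GET') return 405;
  return isAuthorized(headers, expectedHash) ? 200 : 401;
}

// Reverse proxy: rejected requests are answered here, accepted ones are forwarded.
function createGate(upstream, expectedHash) {
  return http.createServer((req, res) => {
    const status = decide(req.method, req.url, req.headers, expectedHash);
    if (status !== 200) {
      res.writeHead(status, status === 401 ? { 'WWW-Authenticate': 'Bearer' } : {});
      return res.end();
    }
    const headers = { ...req.headers };
    delete headers.authorization; // the token stops at the gate
    const opts = { host: upstream.host, port: upstream.port, path: req.url, method: req.method, headers };
    const fwd = http.request(opts, (up) => {
      res.writeHead(up.statusCode, up.headers);
      up.pipe(res);
    });
    fwd.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(fwd);
  });
}

// Starts only when a token is configured; without one the gate refuses to run open.
if (process.env.GATE_TOKEN) {
  createGate({ host: '127.0.0.1', port: 1880 }, sha256(process.env.GATE_TOKEN)).listen(8080);
}
```

For the gate to mean anything, Node-RED itself should listen only on 127.0.0.1 (`uiHost` in `settings.js`) so it cannot be reached around the proxy.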