Security and node-red

Manuel_o · 14 August 2023 21:35

I am aware that there are numerous valuable guides and articles available concerning the security of Node-RED. I have extensively perused many of these resources and endeavored, to the best of my ability, to adhere to the recommended practices and integrate them into my project. For those who may be interested, I will provide a succinct overview of my project and the security measures I have undertaken. Your insights and suggestions are most welcome.

Project Overview:
In my project, I interact with and manage a dosing pump via a Raspberry Pi. The Raspberry Pi hosts a Node-RED flow responsible for collecting data, which is subsequently transmitted to my MQTT broker. This broker operates on a Virtual Machine (VM) under my ownership. On this VM, another Node-RED flow functions, enabling me to visualize the MQTT data through a dashboard and exert control over the pump as needed. The structure is simple:

PUMP <----> RASPBERRY PI <-----> NODE-RED <------> MQTT <-------> NODE-RED (dashboard)

To access the dashboard and manage the pump, I utilize a URL. I've taken the following security measures to mitigate potential risks:

Enhanced Security for Editor and Dashboard:
I have fortified the security of both the Node-RED editor and dashboard by implementing robust ID and password requirements. This ensures that only authorized individuals can access and manipulate these interfaces.

Implementation of HTTPS:
I obtained an HTTPS certificate from my hosting provider of the virtual machine. This certificate has been integrated into my Node-RED setup, restricting access to the dashboard and editor solely through HTTPS, thus encrypting data transmission.

URL Restructuring:
I have altered the URL endpoints necessary to access the editor and dashboard interfaces. For instance, the dashboard can be accessed via "demo.mywebsite.com," whereas the editor requires "mywebsite.com is available for purchase - Sedo.com"

I would greatly appreciate any assessment of the steps I have taken thus far, as well as any recommendations or insights you may have for further enhancements. In the future, I am considering a proxies such as nginx. My research has revealed that utilizing a proxy constitutes a pivotal security layer, thereby fostering a greater sense of confidence in the system's overall security.

best regards,

Trying_to_learn · 14 August 2023 22:59

Are you accessing the dashboard on the same machine that is running NR?

IF NOT
I don't think there is a problem.
So long as you have an edit password set for NR.

That machine is on the bigger internet and only accessing NR's dashboard.

TotallyInformation · 15 August 2023 01:12

Seems like a sensible approach. Though assessment of system security is only really possible by looking at a detailed design and the actual implementation.

I always recommend the use of external security using tools like a proxy to separate the security and identity management from the Node-RED service. While it adds some complexity, it lets you use independent, battle-hardened security/IdM separate from Node-RED itself. Allowing centralised IdM, use of standard IdM and security tooling and separate update paths as well as being able to share settings between different web app tools.

system · 14 October 2023 01:13

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Securing Node-Red General security	33	8207	24 December 2023
How to enable access to the Node-RED Editor over HTTPS General security	4	309	3 February 2023
Revisiting (ughhh!) security General	11	606	13 March 2021
Survey on a New User Management Application for Node-RED General node-red-dashboard , security , docker	12	538	24 October 2023
Required admin login preventing server connection Dashboard node-red-dashboard , security	1	274	13 March 2022

Security and node-red

Related Topics