Hello, I am trying to publish a project I have created using cloudflare. The goal is to make it so users can only access the dashboard page, so we set up redirects. Initially I only had a redirect from the editor itself to the dashboard. However this morning I found a different path where if you type /flows at the end of the url it shows my .json file. I have since redirected that path as well. Are there anymore paths that I need to worry about?
Hi @rotycha
it sounds like you haven't applied any basic security to Node-RED itself.
If you don't want to access the editor in the deployed project, then you should disable it and the admin api (which /flows is part of) - rather than try to make sure you are blocking all the right paths.
In your settings.js file, set httpAdminRoot to false
Alternatively, if you do want the editor to be available, you should set httpAdminRoot to a path like /editor - that will move the editor and admin api away from the root path. Then you should configure adminAuth to setup proper authentication for the editor and the admin api.
See Securing Node-RED : Node-RED for details on how to set adminAuth.
Other configuration options are documented here: Configuration : Node-RED
If you have an unsecured node-red instance running on the internet, you are inviting trouble - there are port scanners out there that actively look for Node-RED and try to deploy bitcoin miner flows into unsecured instances.
In addition to Nicks advice, a few other things to think about.
-
You need to ensure that you have set up https access only.
-
Make certain that the only Internet access to your device is from Cloudflare itself. (in other words that nobody can reach the device via your local networks internet IP address).
-
It is best to hide the internal node-red port as well as the internal IP address from the outside. So use Cloudflare, your router or a proxy (see below) to do a port address translation (PAT) from 1880 internally to 433 (default for https) externally.
The connection from Cloudflare to your device must be encrypted using TLS - see the previous bullet.
You can go further by setting node-red so that it ONLY is accessible on localhost (127.0.0.1) - by default it is available from all network cards. And then configuring a reverse proxy and allowing only the Dashboard URL to be accessed from outside the machine. More likely of course, you will set it up so that the Dashboard can be accessed from the Internet and local network but everything else can only be accessed from the local network. Lots of other useful things you can do with a reverse proxy as well such as controlling access to different urls with different authentication - even depending on where you are accessing from. For example allowing all access from your local network but requiring a login if coming from the Internet.
You need to ensure that everything is blocked by default and then enable just the path to the Dashboard.
We have done almost all of that minus some of the last suggestion. Currently users are able to access it locally only if they are connected to Ethernet and have the user name and password. We use firewall rules on cloudflare that only allow specific ips to access the ui and require TLS, and a few other rules. We are not able to disable the editor because out application is being constantly built on. Our solution to that was setting up an Oauthrization system requiring the user to be in our domain. We are pretty confident in the security side from outside threats. We are mainly worried now about not allowing someone within our system to be able to reach pages outside of the dashboard. So thank you both for the help, do you have any other recommendations about only allowing people in the dashboard?
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
