Okay, my brain is mush. I've created a local DNS and a local Certificate Authority. Now I can secure the local SSL/TLS and update it at regular intervals (ACME). But the change from http to https is fraught with problems. I have some code which is hard coded with http. So my question is: can I have both http and https (various ports)? I know this is a simple question on a complex problem (websockets, JS files, CSS files, etc.) but I need to start somewhere. I'd like to start by leaving the legacy code on http and moving the problem code to https as I resolve the issues.
Hello @ncherry,
That's not much information on your problem. Maybe you can give some more details on which kind of code/action should use https and which should not. Did you try it already? Did you get errors?
In general I would say: you can address the same (web-)server in both ways (http and https), if you do not set something which forces https-only. In node-red settings this would be the following parameter, but keep it on false:
requireHttps: true,
But I am asking myself if you are talking about node-red, as you have different ports?! If you have several node-red instances (with different ports) you should be able to set up one with and one without https.
So maybe you can detail your setting and requirements and we can help you in a better way.
Cheers
Ranki
As far as I know, node-red (for its admin/ui) can only listen on one port. You cannot make it do http and https at the same time. The conventional solution to achieving the latter is to run a reverse proxy, such as caddy or nginx. That proxy would provide both ports to clients and use one (typically http) to talk to node-red on the back-end. I hope this helps.
Sorry about that, I was setting up Node-Red (NR) for ssl and login on the main page when it dawned on me that I have a few pages that are served up via http. One has web sockets, the other has XMLHttpRequest, others have various css and js includes. I suspect some of those have hard coded http, which can be a problem when NR is running https.
Going by what has been said, my best bet is to set up 2 NRs, one on port x (with http) and the other on port y (with https). I can then migrate the code over and fix the hard coded ones.
Hello @ncherry,
and the served pages are provided by node-red? Then they are https as well, or is the client who is requesting the pages not able to deal with SSL? I did not get a real clue on the architecture you're trying to achieve.
Cheers
Ranki
Let me add one more detail that may not be clear. This is a private network (RFC1918 addresses).
The ssl certs are signed by a local CA (step-ca). The iOS client won't work as I can't add the root CA to the iOS client. Not sure about Android. Firefox, Chrome and curl are no issue (I know how to add the correct intermediate CA cert used to sign the certs).
The end result is SSL/TLS on everything (MQTT, sockets, https, API, etc.).
To get the best of both worlds, keep Node-RED serving without https and add a reverse proxy using Caddy, NGINX or similar. Make the reverse proxy do the hard work regarding TLS termination and let Node-RED focus on its own things.
That will let anything that is accessing node-red via localhost continue to use http. Should you need to add external access (not really recommended even on a local network), you can add more settings to the reverse proxy.
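The reverse-proxy setup suggested in the two replies above, written out as an added nginx example (this is not configuration from the thread or from the Node-RED project). It assumes the hostname `nodered.home.lan`, certificate and key files issued by the local step-ca at the placeholder paths shown, and Node-RED listening on its default `127.0.0.1:1880`. One `server` block listens on both 80 and 443, so legacy pages with hard coded http keep working while everything else moves to https, and the `Upgrade`/`Connection` headers are forwarded so websockets survive the proxy hop.

```nginx
# Added example: nginx in front of Node-RED, terminating TLS for the LAN.
# Assumptions (not from the thread): hostname nodered.home.lan, step-ca issued
# cert/key at the paths below, Node-RED on 127.0.0.1:1880 (its default port).

# Must live at http{} level (e.g. in conf.d/). Only sends "Connection: upgrade"
# to the backend when the client is actually asking for a websocket upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Both listeners in one block: legacy clients keep using http on 80,
    # migrated pages use https on 443, and the backend does not change.
    listen 80;
    listen 443 ssl;
    server_name nodered.home.lan;

    ssl_certificate     /etc/ssl/step/nodered.home.lan.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/step/nodered.home.lan.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend leg stays plain http, so requireHttps in settings.js stays false.
        proxy_pass http://127.0.0.1:1880;

        # Websocket support (Node-RED editor comms, dashboard sockets, own ws nodes).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Let Node-RED see the host and scheme the client really used.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Websockets are long-lived; do not let nginx drop them as idle.
        proxy_read_timeout 3600s;
    }
}
```

Two things worth doing alongside this: set `uiHost: "127.0.0.1"` in Node-RED's settings.js so the bare port-1880 listener is only reachable through the proxy rather than from the whole LAN, and watch the nginx access log for requests still arriving on port 80; those are the pages whose hard coded `http://` URLs still need to become relative URLs before the port-80 listener can be dropped.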
Unless this is blocked by an enterprise policy, you can add a local cert to iOS: add self-signed certificate to ios - Google Search
Worse, my CFO (my wife ;-)) won't let me touch her iPhone. So yes, corporate policy works.
Thanks for the link, I'll work on making that work. If I can add the Local Root CA it will solve a lot of problems.
To get round the CFO problem, you will want to see if you can configure "hairpin DNS" on your router. This lets you use an external domain name on your internal network. If you can get that working, you can then switch to using Let's Encrypt which is a much better approach and what I do. I have a spare domain that I use with a wildcard LE cert and used in a number of services on my internal network.
If your router can't do that, there are tools you can run on a Pi that will do it.
Thanks.
I'll look into the hairpin dns. Wasn't aware of that.