As the use of NGINX is often recommended by myself and others to help provide performance and security gains for Node-RED, I thought that I really ought to do a full write-up on how to do this.
Note that there is also another FAQ on this subject, but the above gives specifics about the use of HTTP/2 and rewrite rules for handling multiple instances of Node-RED (or multiple node.js apps, or using uibuilder with its custom server feature), or indeed just proxying specific parts of Node-RED.
The configuration in this article also uses the current standards and configuration of the community version of NGINX (e.g. it does not use the sites-available folder).
My article does not, however, cover the installation and configuration of other tools and services such as fail2ban or Let's Encrypt.
This is the other piece of the puzzle, doing user authentication outside of Node-RED. I still need to do an article on this and will do so when time permits.
There are doubtless various ways of doing this with NGINX but I'll first be looking at vouch-proxy which supports multiple back-end authentication services and is open source.
Small additional note. If using Let's Encrypt to provide your TLS certificate and key, don't forget that it changes fairly often. When it does, you need to tell NGINX.
sudo systemctl reload nginx
Reload simply picks up the latest config files; it does not close any existing client connections.
You will probably want to either schedule this using cron or add it to your ACME client script.
I use the acme.sh script to manage my certificates from Let's Encrypt. It has a built-in auto-reload for common web servers including NGINX.
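The reload step described above, written out as an added shell example (this is not code from the original post or from acme.sh): a script you can run from cron that only reloads NGINX when the certificate file has actually changed, and only after `nginx -t` says the config is sound, so a broken config or a failed reload is retried on the next run instead of being silently forgotten. The certificate path, stamp path and the test/reload commands are assumptions and can be overridden through environment variables. acme.sh's own `--install-cert ... --reloadcmd "..."` option does the same job from inside the renewal hook if you prefer that route.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from acme.sh: reload NGINX
# only when the certificate on disk changed and the config passes "nginx -t".
# All paths and commands below are assumptions; override via the environment.
#
# Example crontab line (assumed install path, runs once an hour):
#   17 * * * * /usr/local/sbin/reload-nginx-on-cert-change.sh --run

# SHA-256 of the certificate file (the full chain PEM is what NGINX serves).
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# True (0) when the certificate differs from the fingerprint recorded in the
# stamp file, including on the very first run when no stamp exists yet.
cert_changed() {
    local cert="$1" stamp="$2"
    [ "$(cert_fingerprint "$cert")" != "$(cat "$stamp" 2>/dev/null || true)" ]
}

# Returns 0 when a reload was issued, 1 when nothing needed doing,
# 2 when the config test or the reload itself failed.
reload_if_changed() {
    local cert="$1" stamp="$2"
    local test_cmd="${NGINX_TEST_CMD:-nginx -t}"
    local reload_cmd="${NGINX_RELOAD_CMD:-sudo systemctl reload nginx}"

    cert_changed "$cert" "$stamp" || return 1

    # A reload with a broken config leaves the old workers serving the old
    # certificate, which is exactly the situation we are trying to avoid.
    eval "$test_cmd" || { echo "nginx config test failed; not reloading" >&2; return 2; }
    eval "$reload_cmd" || { echo "nginx reload failed" >&2; return 2; }

    # Record the new certificate only after a successful reload so that a
    # failed attempt is retried next time cron runs this script.
    cert_fingerprint "$cert" > "$stamp"
}

if [ "${1:-}" = "--run" ]; then
    reload_if_changed \
        "${CERT_FILE:-/etc/letsencrypt/live/example.com/fullchain.pem}" \
        "${STAMP_FILE:-/var/lib/nginx-cert.stamp}"
fi
```

Running the script every hour is harmless because the fingerprint check makes it idempotent; the reload (and the stamp update) only happens on the run that first sees the renewed certificate.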
I am using Nginx Proxy Manager to do the heavy lifting of configuring nginx; it has built-in support for Let's Encrypt with a nice web interface. I am still investigating 2FA authentication with Authelia.
Nice. Let us know how you get on. I've actually just flipped to Caddy, which seems nicer to configure and has built-in Let's Encrypt if you want it. It also configures HTTP/2 right out of the box without any additional config.
I've also worked out how to block external access to the Editor but leave the Dashboard open and even to be able to have the Dashboard and the Editor on different ports.
It has good support for external authentication and even for MFA.