Help creating SSL / HTTPS Node-RED Instance

George K

Oct 30, 2016, 5:57:40 PM
to Node-RED
Hello everybody,

Is there any good source around that explains how to get an SSL instance of Node-RED working?

I know how to change the parts in the settings.js file. But when I run my localhost instance, the following message always appears:




I've been following sources like http://blog.ayanray.com/2015/06/adding-https-ssl-to-express-4-x-applications/ or https://engineering.circle.com/https-authorized-certs-with-node-js-315e548354a2#.lggg4ecm4 but have only failed so far.

I also couldn't help myself with the Node-RED documentation and other Google Group topics.

I'm glad for every hint you can give me on this!

Greetings, G.



 

Ben Hardill

Oct 30, 2016, 6:24:25 PM
to Node-RED

Julian Knight

Oct 30, 2016, 6:38:29 PM
to Node-RED
Alternatively, if you are trying to protect external access, you can use a reverse proxy to provide the TLS encryption and leave local traffic unencrypted. Depends on your requirements.

For example, in a home environment, if you have something like a Synology NAS, the NAS can act as a reverse proxy, forwarding traffic from one URL available externally to another only available on the internal network. It can provide TLS encryption on the external side.

George K

Oct 31, 2016, 1:27:08 PM
to Node-RED
Thanks for the answers.

As far as I understand, the crucial part is:

Since this is a self signed certificate your browser will reject it the first time you try to connect with a warning like this: This is because your certificate is not signed by one of the trusted certificate authorities,...


Which basically means, no matter what I do, since the certificate is not authorized, there will always be an error for someone who connects the first time to this website, right?


If that's the case, how do you guys handle this kind of problem, if you want to have a publicly accessible Node-RED instance (one with the dashboard) and have it set up securely? Do you let your certificate get authorized?

Ben Hardill

Oct 31, 2016, 4:39:11 PM
to Node-RED
If this is not just for personal use, but for the general public, then you need to use a certificate from a recognised Certificate Authority.

For this you have 2 options

1) Pay for a certificate.
2) Use a service like https://letsencrypt.org/ which can provide certificates for free
3) Use a service like https://www.cloudflare.com/ to proxy for your site and provide SSL wrapping

Personally I'd go with option 2

Eric Stephens

Nov 1, 2016, 10:22:43 AM
to Node-RED
We need to add OAuth and segmented user access. Any pointers on that?
Initially we started to just lift the planning UI into an existing J2EE app but found the Node-ness tough to untangle.

Ben Hardill

Nov 1, 2016, 12:29:07 PM
to Node-RED
Eric,

That's not going to be easy, you will have to build your own middleware with something like passport.

And OAuth is extra tricky because you need to add a bunch of extra storage to support token generation.

That and there are only really 2 levels of access for the Node-RED admin interface, full and read only, there is no way to add more granular support. It is something that we need to look at more closely soon.

George K

Nov 1, 2016, 1:49:05 PM
to Node-RED
Now I understand the drill... Thank you, Ben! Much appreciated.

I'll take a look at option two and see where it gets me. =)

Julian Knight

Nov 2, 2016, 5:03:29 PM
to Node-RED
Just to clarify - you can use your own certs if you are in a position to distribute a suitable root certificate to all users. Otherwise, yes all users get a warning which can be difficult to get out of unless you are aware.

Otherwise using a free cert from a recognised authority is good - the free ones only have short lifespans though so you need an automated way of updating them or it gets to be a real pain. 

As Ben said, you can also use a proxy such as Cloudflare and that's what I do with all my public facing sites. Then I just make sure that the only traffic allowed through my firewall is from Cloudflare itself & use a self-signed cert to encrypt that link.

As for OAuth, it is certainly easier to do with something like passport but it is possible to use passport with Node-RED. Alternatively you could do it at a local proxy layer.

In addition to Passport, there is an OAuth cloud service run by Auth0 which might be of interest. https://auth0.com/