The article NodeRed - Set up user login has already pointed out that it is very important to secure access to your NodeRed configuration interface. Especially if you access your NodeRed configuration via the internet, you should make sure that only you have access to it.
Besides setting up a user login, it is also important and useful to encrypt the connection between your browser and the NodeRed server.
How you can do this is described in the following article.
Safety instructions
I know the following notes are always kind of annoying and seem unnecessary. Unfortunately, many people who knew "better" have lost eyes, fingers or other things due to carelessness, or have injured themselves. Data loss is almost negligible in comparison, but even that can be really annoying. Therefore, please take five minutes to read the safety instructions, because even the coolest project is not worth injury or other trouble.
https://www.nerdiy.de/sicherheitshinweise/
Requirements
Helpful articles:
To be able to set up a user login, NodeRed should of course already be installed.
How to prepare a RaspberryPi and then install NodeRed on it is described in the following articles.
The following three articles describe what needs to be done to prepare the RaspberryPi:
RaspberryPi – setup for nerdiys!
RaspberryPi – The first configuration!
RaspberryPi – Control the RaspberryPi via SSH
NodeRed – Installing NodeRed on the RaspberryPi
Required material:
-no-
Log in to the RaspberryPi via SSH
To start, you must first log in to the RaspberryPi with Putty via SSH. How to do this is described in the article RaspberryPi - Control the RaspberryPi via SSH.
Create folder for the certificates
To be able to store the certificate files in a central location it is recommended to create a folder in the NodeRed directory. If your ".node-red" folder is located in your home directory - which should be the case if you installed NodeRed with the installation script - you can create a new folder with the following command.
mkdir /home/pi/.node-red/certificates
After running this command, a new folder named "certificates" should have been created in your ".node-red" folder.
Switch to the created folder
So that the certificate files to be created are also stored in this newly created folder, you should now change to this folder with the following command.
cd /home/pi/.node-red/certificates/
Generate certificate files
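To make the encryption of your connection to NodeRed work, you have to create some certificate files. The first of the following two commands creates a private key (key.pem) and a certificate signing request (csr.pem). The second command uses both to create a self-signed certificate (server.crt) that is valid for 365 days.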
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt
Enter the path to the certificate files in the NodeRed configuration file
Now you have to tell your NodeRed installation that the connection should be encrypted in the future. You also need to specify where the certificate files you just created are located.
This information must be entered into the NodeRed configuration file. To do this, open your NodeRed configuration file with the following command:
sudo nano /home/pi/.node-red/settings.js
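The HTTPS settings live in the "https" block of this configuration file. So that this block contains the paths to your certificate files, you have to specify them there. To do this, copy the following text into the block. The text refers to fs, Node's file-system module, which therefore has to be loaded in settings.js.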
key: fs.readFileSync('/home/pi/.node-red/certificates/key.pem'), cert: fs.readFileSync('/home/pi/.node-red/certificates/server.crt')
Restart NodeRed
For the changes in the configuration file to take effect, you must now restart NodeRed. This can be done with the following command.
sudo service nodered restart
Call NodeRed configuration page
After restarting NodeRed you will see that your NodeRed installation is no longer accessible under the old URL. This is because you used to access your NodeRed configuration page via "http://", but now it is only accessible via "https://". The screenshots show the steps in Google Chrome; in other browsers the steps are similar.
To access your NodeRed configuration page again, you have to prefix its URL with "https://".
Most browsers warn at this point that the certificate with which you encrypt your connection is self-signed and thus not validated by a third party. On normal websites, this is indeed a problem, because it can indicate that the supposedly secure connection is not secure in reality. In this case, however, it is fine because we have just created the certificate ourselves.
To bypass the warning click on "Advanced"...
...and then click on "Continue to ...". Now you will be redirected to the usual configuration page of your NodeRed installation.
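The following script is an added example and not part of the original article. It checks the files from "Generate certificate files" before NodeRed is restarted (key and certificate belong together, certificate not expired, key readable only by its owner) and prints the certificate's SHA-256 fingerprint, which can be compared with the fingerprint the browser shows for the certificate behind the warning. The function names check_tls_pair and cert_fingerprint and the CN nodered.example are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. Function names and the CN are made up.

# check_tls_pair KEY CERT -> 0 usable, 2 unreadable, 3 unparsable/mismatch, 4 expired
check_tls_pair() {
    key=$1 cert=$2
    [ -r "$key" ] && [ -r "$cert" ] || { echo "cannot read key or cert" >&2; return 2; }

    # The public key in the certificate must be the one derived from the
    # private key, otherwise the HTTPS listener cannot use the pair.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match cert" >&2; return 3; }

    # -checkend 0 fails once notAfter has passed (the article uses -days 365).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 4; }

    # -nodes left the private key unencrypted: restrict it to its owner.
    chmod 600 "$key"
}

# cert_fingerprint CERT -> SHA-256 fingerprint as colon-separated hex; compare
# it with the fingerprint the browser shows for the certificate it warns about.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

if [ $# -eq 2 ]; then
    # Real use: pass the article's key.pem and server.crt.
    check_tls_pair "$1" "$2" && cert_fingerprint "$2"
else
    # Demo on a throwaway pair built with the article's two commands;
    # -subj only answers the interactive questions up front.
    tmp=$(mktemp -d)
    openssl req -newkey rsa:2048 -new -nodes -subj "/CN=nodered.example" \
        -keyout "$tmp/key.pem" -out "$tmp/csr.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$tmp/csr.pem" -signkey "$tmp/key.pem" \
        -out "$tmp/server.crt" 2>/dev/null
    check_tls_pair "$tmp/key.pem" "$tmp/server.crt" && cert_fingerprint "$tmp/server.crt"
    rm -rf "$tmp"
fi
```

On the RaspberryPi, save the script under a name of your choice and run it with /home/pi/.node-red/certificates/key.pem and /home/pi/.node-red/certificates/server.crt as its two arguments.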
Have fun with the project
I hope everything worked as described for you. If not or you have questions or suggestions please let me know in the comments. I will then add this to the article if necessary.
Ideas for new projects are always welcome. 🙂
Hello,
Thank you for your contribution.
This security warning bothers me and all other users in my household too. Checking the room temperature is always associated with a few clicks.
How can I bypass the browser security warning (when I open the dashboard)?
I'm running Node-Red on a Raspberry.
Many thanks and best regards
Hi Commendation,
gladly. 🙂
The problem with this is that the self-signed certificate is not accepted by the browser. This is actually intended but of course annoying.
As far as I know you have two options:
– Install the certificate on each device. Unfortunately, I have no instructions for this, but I also believe that this would only be an option for Windows. For security reasons, this is not possible on Android/Apple devices (as far as I know).
– Option two might be possible: Signed SSL certificates can be created with LetsEncrypt. Unfortunately I don't have any instructions for this either. But maybe the following helps. 🙂
https://discourse.nodered.org/t/node-red-ssl-using-letsencrypt-certbot/17606
Best regards
Fabian