HowTo: Node Red – Encrypt connection

Posted on by

In the article NodeRed - Set up user login has already pointed out that it is very important to secure the access to your NodeRed configuration interface. Especially if you access your NodeRed configuration via the internet, you should make sure that only you have access to it.

Besides setting up a user login, it is also important and useful to encrypt the connection between your browser and the NodeRed server.

How you can do this is described in the following article.

Safety instructions

I know the following notes are always kind of annoying and seem unnecessary. Unfortunately, many people who knew "better" have lost eyes, fingers or other things due to carelessness or injured themselves. Data loss is almost negligible in comparison, but even these can be really annoying. Therefore, please take five minutes to read the safety instructions. Because even the coolest project is not worth injury or other trouble.
https://www.nerdiy.de/sicherheitshinweise/

Affiliate links/advertising links

The links to online shops listed here are so-called affiliate links. If you click on such an affiliate link and make a purchase via this link, Nerdiy.de will receive a commission from the relevant online shop or provider. The price does not change for you. If you make your purchases via these links, you support Nerdiy.de in being able to offer other useful projects in the future. 🙂 

Requirements

Helpful articles:
To be able to set up a user login, NodeRed should of course already be installed.
How to prepare a RaspberryPi and then install NodeRed on it is described in the following articles.

The following three articles describe what needs to be done to prepare the RaspberryPi:
RaspberryPi – setup for nerdiys!
RaspberryPi – The first configuration!
RaspberryPi – Control the RaspberryPi via SSH
NodeRed – Installing NodeRed on the RaspberryPi

Required material:
-no-

Required material:

In the following list you will find all the parts you need to implement this article.

Log in to the RaspberryPi via SSH

To start, you must first log in to the Rasp Pi with Putty via SSH. How to do this is in the article RaspberryPi - Control the RaspberryPi via SSH described.

After entering your username and password you can enter the first commands.

Create folder for the certificates

In order to be able to store the certificate files in a central location, it is recommended to create a folder in the NodeRed directory. If your “.node-red” folder is in your home directory - which should be the case if you installed NodeRed with the installation script - you can create a new folder with the following command.

mkdir /home/pi/.node-red/certificates

After running this command, a new folder called “certificates” should have been created in your “.node-red” folder.

Switch to the created folder

So that the certificate files to be created are also stored in this newly created folder, you should now change to this folder with the following command.

cd /home/pi/.node-red/certificates/

Generate certificate files

To make the encryption of your connection to Node-Red work you have to create some certificate files. With the following command you create a key file.

openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
After entering this command you will be asked for a few details that will be entered in your key. Here you can fill in everything correctly - as far as possible - but you don't have to. For the sake of simplicity, you can also leave everything blank or (as in this example) enter only dashes.

openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt

This command creates a certificate and signs it with the key you created.

Enter the path to the certificate files in the NodeRed configuration file.

Now you have to tell your NodeRed installation that the connection should be encrypted in the future. You also need to specify where the certificate files you just created are located.
This information must be entered into the NodeRed configuration file. To do this, open your NodeRed configuration file with the following command:

sudo nano /home/pi/.node-red/settings.js

Several settings/values must be adjusted in the configuration file.
First, remove the two slashes before “var fs = requiere(“fs”);”. This loads a function that allows NodeRed to access the certificate files.
Now navigate down with the arrow keys to the specified position in the configuration file.
Once there, remove the slashes in front of “https: {” and the line three lines below with “},”. Removing the slashes activates this function block and the settings it contains.

So that this function block also contains the paths to your certificate files you have to specify them. To do this, copy the following text into the function block.

key: fs.readFileSync('/home/pi/.node-red/certificates/key.pem'), cert: fs.readFileSync('/home/pi/.node-red/certificates/server.crt')
Once you have copied the commands into the function block, the whole thing should look something like this.
You can find the last change a few lines below. There you have to remove the two slashes before “requireHttps: true.” This should result in you being automatically redirected to the secure connection if you try to access NodeRed over an insecure connection. ATTENTION: Make sure that a comma is entered after “requireHttps: true”. If this is missing, your NodeRed installation will not start correctly.
Once you have made all the changes, you can close the configuration file again. To do this, press “CTRL+X”…
...and confirms the request with "Y" and "Enter".

Restart NodeRed

So that the entered changes in the configuration file are now also taken over you must restart NodeRed now. This can be done with the following command.

sudo service node red restart

Call NodeRed configuration page

After you have restarted NodeRed, you will see that your NodeRed installation is no longer accessible under the old URL. This is because you previously accessed your NodeRed configuration page via “http://”, but it can now only be accessed via “https://”. The screenshots show the way with the Google Chrome browser. However, this path is similar for other browsers.

Access via the old URL is no longer possible.

So that you can now access your NodeRed configuration page again, you must prefix the URL to your NodeRed configuration page with “https://”.

URL to the configuration page preceded by “https://”.

Most browsers warn at this point that the certificate with which you encrypt your connection is self-signed and thus not validated by a third party. On normal websites, this is indeed a problem, because it can indicate that the supposedly secure connection is not secure in reality. In this case, however, it is fine because we have just created the certificate ourselves.

Security warning of the browser(In this case Google Chrome).

To bypass the warning, click on “Advanced”…

…and then click “Continue to…”. You will now be redirected to the usual configuration page of your NodeRed installation.

NodeRed configuration page called with now encrypted connection.

Have fun with the project

I hope everything worked as described for you. If not or you have questions or suggestions please let me know in the comments. I will then add this to the article if necessary.
Ideas for new projects are always welcome. 🙂

PS Many of these projects - especially the hardware projects - cost a lot of time and money. Of course I do this because I enjoy it, but if you think it's cool that I share the information with you, I would be happy about a small donation to the coffee fund. 🙂

Buy Me a Coffee at ko-fi.com       

2 comments

  1. Hello,
    Thank you for your contribution.

    This security warning bothers me and all other users in my household too. Checking the room temperature is always associated with a few clicks.
    How can I bypass the browser security warning (when I open the dashboard)?
    I'm running Node-Red on a Raspberry.

    Many thanks and best regards

    Reply

    1. Hi Commendation,
      gladly. 🙂
      The problem with this is that the self-signed certificate is not accepted by the browser. This is actually intended but of course annoying.
      As far as I know you have two options:
      – Install the certificate on each device. Unfortunately, I have no instructions for this, but I also believe that this would only be an option for Windows. For security reasons, this is not possible on Android/Apple devices (as far as I know).
      – There might be Option two possible: Signed SSL certificates can be created with LetsEncrypt. Unfortunately I don't have any instructions for this either. But maybe the following helps. 🙂
      https://discourse.nodered.org/t/node-red-ssl-using-letsencrypt-certbot/17606
      Best regards
      Fabian

      Reply

Kommentar hinterlassen

Your email address will not be published. Erforderliche Felder sind mit * markiert

This site uses Akismet to reduce spam. Learn how your comment data is processed.