HowTo: Node Red – Encrypt connection

The article NodeRed – Setting up user login already pointed out how important it is to secure access to your NodeRed configuration interface. Especially if you access your NodeRed configuration over the Internet, make sure that only you have access to it.

In addition to setting up a user login, it is also important and useful to encrypt the connection between your browser and the NodeRed server.

How you can do this is described in the following article.

Hints for our lovely English readers: Basically, many of the articles on Nerdiy.de are translations from the original German articles. Therefore, it may happen here and there that some illustrations are not available in English and that some translations are weird/strange/full of mistakes or generally totally wrong. So if you find some obvious (or also not obvious) mistakes, don't hesitate to leave us a hint about that in the comment section.
Also, please don't be confused that a "comma" is often used instead of a "dot" as the decimal separator. 🙂


Safety instructions

I know the following hints are always a bit annoying and seem unnecessary. But unfortunately, many people who "knew better" have lost eyes, fingers or other things, or hurt themselves, through carelessness. In comparison, a loss of data is almost not worth mentioning, but even that can be really annoying. Therefore, please take five minutes to read the safety instructions. Even the coolest project is not worth an injury or other trouble. https://www.nerdiy.de/en/sicherheitshinweise/



Requirements

Helpful Articles:
Of course, NodeRed should already be installed so that you can apply this configuration.
How to prepare a RaspberryPi and then install NodeRed on it is described in the following articles.

RaspberryPi – Setting up for Nerdiys!
RaspberryPi – The first configuration
RaspberryPi – Controlling the RaspberryPi via SSH
NodeRed – Installing NodeRed on the RaspberryPi

Required tools:
-none-



Log in via SSH on the RaspberryPi

To get started, you first need to log in to the RasPi via SSH using PuTTY. How to do it is described in the article

After entering your username and password you can start to enter the first commands.

Create a folder for the certificates

To keep the certificate files in one central location, it is recommended to create a folder in the NodeRed directory. If your “.node-red” folder is in your home directory – which should be the case if you installed NodeRed with the installation script – you can create a new folder with the following command.

mkdir /home/pi/.node-red/certificates

After executing this command a new folder called “certificates” should have been created in your “.node-red” folder.


Switch to the created folder

To save the certificate files in the newly created folder, you should now switch to it with the following command.

cd /home/pi/.node-red/certificates/


Generate certificate files

In order for the encryption to work, you need to create a few certificate files. The following command creates a new 2048-bit RSA private key (key.pem) and a certificate signing request (csr.pem). The option -nodes stores the key without a passphrase so that NodeRed can load it at startup; anyone who can read key.pem can therefore use it.

openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem

After entering this command, you will be asked for a few details that will be entered in the certificate request. Here you can of course – as far as possible – fill in correct data, but you do not have to. For the sake of simplicity, you can also leave everything empty or (as in this example) enter only dashes.

openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt

This command creates a certificate (server.crt) that is valid for 365 days and signs it with the key you created.

Enter the path to the certificate files in the NodeRed configuration file

Now you have to tell your NodeRed installation that the connection should be encrypted. For that you need to specify where your just created certificate files are.
This information must be entered in the configuration file of NodeRed. Open your NodeRed configuration file with the following command:

sudo nano /home/pi/.node-red/settings.js

Several settings/values must be adjusted in the configuration file.
First, remove the two slashes before “var fs = require("fs");”. This loads the Node.js file system module, which allows NodeRed to read the certificate files.
Now navigate down with the arrow keys to the specified position in the configuration file.
Once there, remove the slashes before “https: {” and before the “},” three lines below it. Removing the slashes activates this block and its settings.

In this block you also have to specify the paths to your certificate files. To do this, copy the following text into the block.

key: fs.readFileSync('/home/pi/.node-red/certificates/key.pem'),
cert: fs.readFileSync('/home/pi/.node-red/certificates/server.crt')

Once you have copied these lines into the block, it should look like this.

You will find the last change a few lines below. There you have to remove the two slashes before “requireHttps: true,”. This should cause you to be automatically redirected to the secure connection if you try to access NodeRed over an insecure connection. ATTENTION: Be sure to include a comma after the “requireHttps: true”. If this is missing, your NodeRed installation will not start correctly.

If you have made all changes, you can close the configuration file. Press “CTRL + X” …
… and confirm the prompt with “Y” and “Enter”.

Restart NodeRed

For the changes to take effect, you have to restart NodeRed. This is done with the following command.

sudo service nodered restart


Open the NodeRed configuration page

After restarting NodeRed, you will see that your NodeRed installation is no longer available under the old URL. This is because your NodeRed instance is now only accessible via “https://”. The screenshots below show how to connect to it with the browser Google Chrome. The procedure is similar in other browsers.

Access via the old URL is no longer possible.

In order to access your NodeRed configuration page again, you must prefix the URL to your NodeRed configuration page with “https://”.

URL to the configuration page preceded by “https://”.

Most browsers now warn that the certificate with which your connection is encrypted is self-signed and therefore not validated by a third party. On regular websites this is a real problem, because it may indicate that the supposedly secure connection is not really secure. In this case it is OK, because you have just created the certificate yourself.

Security warning of the browser (in this case of Google Chrome).

To bypass the warning, click on “Advanced” …

… and then on “Weiter zu …”(German for “Continue to…”). Now you will be redirected to the usual configuration page of your NodeRed installation.

NodeRed configuration page called with encrypted connection.

I hope everything worked as described. If not or you have any other questions or suggestions, please let me know in the comments. Also, ideas for new projects are always welcome. 🙂

Fab

P.S. Many of these projects - especially the hardware projects - cost a lot of time and money. Of course I do this because I enjoy it, but if you appreciate that I share this information with you, I would be happy about a small donation to the coffee box. 🙂
