
How to safely expose Node RED to the Internet

Julian Knight edited this page Feb 13, 2017 · 24 revisions

These are notes and ideas prior to writing a recipe for the cookbook.

What needs to be done to make NR secure when exposed to the Internet?

  • Always use HTTPS to encrypt the traffic between the client browser and the Node-RED service

    Can use NR itself to host the cert (see my script), a front-end proxy (NGINX, HAProxy or Apache web server) or an external third-party service such as Cloudflare.

  • Consider using a non-standard IP port >1024

    Obscures the fact that it is Node-RED and mitigates automated attacks. Use >1024; lower ports may open privileged access.

  • Apply protection to the editor and admin API (using the built-in password security adminAuth or using ExpressJS middleware)

  • Apply protection to the user interface pages (using the built-in password security httpNodeAuth and httpStaticAuth or using ExpressJS middleware)

  • Consider putting Node-RED behind a reverse proxy such as NGINX, HAProxy or Apache Web Server. Or IIS on Windows/Azure.

    Can use those to terminate HTTPS, possibly provide a login front-end, mitigate various attacks and potentially provide better performance. Phusion Passenger can also help with Node.js performance and keeping things running.

  • Consider preventing direct access to the Node-RED web service by using a content delivery network such as Cloudflare

    Can use that to provide better HTTPS security and to mitigate various attacks. Only allow Internet access to NR from Cloudflare. All external traffic is then forced through the CDN.
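
An added example, not part of the original notes or of Node-RED itself: a small check that audits a settings.js object against the points above. `auditSettings` and `behindProxy` are hypothetical names, and the hash, key, cert and path values are constructed placeholders.

```javascript
// Added example. auditSettings() and opts.behindProxy are hypothetical names;
// the setting keys (uiPort, uiHost, https, adminAuth, ...) are Node-RED's.
const BCRYPT = /^\$2[aby]\$\d\d\$.{53}$/;
const LOOPBACK = ["127.0.0.1", "::1", "localhost"];

function auditSettings(s, opts = {}) {
  const findings = [];
  if (opts.behindProxy) {
    // TLS ends at the proxy, so Node-RED itself must not be reachable directly.
    if (!LOOPBACK.includes(s.uiHost)) findings.push("uiHost: not bound to loopback, the proxy can be bypassed");
  } else if (!(s.https && s.https.key && s.https.cert)) {
    findings.push("https: no key/cert configured, traffic is unencrypted");
  }
  const port = Number(s.uiPort === undefined ? 1880 : s.uiPort);
  if (port === 1880) findings.push("uiPort: 1880 is the Node-RED default port");
  else if (port <= 1024) findings.push("uiPort: use a port above 1024");
  if (!s.adminAuth) {
    findings.push("adminAuth: editor and admin API are unprotected");
  } else if (Array.isArray(s.adminAuth.users)) {
    for (const u of s.adminAuth.users) {
      if (!BCRYPT.test(u.password || "")) findings.push(`adminAuth: password for "${u.username}" is not a bcrypt hash`);
    }
  }
  // httpStaticAuth only matters when a static directory is being served.
  const keys = s.httpStatic ? ["httpNodeAuth", "httpStaticAuth"] : ["httpNodeAuth"];
  for (const key of keys) {
    const a = s[key];
    if (!a || !a.user) findings.push(`${key}: not set`);
    else if (!BCRYPT.test(a.pass || "")) findings.push(`${key}: pass is not a bcrypt hash`);
  }
  return findings;
}

// Constructed sample: placeholder hash, key, cert and path, not real values.
const HASH = "$2b$08$" + "x".repeat(53);
const hardened = {
  uiPort: 18443,
  https: { key: "<PEM key>", cert: "<PEM cert>" },
  adminAuth: { type: "credentials",
               users: [{ username: "admin", password: HASH, permissions: "*" }] },
  httpStatic: "/placeholder/static",
  httpNodeAuth: { user: "ui", pass: HASH },
  httpStaticAuth: { user: "ui", pass: HASH },
};
console.log(auditSettings(hardened)); // no findings
console.log(auditSettings({}));       // out-of-the-box settings
```

When a reverse proxy on the same host terminates HTTPS, call it with `{ behindProxy: true }` so the check looks at `uiHost` instead of the `https` block.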