Reverse Proxy with Node Red

Node-Red SSL

To use Node-Red out in the free world it needs a chaperone, that happens to be a reverse proxy at the moment. If you are starting off from the beginning I would probably recommend following this guide. That’s assuming you have an Ubuntu server and are running Node-Red from there and you don’t mind running Nginx. What if you already have a server that may or may not be Ubuntu? Maybe you don’t like Nginx or maybe you already have Apache2 running. Or what if you are running Node-Red on a Raspberry Pi? Then that guide doesn’t necessarily work.

I searched all over again (briefly) on setting up Node-Red with SSL and/or reverse proxy and it seems everyone has done it but no one is willing to share steps to do it? Is it that easy that it doesn’t need to be said? I wish I had found a write-up to point the way, as it is simple but not necessarily easy. Especially for the average or new RPi tinkerer.

This is how I got it working. There may be other ways, and better ways but this is what I found worked for me. YMMV.

 

Prerequisites

  • A TLD domain pointed at your server.
  • A server connected to your network running Apache2 (could be a Pi!)
  • Your server open to the world (port forwarding required)
  • Legit non-self-signed SSL certs. Let’s Encrypt is free.
  • mod_proxy installed and enabled on the Apache server, here’s a good guide (only step #1 is needed)
  • Node-Red, either on the same server or another (like a RPi) doesn’t matter (same network)
  • Don’t forget to enable Node-Red admin password protection too.

 

I am going to assume that you already own the domain and have it set up and working so that you can go to https://yourdomain.com and it pops up. HTTPS, with a green padlock. If not, you need to buy the domain and point the DNS to your server’s IP and create SSL certs, port forward yada yada. I host a server at home, makes it easy. For example, example and example. Oh and here are some Let’s Encrypt examples for Nginx and Let’s Encrypt on Apache.

You will need to edit your sites-available conf files and add the stuff for reverse proxy. You need more than just Node-Red’s base URL to have a reverse proxy. I found it was best/easiest (shit maybe it’s required I don’t know, I’m just dangerous) to add a line for each webpage I was going to use specifically. So far that’s Twilio voice, sms and Amazon Alexa.

 

Here is my Ubuntu Apache2 site-available conf for reverse proxy:

 

I’ve got a reverse proxy for each call I am going to make within Node-Red when using Twilio. These need to be accessible from the free world (to Twilio or Amazon etc). If you need more pages available to the world toss em in.

For example https://mydomain.com/twiliosms is what would be available to the world now.

Restart apache and you should be good to go.
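The conf file itself did not survive on this page. The block below is an added example, not the author's file, of the per-path approach described above. It assumes Node-RED on 127.0.0.1:1880, Let's Encrypt certificates in the standard certbot location, and hypothetical /twiliovoice and /alexa endpoints alongside the post's /twiliosms.

```apache
# Added example, not the author's original conf.
# Needs mod_ssl, mod_proxy and mod_proxy_http enabled.
# Assumed: Node-RED listens on 127.0.0.1:1880 (its default port). If it runs
# on another machine such as a Pi, use that machine's LAN address instead.
<VirtualHost *:443>
    ServerName yourdomain.com

    SSLEngine on
    # Assumed: certbot's standard layout for Let's Encrypt certificates.
    SSLCertificateFile    /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header through to Node-RED.
    ProxyPreserveHost On

    # One pair of lines per HTTP-in endpoint that an outside service calls.
    # /twiliosms is the path from the post; the other two are hypothetical.
    ProxyPass        /twiliosms   http://127.0.0.1:1880/twiliosms
    ProxyPassReverse /twiliosms   http://127.0.0.1:1880/twiliosms

    ProxyPass        /twiliovoice http://127.0.0.1:1880/twiliovoice
    ProxyPassReverse /twiliovoice http://127.0.0.1:1880/twiliovoice

    ProxyPass        /alexa       http://127.0.0.1:1880/alexa
    ProxyPassReverse /alexa       http://127.0.0.1:1880/alexa

    # Deliberately no "ProxyPass /" line. The Node-RED editor and admin API
    # are served from the base URL, so leaving it unmapped keeps them off the
    # internet; they stay reachable on the LAN, still behind the admin
    # password from the prerequisites.
</VirtualHost>
```

Running `apachectl configtest` before the restart catches syntax errors without taking the site down.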

 

Securing Node-Red
https://hoast.dk/wordpress/2015/10/24/securing-node-red/
https://www.hardill.me.uk/wordpress/2015/05/11/securing-node-red/
https://nodered.org/docs/security
https://nodered.org/docs/configuration

Node-Red-Admin (to hash a password)
https://nodered.org/docs/node-red-admin

Adding SSL to Node-Red
http://industrialinternet.co.uk/node-red/adding-https-ssl-to-node-red/

Let’s Encrypt SSL Certificates
https://daplie.com/articles/lets-encrypt-on-raspberry-pi/
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates

https://gist.github.com/jhaury/10508bfef231bc09c4eae4723645b4f0

Adventures in SSL, why not – it’s free

I was sooo tired of Chrome telling me my self-signed server wasn’t protected and that someone wants to steal my data from me. Go away Chrome I know, I signed it, it’s all good now chill out. First world problems eh? I don’t want to click twice!! Anyways. I read about someone giving out free SSLs to the webs. Time to get mine while the gettin’s good! Straight for the deep-end, we can swim right?

So if you are here for ClearOS 7 then good, if not ClearOS then go somewhere else. There’s tons of guides for other systems, and if you don’t have ClearOS chances are there is an installer for you that works. We here at ClearOS however feel that nothing should work right out of the box, or if at all. That being said, I actually found this whole process to be “not that bad”.

Here’s the setup:
ClearOS 7 and its loveliness
One or Multiple websites, it’s all the same
Let’s Encrypt

Run that for each domain and subdomain you want to add SSL to. Now hop on over and login to your ClearOS box via the web interface. Go to System >> Settings >> Certificate Manager. Scroll down to the middle of the page till you see External Certificates, hit the add button. You should see a box asking for a bunch of files. Perfect. Give it a name like YourDomain, “Certificate File” point this to fullchain.pem. Point “Key File” to privkey.pem, and “Intermediate File” to cert.pem. Hit the Add button again. After a second you should see the new certificate listed on the page. If not something went wrong. In my experience ClearOS would not let me add the certificate if there was an error, and it would complain.

Once you see your cert in the list head over to Server >> Web >> Web Server. Click on the website you want to add SSL to. Scroll down to SSL Certificate, click the scroll-down and you should see the certificate you added in the list. Don’t forget to save. You should now have SSL on your site. Now don’t forget it expires in 3 months. I’ll figure out how to renew then haha.

Now if you want to force SSL, the simplest way I have found so far is to use .htaccess. I thought there was a drop-down option to force SSL but I didn’t see it. Open up your favorite editor and create or edit an .htaccess file.

This should force any request over to HTTPS. I found this page helpful when I was doing my Googling:
https://sysops.forlaravel.com/letsencrypt
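The .htaccess contents are missing from this page. A common mod_rewrite form that forces HTTPS is shown here as an added example, not the author's file; it assumes mod_rewrite is enabled and that the site's AllowOverride setting permits rewrite rules in .htaccess.

```apache
# Added example, not the author's original .htaccess.
RewriteEngine On

# Match only requests that arrived over plain HTTP. Without this condition
# the rule would also fire on HTTPS requests and redirect in a loop.
RewriteCond %{HTTPS} !=on

# Send the client to the same host and path over HTTPS.
# R=301 marks the redirect as permanent; L stops further rule processing.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

If the file has no effect at all, the site's AllowOverride is probably set to None, in which case Apache ignores .htaccess without reporting an error.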