4

I have searched everywhere but I can't seem to find a way to secure my Node-RED user interface. The UI can be accessed by anonymous users...

So far I have tried to set up the settings.json file and the httpNodeAuth part but nothing worked.

How can I limit access to the Node-RED UI?

komarek

3 Answers

2

First make sure you are working with the copy of `settings.js` in the `.node-red` directory. This file and its location will be logged when Node-RED starts:

```
18 May 11:41:51 - [info] Settings file  : /home/hardillb/.node-red/settings.js
18 May 11:41:51 - [info] User directory : /home/hardillb/.node-red
18 May 11:41:51 - [info] Flows file     : /home/hardillb/.node-red/testing.json
18 May 11:41:51 - [info] Server now running at http://127.0.0.1:1880/
18 May 11:41:51 - [info] Starting flows
```

Next, do you want to secure the Node-RED Editor UI or the Dashboard UI?

If the Editor UI then you need to find the adminAuth section:

```
adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
        permissions: "*"
    }]
},
```

You generate the password hash using the following command:

```
node-red-admin hash-pw
```

or

```
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" [your-password-here]
```

If you want to secure the Dashboard UI then it's the `httpNodeAuth` option that needs changing:

```
httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
```

If you have enabled the serving of static content using `httpStatic`, then this content is protected via the `httpStaticAuth` directive:

```
httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."}
```

The password hash in both cases is generated in the same way as for the `adminAuth` section.

The docs for securing Node-RED can be found here: http://nodered.org/docs/security

hardillb
  • @komarek you have mixed quote chars at the start and end of the strings in your `settings.json`. What did you use to edit it? (Word and some other clients use "smart" quotes that are different at the start and end) – hardillb May 18 '17 at 17:34
  • I just used nano on the raspi. – komarek May 18 '17 at 18:19
  • It could be that when I posted it to pastebin I used the JSON format and possibly it made some mess. Where do you think it's wrong? – komarek May 18 '17 at 18:20
  • Around the username and hashed password – hardillb May 18 '17 at 18:37
  • I don't think I understand you. What do you mean? You commented again the httpNodeAuth part. – komarek May 19 '17 at 01:26
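
An added example, not part of the original answers or Node-RED's own code: a small Node.js check over a loaded settings object that reports which of the three options from the answer above (`adminAuth`, `httpNodeAuth`, `httpStaticAuth`) are missing or carry a password that is not a bcrypt hash, plus a scan of the raw file text for the "smart" quotes raised in the comments. The function names and sample values are hypothetical.

```javascript
// Added example (not from the thread): lint a Node-RED settings object.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/;

// Is the stored value a bcrypt hash? If so, also report its cost factor.
function checkHash(value) {
  const m = typeof value === "string" ? BCRYPT_RE.exec(value) : null;
  return m ? { ok: true, cost: Number(m[1]) } : { ok: false, cost: null };
}

// Returns findings; an empty array means editor, HTTP nodes and static
// content (when httpStatic is set) all have auth with hashed passwords.
function auditSettings(settings) {
  const findings = [];
  const admin = settings.adminAuth;
  if (!admin) {
    findings.push("editor: adminAuth missing");
  } else if (admin.type === "credentials") {
    for (const u of admin.users || []) {
      if (!checkHash(u.password).ok) {
        findings.push(`editor: password for ${u.username} is not a bcrypt hash`);
      }
    }
  }
  // Assumption: a missing httpNodeAuth is always reported, because the
  // question is about the dashboard; httpStaticAuth only if httpStatic is set.
  const basic = [["httpNodeAuth", true], ["httpStaticAuth", Boolean(settings.httpStatic)]];
  for (const [key, required] of basic) {
    const cfg = settings[key];
    if (!cfg) {
      if (required) findings.push(`${key}: missing`);
    } else if (!checkHash(cfg.pass).ok) {
      findings.push(`${key}: pass is not a bcrypt hash`);
    }
  }
  return findings;
}

// 1-based line numbers of raw settings text containing typographic quotes
// (U+2018, U+2019, U+201C, U+201D), the problem raised in the comments.
function findSmartQuotes(source) {
  return source.split("\n")
    .map((line, i) => (/[\u2018\u2019\u201C\u201D]/.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed sample: static content enabled, plaintext dashboard password.
const sample = { httpStatic: "/srv/static", httpNodeAuth: { user: "user", pass: "hunter2" } };
console.log(auditSettings(sample));
console.log(findSmartQuotes("users: [{\n  username: \u201Cadmin\u201D,\n}]"));
```

To run it against a real file, `require()` the `settings.js` path that Node-RED logs at startup and pass the exported object to `auditSettings`.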
2

I FINALLY realized it was a cache problem. Node-RED seems to work really aggressively with cache. Thanks everybody for the support.

komarek
  • My question is what about the next time you log in? If you press the back button, you will find that you can still access the dashboard. – John Smith Mar 01 '18 at 05:17
0

Rather late to this question. However, for future reference, the simplest and probably most secure way to add authentication to any specific endpoint or collection of endpoints served by Node-RED is to use a reverse proxy using something like NGINX, Caddy, HAProxy, etc.

They all make it relatively easy to add authentication to endpoints and do not rely on the complexity of ExpressJS settings to do so.

Julian Knight