How to Securely Host Node-RED in Cloud (For Free), and Safely Expose it to the Internet over HTTPS

Written by gourav-das | Published 2020/03/15
Tech Story Tags: node-red | ibm-cloud | aws | https | security | authetication | securing-node-red | programming


Node-RED bridges the finest pieces and abridges backyard to market delivery. This article intends to teach readers to host a secure & highly available Node-RED instance. For a couple of weeks, I worked on a project where I needed to secure my Node-RED.

Going through the blogs and posts, everything seemed very scattered on the internet, and I haven't found any article covering end-to-end Node-RED execution as a secured frontend client accessible on the web. So I thought I would share my experience with you.
Here we will use IBM Cloud to host our Node-RED; it's the best choice after exploring so many options (AWS, Azure & GCP). The integration is seamless. Node-RED is a pre-built IBM Cloud service that comes under the free-tier services of the Lite Plan. IBM Cloud doesn't need a credit card to avail its Lite Plan. You just need to sign up, follow the instructions below, and you are ready to go. Though it is an always-free service, Lite Plan services are deleted after 30 days of inactivity, and there are some other limitations; kindly read them (see below) before proceeding.

Prerequisites:

1. An IBM Cloud account. If you don't have one, click here to Sign up for IBM Cloud. You don't need a credit card to avail its Lite Plan, unlike the major CSPs.

Learning Objectives:

Though IBM Node-RED is capable of a lot more, here we focus on hosting Node-RED in IBM Cloud, enabling SSL to establish an HTTPS connection that is accessible on the web, and putting authentication on top of the Node-RED Editor and the HTTPS endpoints to restrict public access and protect them from perpetrators.

Limitations:

IBM Cloud Lite Plan (40+ services) is completely free without any commitment, and you will be able to use it for a long time, but it does come with some thresholds. For this exercise, let me cover a few.
  • Node-RED uses Cloud Foundry to host the application. The Lite Plan covers 256 MB per application, up to 4 apps, which is more than enough to run your workload.
  • Node-RED needs Cloudant (NoSQL DB) to keep its data. The Free Tier allows 1 Cloudant instance with 1 GB of data storage (it will take years to consume it entirely). Thus, you are restricted to creating only 1 Node-RED instance under the Lite Plan.
  • If you are happy with IBM Cloud, I do encourage you to upgrade to the Standard plan (Pay-as-you-go), where you will get 200 USD of free credit for 30 days to avail its services.
  • Lite Plan services are deleted after 30 days of inactivity.

Let's see something happen now.

1. Once you Sign Up, Click here to Login to IBM Cloud. Next, click on the catalog (1) and search for node-red (2). Click on the Software tab (3). Click on the Node-RED App tile (4), this will show you an overview of the Starter Kit and what it provides.
2. Click on the Create app button (1) to continue. Open Tutorial (2) in a new tab and follow steps 2 to 5 to host the Node-RED app. It is always better to learn from the maker. Also, I want to keep this document minimal and discuss only a few important points with readers. Alternatively, click here to redirect to Tutorial - Create a Node-RED starter app (Follow Step 2 - 5).
3. Once you are done, you can access your Node-RED Editor using the Cloud Foundry Visit App URL (e.g. https://node-red-flzvn.eu-gb.mybluemix.net/ ); keep it handy. At this point, you have provisioned Node-RED on IBM Cloud with an SSL certificate, and the Editor is protected from anonymous access.
Warning: This URL also works on http, so avoid using http:// and use https:// instead.

How to change Editor Username & Password & allow anonymous users to have read-only access to the editor

1. Navigate to Resource list from the Sidebar. Click the cloud foundry Node-RED app.
2. Click Runtime (1) from the sidebar and then select Environment variables (2).
3. Scroll down until you hit User defined.
  1. Click Add (1) to add the environment variables.
  2. NODE_RED_USERNAME - the username to secure the editor with
  3. NODE_RED_PASSWORD - the password to secure the editor with
  4. NODE_RED_GUEST_ACCESS - set to true (case sensitive) to allow anonymous users to have read-only access to the editor; this is not recommended.
  5. Click Save (3).
Thus here we have streamlined the Authentication and authorization. Next, we will see how to protect the HTTP endpoints hosted in Node-RED.

Protect the HTTP endpoint hosted in Node-RED.

1. Log in to the Node-RED editor, click on the menu button (three parallel horizontal lines) in the top right corner and select Manage Palette. It will open a new window (User Settings). Select the Install tab (1), search (2) for httpauth, and install (3) node-red-contrib-httpauth. Acknowledge the warning, click Install, and wait until you see Installed.
2. We will use a predefined flow and import it in the Node-RED. Click here to download the flows.json (Hit Save as and keep it on your local machine). Next, click on the menu button (three parallel horizontal lines) in the top right corner and select Import and pick the flows.json file. After that, a new tab (Secure Endpoint) will load the below schematic. Feel free to double-click the blocks and check the configuration settings.
3. Now, Double Click on the http auth block, it will open a new tab. Select Auth Type Digest (1), put Username (2) and Password (3), Click Done (4) and finally Click Deploy (5) at the top right corner.
4. Now, test whether the authentication is working. In your browser, enter the Node-RED URL and append /test (e.g. https://node-red-flzvn.eu-gb.mybluemix.net/test), enter your username and password for authentication, and you will then navigate to the secure web endpoint 🤗. If you are wondering why /test is appended 🤔, don't worry: you can change it. Just double-click the [get] /Test block as shown below and replace /test with your desired /path component.
Warning: If you provision a new flow, either keep the same username and password in your http auth block (else you need to enter the credentials each time) or use the same http auth block as shown below.
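A check for the two warnings above, as an added example that is not part of the original tutorial: it inspects how an endpoint such as /test answers unauthenticated requests over http:// and https://, and reports whether plain HTTP is redirected to HTTPS and whether the authentication challenge is Digest. The function names, finding labels and sample responses are assumptions made for this example.

```javascript
// Added example: audit how a Node-RED HTTP endpoint answers unauthenticated
// requests. A response is a plain object { status, headers } with
// lower-case header names.

// Parse a WWW-Authenticate header into { scheme, params }.
function parseChallenge(header) {
  if (!header) return null;
  const m = /^\s*(\w+)\s*(.*)$/.exec(header);
  if (!m) return null;
  const params = {};
  const re = /(\w+)=(?:"([^"]*)"|([^,\s]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2] : p[3];
  }
  return { scheme: m[1].toLowerCase(), params };
}

// Findings for one path, given the unauthenticated response over http://
// and the unauthenticated response over https://.
function assessEndpoint(httpResp, httpsResp) {
  const findings = [];
  const loc = (httpResp.headers.location || '').toLowerCase();
  const redirectsToTls =
    httpResp.status >= 300 && httpResp.status < 400 && loc.startsWith('https://');
  if (!redirectsToTls) findings.push('http-not-redirected');
  if (httpsResp.status !== 401) {
    findings.push('no-auth-required');
    return findings;
  }
  const ch = parseChallenge(httpsResp.headers['www-authenticate']);
  if (!ch) findings.push('missing-challenge');
  else if (ch.scheme !== 'digest') findings.push('challenge-not-digest:' + ch.scheme);
  return findings;
}

// Live probe using the global fetch of Node 18+; it is not called here so
// that the file runs offline. Pass its results to assessEndpoint().
async function probe(url) {
  const r = await fetch(url, { redirect: 'manual' });
  return { status: r.status, headers: Object.fromEntries(r.headers) };
}

// Constructed sample responses (not captured from a real deployment): the
// endpoint challenges with Digest on both schemes and never redirects.
const sampleHttp = { status: 401, headers: { 'www-authenticate': 'Digest realm="node-red", nonce="abc123", qop="auth"' } };
const sampleHttps = { status: 401, headers: { 'www-authenticate': 'Digest realm="node-red", nonce="def456", qop="auth"' } };
console.log(assessEndpoint(sampleHttp, sampleHttps));
```

An empty findings list means plain HTTP is redirected and the endpoint demands Digest credentials; to audit your own deployment, call probe() on the http:// and https:// forms of your app URL.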
Congratulations on completing the tutorial. It is an immense pleasure to see you here and reading this, I thank you individually. Stay curious and if you want more tutorials do let me know on LinkedIn.
Kindly Share & Comment only if you find it useful and help me on my mission to educate and familiarize people in the world of digitization 💪 #This is a Free tutorial and all my upcoming tutorials will be free and accessible from Public forums.# Appreciate if you drop me a note on LinkedIn & share your opinion. Don't worry, I don't bite 👻 so don't shy away 🏃🏻‍♀️ 🏃🏻. Your feedback will help me to come up with more awesome content on the internet. Check my other tech stories & tutorials @ https://hackernoon.com/@gourav-das

Written by gourav-das | Tech Enthusiast and Clouder. AWS 6x & Azure 2x Certified. & I still watch One piece and spongebob
Published by HackerNoon on 2020/03/15