balena-node-red - access to editor on balena tunnel only

Hi all,

I’m basing a project off of balena-node-red and I’d like to disable the editor from being visible on the network, so that nosy users can’t open the web editor and take a peek. I would of course still like to access the editor via balena tunnel <uuid> -p [port]:[port].

I’ve confirmed that I can currently use balena tunnel as described. I tried to turn off editor access by editing the settings.js file for Node-RED to set uiHost to localhost ( but this seems to block any connections at all, which isn’t expected.

Is it the case that the tunnel is considered outside of localhost, therefore the UI is not visible?

Can somebody advise?

Hello @joearkay that’s a really interesting question, but let me take 1 step back.

Did you try to use the credentials to access to the UI? balena-node-red/settings.js at 4a75e4845f8a0c6edf5b430fa2c7709596c121e2 · balenablocks/balena-node-red · GitHub

With that you would avoid to people to access to the UI, right? is that what you want?

Thanks for the comment. Yes, I’m using credentials so that nobody can edit the Node-REDs flow via the editor, however without logging into Node-RED it’s still possible to have a look into the flows, credentials and generally ‘poke’ into a UI that I’d prefer to not be accessible on the local network.

For example, see the screenshot below of what is visible without logging into the editor:

I’d like to limit access to the web editor to either ssh tunnel locally, or balena tunnel remotely. Do you think this may be possible?


Yes! you are right @joearkay i was confused with another app that introduces the credentials before getting into NodeRED!

Let me research a bit more on this!

Thanks :slight_smile:

1 Like

Fantastic - thanks. I think the uiHost idea doesn’t work because this limits access to the localhost only. balena tunnel allows access to ports available externally to the device, for which the Node-RED editor port 80 wouldn’t be in this case. So perhaps uiHost is not the answer here.

Could you please confirm the network_mode of your nodeRED service on your docker compose?

network_mode: host, so should not be isolated to the container only.

That should work @joearkay … not sure about the uiHost feature of NodeRED. I’m going to research more today as i’m preparing a project with NodeRED!

balena tunnel allows access to ports available externally to the device

@joearkay, I tested it and indeed observed balena tunnel to print “500 Internal Server Error” when a socket/port is bound to instead of being bound to :: or
tunnel: "500 Internal Server Error" when connecting to remote port bound to · Issue #2366 · balena-io/balena-cli · GitHub

I have found a workaround that combines ssh -L with balena tunnel to allow remote access to a remote port bound to It is described as comment in the same GitHub issue. With that workaround, I believe you could continue to set uiHost to, and access the UI remotely through the tunnel to your workstation. Let us know if works for you.

Thank you @pdcastro on showing a workaround to help @joearkay to access via localhost.

Joe i found another way to introduce the login and password before accessing the Node Red UI using a “public” local IP address. Not sure what NodeRED are you using, but if you go to the setttings.js file and delete on the adminAuth the defaults lines, then nodeRED will force you to access using username and password.

Check here on our repo balena-node-red/settings.js at 4a75e4845f8a0c6edf5b430fa2c7709596c121e2 · balenablocks/balena-node-red · GitHub

BTW to create the password follow this tutorial Securing Node-RED : Node-RED at balena we are trying to improve this very soon! I will keep you updated!

Let me know if that works as well :slight_smile:

Interesting, thanks both @mpous and @pdcastro - I’m going to give both suggestions a try and feedback!

BTW @joearkay check here the latest iteration of the balena-node-red block we published today!

the username and password credentials are managed through Device Variables.

Thanks - checking out now! I just so happened to watch your section on the Node-RED con 2021 - looks like I asked the right question at the right time :wink:

1 Like

indeed! The right question at the right time :slight_smile:

Let me know if that works for you @joearkay