balena-node-red - access to editor on balena tunnel only

Hi all,

I’m basing a project off of balena-node-red and I’d like to disable the editor from being visible on the network, so that nosy users can’t open the web editor and take a peek. I would of course still like to access the editor via balena tunnel <uuid> -p [port]:[port].

I’ve confirmed that I can currently use balena tunnel as described. I tried to turn off editor access by editing the settings.js file for Node-RED to set uiHost to localhost (127.0.0.1) but this seems to block any connections at all, which isn’t expected.

Is it the case that the tunnel is considered outside of localhost, therefore the UI is not visible?

Can somebody advise?

Hello @joearkay, that’s a really interesting question, but let me take one step back.

Did you try to use the credentials to access the UI? balena-node-red/settings.js at 4a75e4845f8a0c6edf5b430fa2c7709596c121e2 · balenablocks/balena-node-red · GitHub

With that you would prevent people from accessing the UI, right? Is that what you want?

Thanks for the comment. Yes, I’m using credentials so that nobody can edit the Node-RED flows via the editor; however, without logging into Node-RED it’s still possible to have a look into the flows, credentials and generally ‘poke’ into a UI that I’d prefer to not be accessible on the local network.

For example, see the screenshot below of what is visible without logging into the editor:

I’d like to limit access to the web editor to either ssh tunnel locally, or balena tunnel remotely. Do you think this may be possible?

Thanks

Yes! You are right @joearkay, I was confused with another app that introduces the credentials before getting into Node-RED!

Let me research a bit more on this!

Thanks :slight_smile:


Fantastic - thanks. I think the uiHost idea doesn’t work because this limits access to the localhost only. balena tunnel allows access to ports available externally to the device, for which the Node-RED editor port 80 wouldn’t be in this case. So perhaps uiHost is not the answer here.

Could you please confirm the network_mode of your nodeRED service on your docker compose?

network_mode: host, so should not be isolated to the container only.

That should work @joearkay … not sure about the uiHost feature of Node-RED. I’m going to research more today as I’m preparing a project with Node-RED!

> balena tunnel allows access to ports available externally to the device

@joearkay, I tested it and indeed observed balena tunnel to print “500 Internal Server Error” when a socket/port is bound to 127.0.0.1 instead of being bound to :: or 0.0.0.0:
tunnel: "500 Internal Server Error" when connecting to remote port bound to 127.0.0.1 · Issue #2366 · balena-io/balena-cli · GitHub

I have found a workaround that combines ssh -L with balena tunnel to allow remote access to a remote port bound to 127.0.0.1. It is described as a comment in the same GitHub issue. With that workaround, I believe you could continue to set uiHost to 127.0.0.1, and access the UI remotely through the tunnel to your workstation. Let us know if it works for you.

Thank you @pdcastro for showing a workaround to help @joearkay access via localhost.

Joe, I found another way to require the login and password before accessing the Node-RED UI using a “public” local IP address. Not sure which Node-RED you are using, but if you go to the settings.js file and delete the default lines in adminAuth, then Node-RED will force you to access it using a username and password.

Check here on our repo balena-node-red/settings.js at 4a75e4845f8a0c6edf5b430fa2c7709596c121e2 · balenablocks/balena-node-red · GitHub

BTW, to create the password, follow this tutorial: Securing Node-RED : Node-RED at balena. We are trying to improve this very soon! I will keep you updated!

Let me know if that works as well :slight_smile:
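To make the two suggestions above concrete (pdcastro’s uiHost binding and mpous’s removal of the adminAuth default), here is an added example that is not code from the thread or from the balena-node-red repository. It assumes only Node-RED’s documented settings.js keys `uiHost`, `uiPort` and `adminAuth` (where an `adminAuth.default` entry grants anonymous access), and the bcrypt hash is a placeholder. The two settings objects are constructed here to show the exposed and the hardened shape side by side, with small checks that encode what the thread found:

```javascript
// Added example, not from the thread or the balena-node-red repository.
// Assumes Node-RED's documented settings.js keys: uiHost, uiPort and adminAuth
// (adminAuth.default grants anonymous access; omitting it forces a login).
// The bcrypt hash is a placeholder; generate a real one with `node-red admin hash-pw`.

// Constructed "before": editor on every interface (uiHost unset) and an
// anonymous read-only default, so LAN users can browse flows without logging in.
const exposedSettings = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: "$2b$08$PLACEHOLDER_BCRYPT_HASH", permissions: "*" }],
    default: { permissions: "read" },
  },
};

// Constructed "after": loopback only and no anonymous default. Remote access then
// goes through an SSH -L forward that terminates on the device, not directly via
// `balena tunnel`, which returns a 500 for ports bound to 127.0.0.1 (balena-cli #2366).
const loopbackSettings = {
  uiHost: "127.0.0.1",
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: "$2b$08$PLACEHOLDER_BCRYPT_HASH", permissions: "*" }],
  },
};

const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);
const WILDCARD = new Set(["0.0.0.0", "::", ""]);

// True when the editor listens on a non-loopback address, i.e. the login page
// (and, with an anonymous default, the flows) is reachable from the LAN. This is
// also the condition under which `balena tunnel -p 1880:1880` reaches it directly.
function editorReachableFromLan(settings) {
  const host = settings.uiHost;
  if (host === undefined || WILDCARD.has(host)) return true;
  return !LOOPBACK.has(host);
}

// True when adminAuth lets unauthenticated users in (the "default" entry),
// or when there is no adminAuth at all.
function anonymousAccessAllowed(settings) {
  const auth = settings.adminAuth;
  if (!auth) return true;
  return auth.default !== undefined;
}

// Lists what still needs fixing; an empty list means the editor is off the LAN
// and requires a login.
function auditEditorExposure(settings) {
  const findings = [];
  if (editorReachableFromLan(settings)) findings.push("editor bound to a non-loopback address");
  if (anonymousAccessAllowed(settings)) findings.push("editor allows access without login");
  return findings;
}

// What Node-RED would load if this file were its settings.js.
if (typeof module !== "undefined") module.exports = loopbackSettings;
```

With `loopbackSettings` in place, the remote path I would expect (an assumption about the shape of the workaround pdcastro links, not its text) is: use `balena tunnel` to reach the device’s host-OS SSH port (22222 on balenaOS), then `ssh -L 1880:127.0.0.1:1880` through that connection so the forward terminates on the device where the loopback-bound editor is listening.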

Interesting, thanks both @mpous and @pdcastro - I’m going to give both suggestions a try and feedback!

BTW @joearkay check here the latest iteration of the balena-node-red block we published today!

The username and password credentials are managed through Device Variables.

Thanks - checking out now! I just so happened to watch your section on the Node-RED con 2021 - looks like I asked the right question at the right time :wink:


Indeed! The right question at the right time :slight_smile:

Let me know if that works for you @joearkay