I’m using an RPi4 with Mosquitto, Node-Red, Influxdb, and Grafana to create a quick and easy way to deploy an IoT Gateway with a built-in dashboard.
I’ve successfully got each section running and passing data by using the Balena-sense project as a reference and adding the Balena-Node-Red. My next step is to ensure that each section is properly secured and I plan to enable TLS for all 4 containers.
I want to create the certificates on the first boot and store them in the persistent data. I will also need to download them to my pc in order to connect as a client to the MQTT broker.
Unfortunately, I have minimal experience using LetsEncrypt or similar services and have never used them on Balena. Is there a recommended method for creating the Certificates?
Currently, I am not using the public URL feature but I intend to use it in the future to give me remote access to the Grafana dashboard and the Node-Red interface. Are there any other steps needed to secure it for the public URL?
Hey there, you can see an example repo here: https://github.com/balena-io-playground/balena-nginx on how to generate a certificate and use nginx as a reverse proxy. Aside from generating a certificate for your domain, you’ll need to protect your services using some form of authentication, as the public URL is public (as the name suggest :)) by default and we don’t provide any sort of authorization out of the box.
Thanks for the message. I’ll take a look at that repo.
For adding TLS for purely internal services - e.g without having the public URL turned on - will I need to use a domain name or can I use the IP address of the device?
I’m trying to make this as scale-able as possible so I don’t want to have to use a different domain name for each device.
I currently have set up the password authentication for both Node-Red and Grafana, and am in the process of ensuring that Influxdb is also secured by password.
What’s the reason for you needing a certificate for the internal services? If you need that, you can potentially create self-signed certificates, not sure if that would work for you though. You can check the let’s encrypt documentation and the repo I linked for more information, that should be a good start to figure out how to do start, please reach out if you’re still stuck
I will look into creating self signed certificates, as well as creating them with the cert bot and a domain. I am not 100% sure if I will need the public URL on, so self signed may be the best option. I am only using them to ensure that my services are encrypted and secure, as the devices may be used on non-secure networks.
