Monday 24 October 2016

unRAID Node-RED Docker with HTTPS

I'm knee-deep in setting up a bunch of automation stuff and was very interested to come across a blog article from Nathan Chantrell outlining how to set up an Amazon Echo skill to allow voice commands such as 'Alexa, tell the house to....'. This allows Echo to be extended beyond just the basic 'turn on, turn off' commands and permits custom responses as well.

Nathan uses Node-RED at the core of his automation system and I've been gravitating towards this as well, having previously set it up as an unRAID docker for helping openHab communicate with my legacy Comfort controller. It's a very flexible system and, when combined with MQTT, really does offer a great solution for managing automation messaging.

However, to implement this skill, it's necessary to allow Amazon development servers to have access to my Node-RED instance running on my unRAID. The first step in this is getting Node-RED running in HTTPS mode.


Huge thanks to Ben Hardill as well whose blog post pointed the way.

With Node-RED docker stopped, I ssh'd into unRAID and navigated to the nodered data folder and opened the settings file;

cd /mnt/user/docker/appdate/nodered

nano settings.js

Here, I uncommented the var fs= require("fs"); line near the top and these lines in the HTTPS section about two thirds of the way down;

https: {
  key: fs.readFileSync('privatekey.pem'),
  cert: fs.readFileSync('certificate.pem')
}

Close and save the file then access a cmd prompt inside the Docker itself;

docker exec -it NodeRed-OfficialDocker /bin/bash

Inside there, run these commands to create a key and cert;

openssl genrsa -out privatekey.pem
openssl req -new -x509 -key privatekey.pem -out certificate.pem -days 1095

The second one prompts for a set of inputs like country code, address etc. For the 'Common Name' prompt, I input the IP address of my unRAID server.
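An added example, not part of the original post: current browsers match an IP address against the certificate's subjectAltName rather than its Common Name, and the key size is better stated than left to the openssl default. The sketch below generates the same two files non-interactively with a 2048-bit key and an IP SAN, then checks the result; the address 192.0.2.10, the req.cnf file name and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). HOST_IP is a constructed
# documentation address; replace it with the server's own address.
HOST_IP="192.0.2.10"

# make_cert DIR IP: write privatekey.pem and certificate.pem into DIR.
make_cert() {
    dir=$1 ip=$2
    # Non-interactive request config; the v3 section adds the IP as a SAN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
subjectAltName = IP:$ip
EOF
    # umask keeps the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/privatekey.pem" 2048 ) 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 1095 -config "$dir/req.cnf" \
        -key "$dir/privatekey.pem" -out "$dir/certificate.pem"
}

# cert_covers_ip CERT IP: succeed only if IP is listed as a SAN entry.
cert_covers_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text |
        grep -Eq "IP Address:${ip_re}[[:space:]]*(,|\$)"
}

# cert_key_bits CERT: print the size of the certificate's public key in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demo in a scratch directory; on the server, point make_cert at the
# folder that settings.js reads the two .pem files from.
work=$(mktemp -d)
make_cert "$work" "$HOST_IP" && cert_covers_ip "$work/certificate.pem" "$HOST_IP" \
    && echo "SAN ok, key bits: $(cert_key_bits "$work/certificate.pem")"
rm -rf "$work"
```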

That was it. Starting up Node-RED I could now access the interface in HTTPS mode. As a test, I opened a port on my router and could access http nodes from the interweb. I do receive a 'not private' browser alert as the cert is self-signed but it's fine for testing purposes.

So that's step 1 completed. Next, I need to add extra security so that not all of my nodes are exposed through the open port. Reverse proxies through Apache, nginx or ha-proxy. Here be dragons but I'll figure it out!

UPDATE 1: while this process worked for Node-RED, I needed to make an update to the certificate generation process based on the Amazon developer notes.

UPDATE 2: even with a correctly generated cert, the Amazon Alexa skill would not accept it. The issue and workaround are documented in this thread.

UPDATE 3: it would be a good idea to secure the admin UI as described in Node-RED docs.

UPDATE 4: I'm no longer running Node-RED like this as I've set up Apache with SSL, authentication and reverse proxy which adds extra security. Node-RED docker can also run in vanilla HTTP mode again.


