Security Concerns... #100

Open
belveder79 opened this issue Jan 21, 2025 · 1 comment
Comments

@belveder79
I just stumbled into this today trying to get the module working on my node-red. I just wanted to bring up one issue that might or might not be relevant for you. Just curious about your opinions...

As likely everywhere, my system is behind a router and firewall, but in order to get the auth to connect with the callback address, I need to open or forward a port (which is a bad idea on its own, but whatever). So I did that, but it apparently puts my whole node-red public over the port and public IP.

My node-red instance is not secured inside my home (why should I do that?) and likely it is not for 90%+ of users. Obviously it is possible to lock the admin interface (or disable it entirely), lock it with a password and so on... still I think the "plain" way of forwarding a port to 1880 to make the callback work is not the greatest idea and protecting the interface with a password to have it still publicly visible is neither.

I fully understand the necessity and thoughts why it is like this in the module, but I wonder about your thoughts on security and if there was an option to mock things internally somehow to avoid this trap door...
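A settings.js shape for the "lock it with a password" and "disable it entirely" options the post mentions, as an added example (not code from the module or from either commenter). The keys are Node-RED's own settings (adminAuth, httpAdminRoot, uiPort); the username and bcrypt hash are placeholders, and the hash is produced with `node-red admin hash-pw`:

```javascript
// Default-style settings.js: nothing restricts the editor, so anyone who can
// reach port 1880 (e.g. through a forwarded port) gets the full admin UI.
const openSettings = {
  uiPort: 1880,
  // no adminAuth key: editor and admin HTTP API accept anonymous access
};

// Editor kept, but behind a login. Placeholder credentials: replace the hash
// with the output of `node-red admin hash-pw`.
const hardenedSettings = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin", password: "$2b$08$PLACEHOLDER_HASH", permissions: "*" },
    ],
    // Optional anonymous access; "read" is safe, "*" would re-open the editor.
    default: { permissions: "read" },
  },
};

// Editor disabled entirely; deployed flows and their HTTP endpoints still run.
const headlessSettings = {
  uiPort: 1880,
  httpAdminRoot: false,
};

// Evaluates a settings object the way a reviewer would: is the editor either
// switched off or behind credentials, with no anonymous full access?
function editorIsProtected(settings) {
  if (settings.httpAdminRoot === false) return true;
  const auth = settings.adminAuth;
  if (!auth || typeof auth.type !== "string") return false;
  if (auth.default && auth.default.permissions === "*") return false;
  if (auth.type === "credentials") {
    const users = Array.isArray(auth.users) ? auth.users : [];
    return users.length > 0 &&
      users.every(u => typeof u.password === "string" && u.password.startsWith("$2"));
  }
  return true; // strategy-based auth (e.g. OAuth); assumed configured correctly
}

module.exports = { openSettings, hardenedSettings, headlessSettings, editorIsProtected };
```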

@FireWizard52
Hi @belveder79, Hi Clemens,

You wrote:

As likely everywhere, my system is behind a router and firewall, but in order to get the auth to connect with the callback address, I need to open or forward a port (which is a bad idea on its own, but whatever). So I did that, but it apparently puts my whole node-red public over the port and public IP.

I'm in the same situation and actually I use "double NAT". Yes, I know the disadvantages of "double NAT", but I never had an issue and have used it for many years. However, I do not need to open a port in either of my (two) firewalls in order to receive a response. So my port 1880 is closed and so I'm not that concerned. I do not have many ports open to the internet, and if I need access to devices in my local LAN I always use a VPN into that LAN. The response is very simple and consists only of "OK".

My node-red instance is not secured inside my home (why should I do that?) and likely it is not for 90%+ of users. Obviously it is possible to lock the admin interface (or disable it entirely), lock it with a password and so on... still I think the "plain" way of forwarding a port to 1880 to make the callback work is not the greatest idea and protecting the interface with a password to have it still publicly visible is neither.

All my Node-RED instances are not secured as well, except one instance with user/password.

So check that, if you remove port-forwarding for port 1880, it also works, as I don't think port-forwarding to port 1880 is needed.

Regards
