https everywhere is gaining momentum.
In my world, that means my website and aircraft tracking apps need to be tweaked so that they work with my SSL certificate.
The problem is that a few of the apps are either old, abandoned or never really had/have any way to add a certificate or both.
For no reason, I started with VRS, Virtual Radar Server and Node-RED.
VRS forums were no use at all. The author simply said it was on his to-do list back in 2015-2017. No updates on SSL that I can find since then.
Node-RED forums are usually very helpful, this time however, the search results were very sinister, they said that if you are asking about security for Node-RED then you have no business putting it on the web.
So I was left to stumble around in the dark a good while.
Here is how I solved it, and rest assured, based on the Node-RED forums, what I have done is wrong, very wrong and you should close this blog and turn off your Internet.
Since Node-RED and VRS (in my case) run on Windows, I needed something that would support that OS. Stunnel checks that box.
I have a certificate for thebaldgeek.net, so we are ready to go.
Add a port forward rule on your router (you might already have these in place) for VRS and Node-RED to point each of them to your Windows PC that will be running Stunnel.
Download Stunnel. Right click on the .exe and run as admin.
It will walk through the install, part of which is making a cert, just mash enter and get it done, we are not going to use the self signed cert they are making.
Once you are done, launch the app either from the check box on the installer, or from programfiles(x86)/stunnel.
Now the fun part.
I have not found a way to edit the conf file while its running, so I opened Windows services and right click ‘stop’ and then you can edit the stunnel conf file. Right click, ‘start’ the service to apply the settings.
Remove everything in the text file, its all example stuff that is not helpful.
Here are the contents of my .conf file.
cert = TheBaldGeek.pem
debug = crit
accept = 2288
connect = 2277
debug = crit
accept = 2880
connect = 1880
What is happening here?
VRS port forward rule on my router is incoming on 2288. That’s the port that people from the WWW will find my VRS on.
Internally, my VRS has its webserver on port 2277.
Node-RED will accept people from the WWW on 2880 and internally it is listening on 1880 (as per its settings.js file).
In both cases SSL will be applied to the connection from the global setting of the cert.
I should add here that you MUST set up your adminAuth in the Node-RED settings.js file. You MUST not allow the public to access your Node-RED editor.
I need my dashboard to be public, but you can also put it behind a user/pass as well if you like, but yeah, bad things WILL happen if you expose your editor.
Lastly, the debug = crit is to chill the stunnel log file out. It was logging every mouse click and I could not really see what was going on.
According to the stunnel readme, I should be able to protect a linux webserver on another PC in my network, but after some 5-7 hours of trying, I cant make it work which is a real shame as I’d love to use the one install / cert to protect all my web stuff.