Google (nest) smart hub (home) integration with node-red and home assistant

I am following this tutorial for integrating google smart home with node-red so that I can trigger flows with “ok google …”. Node-red runs as an add-on in home assistant. My home assistant is exposed to the internet via a custom domain and a reverse proxy that does ssl off-loading using a letsencrypt valid ssl cert (required by the add-on but I already have this in place).

I have completed all the fun google authentication setup stuff in this tutorial. The final requirement for this setup is verifying that I can reach https://example.com:3001/check. The node-red-contrib-google-smarthome palette that I’ve added to node-red basically listens on this port 3001. So in order to achieve this I need to forward port 3001 on my domain to the home assistant host (I’ve done this) but I also need to tell home assistant to map port 3001 to the node-red container (not sure how to do this). Any advice?

Strictly speaking, it’s not that you need to forward from HA to NR. The google smarthome node is going to listen to whatever port is configured. However, docker isolates containers to only whatever is specifically allowed. This isolation also allows for a port to be mapped to another - for example, port 1234 outside the container might be mapped to port 5678 inside the container.

If you have control over the container’s configuration, you can do this yourself. However, I’m guessing that you’re using the Node Red addon, in which case you’re limited to what that addon allows you to do. Node Red normally listens to port 1880, and the addon allows you to map this to a different port outside the container. You can’t expose any other ports using this addon.

So technically you could map 1880 to 3001 outside the container, but this doesn’t help much, so you might as well just use 1880 everywhere instead. Either way, this will also expose your whole NR editor to the internet. From my minimal testing it looks like the addon will require your HA credentials (without 2FA) to get to the NR editor, and I assume no credentials for non-editor access (using NR’s “adminAuth” mechanism that is not exposed by the addon).

Personally I’d run this on a different machine. Assuming you used a docker container, you could then have it configured for port 3001 and not expose port 1880 to the internet at all (or at least protect it).

You’re correct that the plugin setup advised that I could re-use port 1880 and you’re also correct that if I do that I expose NR to the world and I do not want to do that.

I agree that I could run NR outside of HA to also resolve this but I’m not ready to do that.

I found that if I log into the host ssh at port 22222 then I can configure the container port mapping such that I can get the host port 3001 connected to the NR container.

The issue I ran into is that with the new palette enabled and supposedly listening on port 3001 in the container – I don’t see it. I checked using netcat, ss and wget and that port doesn’t appear to be open. I checked with a shell in the NR container itself. I’m not quite sure what I’m doing wrong. So I guess I’m stuck until I resolve that.

One thing I think I’m fundamentally misunderstanding is how port 1880 could even be shared in the first place. At the socket level you cannot share ports. So something else to enable this tcp communication on port 3001 (or reuse of 1880) must be occurring. Any ideas there?

The port isn’t being shared - Node Red is listening to 1880, and it allows multiple things inside Node Red to respond. This is, for example, how the http-in node works, as it is also “listening” on port 80. If you tried to start a separate docker container that was also listening on port 1880 (on the host), it would fail as already being in use.
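The point above (the kernel refuses a second listener on a port that is already bound, while a single HTTP server happily dispatches many routes on one port) is easy to see in a few lines. The following is an added example written for this thread, not code from Node-RED or the add-on; the route table and its responses are constructed to stand in for the editor and the smarthome node's `/check` endpoint. It also shows why exposing the listener for one route exposes every other route on that socket:

```python
import errno
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen


def second_bind_fails(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port, then try to bind a second
    socket to the same address. Returns True when the second bind is refused
    with EADDRINUSE, i.e. two processes cannot share one listening port."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    first.bind((host, 0))          # port 0 = let the kernel pick a free port
    first.listen(1)
    port = first.getsockname()[1]
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind((host, port))  # same host:port, no SO_REUSEPORT tricks
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        second.close()
        first.close()


# Constructed route table: one socket, several "things" answering on it.
ROUTES = {
    "/check": (200, "smarthome check ok"),  # what a smarthome node would serve
    "/": (200, "editor"),                    # what the editor would serve
}


class Dispatcher(BaseHTTPRequestHandler):
    """Single listener that picks the responder by path, like Node-RED on 1880."""

    def do_GET(self):
        status, body = ROUTES.get(self.path, (404, "not found"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_and_fetch(paths, host="127.0.0.1"):
    """Start ONE HTTP listener on an ephemeral port and fetch each path from it.
    Returns {path: (status, body)}; every path is answered by the same socket."""
    server = HTTPServer((host, 0), Dispatcher)
    port = server.server_port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for path in paths:
            try:
                with urlopen(f"http://{host}:{port}{path}") as resp:
                    results[path] = (resp.status, resp.read().decode())
            except HTTPError as e:
                results[path] = (e.code, e.read().decode())
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print("second bind refused:", second_bind_fails())
    print(serve_and_fetch(["/check", "/", "/nope"]))
```

The first function is the "already in use" failure a second container would hit; the second shows that reaching `/check` through a port also means `/` (the editor) is reachable through that same port unless something in front of it, such as a reverse proxy, filters by path or hostname.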

Oh ok, that makes sense. However, any idea why I couldn’t see port 3001 open?

How are you opening that port? With a docker container you would have to change the config and recreate the container. Or have a look at this, although I’m not sure how that will work with HA. It would also not survive a restart.

With this node-red add-on it defaults to port 3001 for http (tcp) communication. You’re supposed to port forward from your firewall to the node-red host. As you said, the HA node-red addon is in a container so the port is not open at the host. But I connected to the shell of the node-red container directly and checked if port 3001 was open and it was not. So that seems suspect.

The documentation for the addon says if you leave the port empty it will use the same as NR (i.e. normally 1880). Did you have it configured for 3001 and deployed when you checked? Not that it will help, because getting it accessible from outside the container is the hard part.

The tutorial recommended port 3001 and this is what I configured it for. It’s strange the port isn’t open when checking within the container.

Assuming I can fix this issue above then I know how to edit the docker compose file so that the container port is always open (even after reboots).

I just went through all this and here’s what works for me.

Since I have my own domain, I went into DNS and created a subdomain: nr.example.com. Forward that to your home IP.

I also use NGINX reverse proxy. So I created a new Proxy Host that sends nr.example.com to my HASSIO machine with a port of your choosing, e.g. 192.168.1.101:1234. This should not expose your whole NodeRed, just the SmartHome server.

NGINX can request a new SSL certificate for you, or use a wildcard if you have one.

In Node Red, set the Google SmartHome configuration node to the same port: 1234

Now test: https://nr.example.com/check

This way, when creating google actions, account linking, service account, credentials etc. there is no need to use any ports.

Now I just need to figure out the pros and cons of all the different types of devices.
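The reverse-proxy setup in the answer above, written out as a plain nginx server block (an added example for this thread, not configuration from the add-on, the palette or a poster). The upstream address 192.168.1.101:1234 and the subdomain are the values given in the answer; the certificate paths are assumptions for a Let's Encrypt layout and would be whatever NGINX Proxy Manager or certbot produced. Only the SmartHome node's port is proxied, so the Node-RED editor on 1880 is never referenced and stays unreachable through this hostname:

```nginx
# Added example: TLS termination for nr.example.com, forwarding only to the
# Google SmartHome node's listener (192.168.1.101:1234 in the answer above).
server {
    listen 443 ssl;
    server_name nr.example.com;

    # Assumed certificate paths; use the ones your certificate tool issued.
    ssl_certificate     /etc/letsencrypt/live/nr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nr.example.com/privkey.pem;

    location / {
        # Upstream is the SmartHome node's port, not the editor's 1880.
        proxy_pass http://192.168.1.101:1234;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send plain HTTP to HTTPS so the https://nr.example.com/check test (and the
# Google account-linking callbacks) never run over cleartext.
server {
    listen 80;
    server_name nr.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, `https://nr.example.com/check` should answer from the SmartHome node on 1234, and `https://nr.example.com/` should not show the Node-RED editor, since nothing in this block points at port 1880.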