- 6 minutes to read

How to perform hardening on your Nodinite installation

Make sure you at least use the HTTPS protocol

Restrict users by IP

The Log API is not yet authenticated and you may need to restrict from what IP addresses logs can be sent.

Microsoft has detailed instructions for configuring your IIS to restrict by IP Address, please review the following user guide IIS 8.0 Dynamic IP Address Restrictions

Do use HTTPS

We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Web Client and the Browser.

Internet Information Services (IIS) Server Certificate Installation Instructions

The Web Client, Log API, Web API all support HTTPS. There is a performance overhead using HTTPS. You need to decide if the Web Client and the Web API needs a secure transport in between. One way to overcome this still being secure is to only allow local calls to the Web API, isolating the different IIS Applications in different IIS Sites (with different enabled protocols and bindings).

  1. Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic DNS solution)
  2. Create a DNS record pointing to the Windows Server with the Web Client
  3. Create a valid certificate (Note: SHA1 based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example, using Let's Encrypt, an easy way to is use Certify SSL Manager that supports IIS.
  4. Install a valid certificate on the IIS
  5. Make sure to redirect incoming calls (multiple solutions to accomplish this exists)

Redirect traffic from HTTP to HTTPS

Here you will find a web.config example, redirecting the inbound HTTP calls to HTTPS, and also, if the user is accessing the root folder, or any other folder the user will be redirected to the Web Client

The web.config file must be placed in the root of the Nodinite installation folder, by default: C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\. The sub folders should contain the LogAPI, WebAPI and the WebClient folders.

Note 1: The redirect for HTTP to HTTPS traffic rule is ignored for the Log API since some of the WCF services might use other ports for example, the LogApiService.svc

Note 2: The redicrect requires the following IIS plugin: URL Rewrite Module 2.1 scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
					<match url="^((?!logapi).*)$" />
					<conditions>
						<add input="{HTTPS}" pattern="^OFF$" />
						<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
				</rule>
				<rule name="Redirect to Web Client" stopProcessing="true">
					<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
					<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
					<conditions>
						<add input="{HTTPS}" pattern="^ON$" />
					</conditions>
				</rule>                  
			</rules>
		</rewrite>
		<security>
			<requestFiltering>
				<hiddenSegments>

				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

Remember to change the demo.nodinite.com to your DNS name. And the path to the /WebClient/ if located in an virtual directory for example, like nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient)

Note: If your IIS does not allow the HTTP protocol additional configuration of web.config files may be required

HTTPS using a DNS name with redirection of the Web Client

This documentation is very useful if your IIS is hosted by a virtual machine in the cloud (Azure/AWS/...) (workgroup or domain joined)

  1. Create a new folder for your DNS domain name, for example C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com%

  2. Create a new web site

    1. Enter the site name, in this example nodinite.yourdomain.com
    2. Select the default app pool
    3. Set the physical path to the path you provided in the first step (#1)
    4. From within the Bindings panel, set the type to HTTPS
    5. Change the port (if it is not already set to use 443)
    6. Change the domain name to the name you are using as the DNS name, and most probably also named in your certificate, in this example nodinite.yourdomain.com
    7. Select the appropriate certificate
      IIS Bindings
  3. Set the Authentication settings (enable the following two, all others must be set to disabled)

    1. ASP.NET Impersonation
    2. Windows Authentication
      Authentication
  4. Create a new Web Application and call it WebClient

    1. Change the Application pool to use the existing application pool for the Web Client
    2. Set the path to the existing folder for the Web Client, for example C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
    3. Set the same Authentication settings as in step 3.
  5. Redirect traffic from the new site to the WebClient application by creating a new file called index.html or default.html

    • Add the content below.
      • Replace https://nodinite.yourdomain.com/webclient/ as appropriate to your setup
    • This file must be placed in the folder in the first step (#1).

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
        <script type="text/javascript">
            window.location.href = "https://nodinite.yourdomain.com/webclient/"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
        If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to example</a>.
    </body>
</html>
  1. Perform a test by navigating to https://nodinite.yourdomain.com. This test should not be performed locally, but from a client browser on for example your own laptop/device/desktop computer
Note: If your server is domain joined, and you are running as a registered user within the Nodinite instance, you should automatically get into the start page (Dashboard) of the Web Client. Otherwise, you will be prompted to login.