How to perform hardening on your Nodinite installation
Make sure you at least use the HTTPS protocol.
Restrict users by IP
The Log API does not currently use an authentication scheme. Hence, you may need to apply TCP/IP restrictions (e.g. add firewall rules).
Microsoft has detailed instructions for configuring your IIS to restrict by IP Address; please review the following user guide IIS 8.0 Dynamic IP Address Restrictions
Do use HTTPS
We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Web Client and the Browser.
Internet Information Services (IIS) Server Certificate Installation Instructions
The Web Client, Log API, Web API all support HTTPS. There is a performance overhead using HTTPS; You need to decide if the Web Client and the Web API need a secure transport in between. One way to address this concern is to only allow local calls to the Web API, isolating the various IIS Applications in different IIS Sites (with different enabled protocols and bindings).
- Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires a dynamic DNS solution)
- Create a DNS record pointing to the Windows Server with the Web Client
- Create a valid certificate (Note: SHA1-based certificates are being deprecated, read more here)
- Reuse from existing company policies
- Issue and manage a free certificate, for example, using Let's Encrypt, an easy way to use Certify SSL Manager that supports IIS.
- Install a valid certificate on the IIS
- Make sure to redirect incoming calls (multiple solutions to accomplish this exist)
Local development
On your local IIS dev environment, you can opt to use a self-signed cert. NOTE: These need to be updated now and then.
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
Make sure to put this cert in the Trusted Root Certification Authorities store as well (local computer).
This self-signed cert is operational if the hostname is localhost.
Redirect traffic from HTTP to HTTPS
Here you will find a
web.config
example, redirecting the inbound HTTP calls to HTTPS, and also, if the user is accessing the root folder, or any other folder the user is redirected to the Web Client
The web.config
file must be placed in the root of the Nodinite installation folder, by default: C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\
. The subfolders should contain the LogAPI
, WebAPI
and WebClient
folders.
Note: The redirect requires the following IIS plugin: URL Rewrite Module 2.1 scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
<match url="^((?!logapi).*)$" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
<rule name="Redirect to Web Client" stopProcessing="true">
<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
<conditions>
<add input="{HTTPS}" pattern="^ON$" />
</conditions>
</rule>
</rules>
</rewrite>
<security>
<requestFiltering>
<hiddenSegments>
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Remember to change the
demo.nodinite.com
to your DNS name. And the path to the/WebClient/
if located in an virtual directory for example, likenodinite-test
(http://demo.nodinite.com/nodinite-test/WebClient)
NOTE: If your IIS does not allow the HTTP protocol additional configuration of web.config files may be required
HTTPS using a DNS name with redirection of the Web Client
This documentation is very useful if your IIS is hosted by a virtual machine in the cloud (Azure/AWS/...) (workgroup or domain joined)
Create a new folder for your DNS domain name, for example,
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com%
Create a new website
- Enter the site name, in this example
nodinite.yourdomain.com
- Select the default app pool
- Set the physical path to the path you provided in the first step (#1)
- From within the Bindings panel, set the type to HTTPS
- Change the port (if it is not already set to use 443)
- Change the domain name to the name you are using as the DNS name, and most probably also named in your certificate, in this example
nodinite.yourdomain.com
- Select the appropriate certificate
- Enter the site name, in this example
Set the Authentication settings (enable the following two, all others must be set to disable)
Create a new Web Application and call it
WebClient
- Change the Application pool to use the existing application pool for the Web Client
- Set the path to the existing folder for the Web Client, for example,
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
- Set the same Authentication settings as in step 3.
Redirect traffic from the new site to the
WebClient
application by creating a new file calledindex.html
ordefault.html
- Add the content below.
- Replace
https://nodinite.yourdomain.com/webclient/
as appropriate to your setup
- Replace
- This file must be placed in the folder in the first step (#1).
- Add the content below.
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
<script type="text/javascript">
window.location.href = "https://nodinite.yourdomain.com/webclient/"
</script>
<title>Page Redirection</title>
</head>
<body>
<!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to an example</a>.
</body>
</html>
- Perform a test by navigating to
https://nodinite.yourdomain.com
. This test should not be performed locally; but from a client browser on for example your laptop/device/desktop computer.