
How to perform hardening on your Nodinite installation

At a minimum, use the HTTPS protocol.

Restrict users by IP

The Log API is not yet authenticated, so you may need to restrict the IP addresses from which logs can be sent.

Microsoft has detailed instructions for configuring IIS to restrict access by IP address; see the user guide IIS 8.0 Dynamic IP Address Restrictions. Note that dynamic restrictions block clients based on their request rate. To allow only a fixed set of known senders, use the static allow list in the same IP Address and Domain Restrictions feature (allowUnlisted="false" plus one entry per sender). In both cases IIS evaluates the source address it sees on the TCP connection: behind a reverse proxy or load balancer that is the proxy's address. IIS 8 and later can be told to use the X-Forwarded-For header instead (Enable Proxy Mode), but that is only safe when every request reaches IIS through a proxy that overwrites the header, because a client talking to IIS directly can set it to anything.
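The allow-list variant, as an added example that is not part of the Nodinite documentation. It assumes the Log API is the IIS application 'LogAPI' under 'Default Web Site' and that the only hosts sending logs are the 10.20.30.0/24 subnet and the host 192.168.5.17; change all three to match your installation.

```powershell
# Added example, not part of the Nodinite documentation: allow-list the senders
# of the unauthenticated Log API with IIS static IP restrictions.
# Assumptions (change to match your installation): the Log API is the IIS
# application 'LogAPI' under 'Default Web Site', and the only hosts that send
# logs are the 10.20.30.0/24 integration subnet and the single host 192.168.5.17.
# Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

$location = 'Default Web Site/LogAPI'        # <site>/<application>, as IIS names it
$appHost  = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config, not the app's web.config
$filter   = 'system.webServer/security/ipSecurity'
$allowedSenders = @(
    @{ ipAddress = '10.20.30.0';   subnetMask = '255.255.255.0'   }   # integration subnet (assumed)
    @{ ipAddress = '192.168.5.17'; subnetMask = '255.255.255.255' }   # one integration host (assumed)
)

# 1. The feature behind "IP Address and Domain Restrictions" must be installed.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 2. Deny everything that is not explicitly allowed. Writing to a <location>
#    in applicationHost.config keeps the rule out of reach of any web.config
#    that ships with the application, and works even if the section is locked.
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# 3. Add each sender once (re-running the script must not create duplicates).
$existing = @(Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add")
foreach ($sender in $allowedSenders) {
    $present = $existing | Where-Object {
        $_.ipAddress -eq $sender.ipAddress -and $_.subnetMask -eq $sender.subnetMask
    }
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter `
            -Name '.' -Value @{ ipAddress = $sender.ipAddress; subnetMask = $sender.subnetMask; allowed = $true }
    }
}

# 4. Show the effective rules so the change can be reviewed.
Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Check the result from two machines: a request to the Log API from a listed address should succeed as before, while the same request from an address that is not listed should get HTTP 403 (the default deny action). The rule only covers the 'LogAPI' application, so the Web Client and Web API are unaffected.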

Do use HTTPS

We strongly recommend using a server certificate to enforce the HTTPS protocol and to protect the confidentiality and integrity of data sent between the browser and the Web Client.

Internet Information Services (IIS) Server Certificate Installation Instructions

The Web Client, Log API and Web API all support HTTPS. HTTPS has some performance overhead, so decide whether the traffic between the Web Client and the Web API needs a secure transport of its own. One way to keep that hop secure without the overhead is to allow only local calls to the Web API, by isolating the IIS applications in separate IIS sites with different enabled protocols and bindings.

  1. Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic DNS solution)
  2. Create a DNS record pointing to the Windows Server with the Web Client
  3. Create a valid certificate (Note: SHA1 based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example from Let's Encrypt; Certify SSL Manager supports IIS and is an easy way to do this
  4. Install the certificate in IIS
  5. Make sure incoming HTTP calls are redirected to HTTPS (several ways to accomplish this exist)

Redirect traffic from HTTP to HTTPS

web.config example that redirects incoming HTTP calls to HTTPS; a user who requests the root folder, or any folder other than the three applications, is redirected to the Web Client.
Place this web.config file in the root of the Nodinite installation folder, C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\, where the LogAPI, WebAPI and WebClient folders are located.

Note 1: The HTTP to HTTPS redirect rule deliberately excludes the Log API, since some of its WCF services, for example 'LogApiService.svc', must be run on other ports. Combine this with the IP restriction described above.

Note 2: Requires the IIS extension URL Rewrite Module 2.1: on that page, scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
					<match url="^((?!logapi).*)$" />
					<conditions>
						<add input="{HTTPS}" pattern="^OFF$" />
						<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
				</rule>
				<rule name="Redirect to Web Client" stopProcessing="true">
					<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
					<conditions>
						<add input="{HTTPS}" pattern="^ON$" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
				</rule>
			</rules>
		</rewrite>
		<security>
			<requestFiltering>
				<hiddenSegments>

				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

Note: Remember to change demo.nodinite.com to your own DNS name (the value is a regular expression matched against the Host header). Also change the /WebClient/ path if the application is located in a virtual directory, for example nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient).

Note: If your IIS does not allow the HTTP protocol at all, additional configuration of the web.config files may be required.

HTTPS using a DNS name with redirection of the Web Client

This section is especially useful if your IIS is hosted on a virtual machine in the cloud (Azure, AWS, ...), whether workgroup or domain joined.

  1. Create a new folder named after your DNS name, for example C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com% (replace the %...% placeholders with your environment name and DNS name)

  2. Create a new web site

    1. Enter the site name (nodinite.yourdomain.com)
    2. Select the default app pool (the site root only serves the redirect page)
    3. Set the physical path to the folder created in the first step
    4. In the Bindings panel, set the type to HTTPS
    5. Set the port to 443 if not already set
    6. Set the host name to the DNS name you are using, which is most probably also the name in your certificate (nodinite.yourdomain.com)
    7. Select the certificate
      (Screenshot: IIS Bindings)
  3. Set the Authentication settings: enable the following two, all others must be disabled

    1. ASP.NET Impersonation
    2. Windows Authentication
      (Screenshot: Authentication)
  4. Create a new Web Application and call it WebClient

    1. Change the Application pool to the existing application pool for the Web Client
    2. Set the path to the existing folder for the Web Client, for example C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
    3. Set the same Authentication settings as in step 3.
  5. Redirect traffic from the new site to the WebClient application by creating a new file called index.html or default.html and add the content below. This file must be placed in the folder in the first step.


<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
        <script type="text/javascript">
            window.location.href = "https://nodinite.yourdomain.com/webclient/"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to the Web Client</a>.
    </body>
</html>
  6. Test by navigating to https://nodinite.yourdomain.com. Do this from a client browser on, for example, your own laptop, device or desktop computer, not locally on the server. Since the new site has only an HTTPS binding, plain http://nodinite.yourdomain.com should not answer at all; verify that too.
Note: If your server is domain joined and you are logged on as a registered user, you should land directly on the start page (Dashboard) of the Web Client. Otherwise you will be prompted to log in.
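Steps 1 to 5 of this procedure as one script, added here as an example and not part of the Nodinite documentation. It assumes the environment folder is 'Production', the DNS name is nodinite.yourdomain.com, a certificate for that name is already in the machine store, the Web Client's existing application pool is called 'Nodinite WebClient', and IIS 8 or later (SNI) is in use; change these to match your installation.

```powershell
# Added example, not part of the Nodinite documentation: steps 1 to 5 above as
# one script. Assumptions (change to match your installation): the environment
# folder is 'Production', the DNS name is nodinite.yourdomain.com, a certificate
# for that name is already in the machine certificate store, the Web Client's
# existing application pool is called 'Nodinite WebClient', and IIS 8 or later
# (SNI) is in use. Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

$dnsName       = 'nodinite.yourdomain.com'
$coreServices  = 'C:\Program Files\Nodinite\Production\Nodinite Core Services'
$siteRoot      = Join-Path $coreServices $dnsName       # step 1: folder named after the DNS name
$webClientPath = Join-Path $coreServices 'WebClient'    # step 4.2: existing Web Client folder
$webClientPool = 'Nodinite WebClient'                   # step 4.1: existing app pool (assumed name)
$appHost       = 'MACHINE/WEBROOT/APPHOST'

# Step 1: the site root only holds the redirect page.
New-Item -ItemType Directory -Path $siteRoot -Force | Out-Null

# Step 2: a new site with a single HTTPS binding on 443 for the host name (SNI).
if (-not (Get-Website -Name $dnsName)) {
    New-Website -Name $dnsName -PhysicalPath $siteRoot -ApplicationPool 'DefaultAppPool' `
        -Port 443 -HostHeader $dnsName -Ssl | Out-Null
    Set-WebBinding -Name $dnsName -BindingInformation "*:443:$dnsName" -PropertyName sslFlags -Value 1
}
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$dnsName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $dnsName in LocalMachine\My" }
(Get-WebBinding -Name $dnsName -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')

# Steps 3 and 4.3: Windows Authentication on, anonymous off, ASP.NET impersonation on.
# Basic and Digest authentication are off unless someone enabled them; leave them off.
function Set-NodiniteAuthentication([string]$location) {
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
    # ASP.NET impersonation is a system.web setting, so it goes into the location's web.config.
    $psPath = 'IIS:\Sites\' + ($location -replace '/', '\')
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/identity' -Name impersonate -Value $true
}
Set-NodiniteAuthentication $dnsName

# Step 4: the WebClient application on the existing pool and folder.
if (-not (Get-WebApplication -Site $dnsName -Name 'WebClient')) {
    New-WebApplication -Site $dnsName -Name 'WebClient' -PhysicalPath $webClientPath `
        -ApplicationPool $webClientPool | Out-Null
}
Set-NodiniteAuthentication "$dnsName/WebClient"

# Step 5: the redirect page in the site root, pointing at the Web Client.
$target = "https://$dnsName/webclient/"
@"
<!DOCTYPE HTML>
<html lang="en-US">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="refresh" content="0; url=$target">
    <title>Page Redirection</title>
  </head>
  <body>If you are not redirected automatically, follow this <a href="$target">link to the Web Client</a>.</body>
</html>
"@ | Set-Content -Path (Join-Path $siteRoot 'index.html') -Encoding UTF8
```

The script is written to be re-runnable: it creates the site and the application only when they are missing, and the authentication settings are idempotent. Afterwards, run the test in step 6 from a client machine, and confirm in IIS Manager that the new site lists exactly one binding (https, 443, the host name) and that Anonymous Authentication is disabled on both the site and the WebClient application.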