- 6 minutes to read

How to perform hardening on your Nodinite installation

Make sure you at least use the HTTPS protocol.

Restrict users by IP

The Log API does not currently use an authentication scheme. Hence, you may need to apply TCP/IP restrictions (e.g. add firewall rules).

Microsoft has detailed instructions for configuring your IIS to restrict by IP Address; please review the following user guide IIS 8.0 Dynamic IP Address Restrictions

Do use HTTPS

We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Web Client and the Browser.

Internet Information Services (IIS) Server Certificate Installation Instructions

The Web Client, Log API, Web API all support HTTPS. There is a performance overhead using HTTPS; You need to decide if the Web Client and the Web API need a secure transport in between. One way to address this concern is to only allow local calls to the Web API, isolating the various IIS Applications in different IIS Sites (with different enabled protocols and bindings).

  1. Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires a dynamic DNS solution)
  2. Create a DNS record pointing to the Windows Server with the Web Client
  3. Create a valid certificate (Note: SHA1-based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example, using Let's Encrypt, an easy way to use Certify SSL Manager that supports IIS.
  4. Install a valid certificate on the IIS
  5. Make sure to redirect incoming calls (multiple solutions to accomplish this exist)

Local development

On your local IIS dev environment, you can opt to use a self-signed cert. NOTE: These need to be updated now and then.


New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

Make sure to put this cert in the Trusted Root Certification Authorities store as well (local computer).

This self-signed cert is operational if the hostname is localhost.

Redirect traffic from HTTP to HTTPS

Here you will find a web.config example, redirecting the inbound HTTP calls to HTTPS, and also, if the user is accessing the root folder, or any other folder the user is redirected to the Web Client

The web.config file must be placed in the root of the Nodinite installation folder, by default: C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\. The subfolders should contain the LogAPI, WebAPI and WebClient folders.

Note: The redirect requires the following IIS plugin: URL Rewrite Module 2.1 scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
					<match url="^((?!logapi).*)$" />
					<conditions>
						<add input="{HTTPS}" pattern="^OFF$" />
						<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
				</rule>
				<rule name="Redirect to Web Client" stopProcessing="true">
					<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
					<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
					<conditions>
						<add input="{HTTPS}" pattern="^ON$" />
					</conditions>
				</rule>                  
			</rules>
		</rewrite>
		<security>
			<requestFiltering>
				<hiddenSegments>

				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

Remember to change the demo.nodinite.com to your DNS name. And the path to the /WebClient/ if located in an virtual directory for example, like nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient)

NOTE: If your IIS does not allow the HTTP protocol additional configuration of web.config files may be required

HTTPS using a DNS name with redirection of the Web Client

This documentation is very useful if your IIS is hosted by a virtual machine in the cloud (Azure/AWS/...) (workgroup or domain joined)

  1. Create a new folder for your DNS domain name, for example, C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com%

  2. Create a new website

    1. Enter the site name, in this example nodinite.yourdomain.com
    2. Select the default app pool
    3. Set the physical path to the path you provided in the first step (#1)
    4. From within the Bindings panel, set the type to HTTPS
    5. Change the port (if it is not already set to use 443)
    6. Change the domain name to the name you are using as the DNS name, and most probably also named in your certificate, in this example nodinite.yourdomain.com
    7. Select the appropriate certificate
      IIS Bindings
  3. Set the Authentication settings (enable the following two, all others must be set to disable)

    1. ASP.NET Impersonation
    2. Windows Authentication
      Authentication
  4. Create a new Web Application and call it WebClient

    1. Change the Application pool to use the existing application pool for the Web Client
    2. Set the path to the existing folder for the Web Client, for example, C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
    3. Set the same Authentication settings as in step 3.
  5. Redirect traffic from the new site to the WebClient application by creating a new file called index.html or default.html

    • Add the content below.
      • Replace https://nodinite.yourdomain.com/webclient/ as appropriate to your setup
    • This file must be placed in the folder in the first step (#1).

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
        <script type="text/javascript">
            window.location.href = "https://nodinite.yourdomain.com/webclient/"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
        If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to an example</a>.
    </body>
</html>
  1. Perform a test by navigating to https://nodinite.yourdomain.com. This test should not be performed locally; but from a client browser on for example your laptop/device/desktop computer.
NOTE: If your server is domain joined and running as a registered user within the Nodinite instance, you should automatically get into the Web Client's start page (Dashboard). Otherwise, a login prompt presents itself.
Repeat the steps above for each environment if you co-host multiple instances on the same IIS server.

Next Step

Install Nodinite