How to perform hardening on your Nodinite installation

Make sure you at least use the https protocol

Do use HTTPS

We strongly recommend the usage of server based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Web Client and the Browser.

Internet Information Services (IIS) Server Certificate Installation Instructions

The Web Client, Log API, Web API all supports HTTPS. There is a performance overhead using HTTPS. You need to decide if the Web Client and the Web API needs a secure transport in between. One way to overcome this still being secure is to only allow local calls to the Web Api, isolating the different IIS Applications in different IIS Sites (with different enabled protocols and bindings).

  1. Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic dns solution)
  2. Create a DNS record pointing to the Web Client server.
  3. Create a valid certificate (Note: SHA1 based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example using Let's Encrypt, an easy way to is use Certify SSL Manager that supports IIS.
  4. Install a valid certificate on the IIS
  5. Make sure to redirect incoming calls (multiple solutions to accomplish this exists)

Redirect traffic from HTTP to HTTPS

web.config example for how redirecting incoming HTTP calls -> HTTPS and if the user is accessing the root folder or any other folder the user will be redirected to the Web Client
This web.config file should be placed in the root of the Nodinite installation folder C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\ in where you should locate the LogAPI, WebAPI and WebClient folders.
The redirect for HTTP to HTTPS traffic rule is ignored for the Log API since some of the WCF services must be run on other ports for example the LogApiService.svc

Requirers the IIS plugin URL Rewrite Module 2.1 scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
					<match url="^((?!logapi).*)$" />
					<conditions>
						<add input="{HTTPS}" pattern="^OFF$" />
						<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
				</rule>
				<rule name="Redirect to Web Client" stopProcessing="true">
					<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
					<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
					<conditions>
						<add input="{HTTPS}" pattern="^ON$" />
					</conditions>
				</rule>                  
			</rules>
		</rewrite>
		<security>
			<requestFiltering>
				<hiddenSegments>

				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

Remember to change the demo.nodinite.com to your DNS name. And the path to the /WebClient/ if located in an virtual directory for example like nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient)

Note: If your IIS does not allow the http protocol additional configuration of web.config files may be required