How to perform hardening on your Nodinite installation
This guide empowers you to secure your Nodinite installation and ensure compliance with your organization's security policies. Learn how to enforce HTTPS, restrict access, and configure IIS for robust protection.
✅ Enforce HTTPS for encrypted, secure communication
✅ Restrict access by IP address for sensitive APIs
✅ Step-by-step IIS and certificate configuration
✅ Protect data privacy and integrity for all Users
Important
Always run Nodinite securely—use a certificate to enable the HTTPS protocol.
Diagram: Secure communication enforced with HTTPS and restricted HTTP access for Nodinite Web Client, Web API, and Log API.
Restrict Users by IP Address
Nodinite Log API (Versions 1-6) does not use authentication (Anonymous is allowed). Apply TCP/IP restrictions (e.g., firewall rules) to limit which clients can access it. Microsoft provides a detailed guide for configuring IIS to restrict by IP address: IIS 8.0 Dynamic IP Address Restrictions
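One way to apply such a restriction with the IIS "IP and Domain Restrictions" feature, so that only listed clients reach the anonymous Log API. This is an added example, not part of the original Nodinite documentation. The location `Default Web Site/LogAPI` and the address ranges are assumptions for illustration; replace them with your own values.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Assumptions for illustration: the Log API runs as application "LogAPI" under
# "Default Web Site"; the addresses below are constructed sample values.
$location = 'Default Web Site/LogAPI'
$filter   = 'system.webServer/security/ipSecurity'
$allowed  = @(
    @{ ipAddress = '10.20.30.0'; subnetMask = '255.255.255.0' },  # sample integration subnet
    @{ ipAddress = '127.0.0.1' }                                  # agents running on the IIS host
)

# The ipSecurity section requires the "IP and Domain Restrictions" role service
# (Windows Server; Get-WindowsFeature is part of the ServerManager module).
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

# Deny every client that is not explicitly listed. The section is locked at server
# level by default, so the setting is written to applicationHost.config via -Location.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $filter `
    -Name allowUnlisted -Value $false

# Add the allow entries. Running this twice fails on the duplicate entry,
# which keeps the list free of repeated rules.
foreach ($entry in $allowed) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $filter `
        -Name '.' -Value ($entry + @{ allowed = 'true' })
}

# Show the resulting rule set for review.
(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $filter -Name '.').Collection |
    Select-Object ipAddress, subnetMask, allowed
```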
Do use HTTPS
We strongly recommend using server-based certificates to enforce HTTPS and protect the privacy and integrity of data sent between the Web Client and the client Browser.
Internet Information Services (IIS) Server Certificate Installation Instructions
Nodinite Web Client, Log API, and Web API all support HTTPS. While HTTPS adds some performance overhead, it is essential for security. You can further secure your environment by isolating IIS applications in different sites and limiting protocol/binding exposure.
- Ensure the IIS server hosting the Web Client has a static IP address (dynamic assignment requires a dynamic DNS solution)
- Create a DNS record pointing to the Windows Server with the Web Client
- Create a valid certificate (avoid SHA1-based certificates; see here)
  - Use existing company policies
  - Issue and manage a free certificate, e.g., Let's Encrypt or Certify SSL for IIS.
- Install a valid certificate on IIS
- Redirect incoming calls as needed:
Local development
On your local IIS Development environment, you can use a self-signed certificate.
Note
These need to be updated periodically.
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
Make sure to put this cert in the Trusted Root Certification Authorities store (local computer). This self-signed cert is operational if the hostname is localhost.
Redirect traffic from HTTP to HTTPS
Here you will find a web.config example that redirects inbound HTTP calls to HTTPS and, if the user accesses the root folder or any other folder, redirects the user to the Web Client.
The web.config file must be placed in the root of the Nodinite installation folder, by default: C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\. The subfolders should contain the LogAPI, WebAPI, and WebClient folders.
Note
The redirect requires the following IIS plugin: URL Rewrite Module 2.1 (download the x86 or x64 version as needed).
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- HTTP requests for this host whose path does not start with "logapi"
             are redirected to the same path over HTTPS. -->
        <rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
          <match url="^((?!logapi).*)$" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
        <!-- HTTPS requests for any path other than webclient, logapi or webapi
             (including the root) are redirected to the Web Client. -->
        <rule name="Redirect to Web Client" stopProcessing="true">
          <match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
          <conditions>
            <add input="{HTTPS}" pattern="^ON$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering>
        <hiddenSegments>
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Note
Remember to change demo.nodinite.com to your DNS name. Adjust the path to /WebClient/ if it is located in a virtual directory, e.g., nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient).
Note
If your IIS does not allow the HTTP protocol, additional configuration of web.config files may be required.
HTTPS using a DNS Name with Redirection of the Web Client
If you host your IIS server in the cloud (such as Azure, AWS, or another provider), or if your server is domain-joined or in a workgroup, you should follow these steps to ensure secure access to your Nodinite Web Client. This process will help you enforce HTTPS, use a DNS name, and redirect users to the correct application entry point. Carefully follow each step to avoid configuration issues and maximize security.
Step 1: Prepare the Folder Structure
Create a dedicated folder for your DNS domain name. This folder will serve as the root for your new IIS website. For example:
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com%
This structure keeps your environments organized and makes it easier to manage multiple instances.
Step 2: Create a New IIS Website
Set up a new website in IIS for your DNS domain:
Site Name: Enter your DNS name, e.g., nodinite.yourdomain.com
Application Pool: Select or create an app pool named after your DNS name
Physical Path: Point to the folder you created in Step 1
Bindings:
- Set the type to HTTPS
- Use port 443 (the default for HTTPS)
- Enter your DNS name (must match your SSL certificate)
- Select the correct SSL certificate for your domain
Step 3: Configure Authentication
To ensure secure access, enable only the following authentication methods for your new site:
ASP.NET Impersonation
Windows Authentication
Step 4: Add the WebClient Application
Within your new website, add a new Application named WebClient:
- Application Pool: Assign the same pool as the Web Client
- Physical Path: Set to the existing Web Client folder, e.g., C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
- Authentication: Use the same settings as in Step 3
This ensures the Web Client runs in a secure, isolated context.
Step 5: Redirect Users to the WebClient Application
To provide a seamless user experience, set up a redirect so that anyone visiting your root site is automatically sent to the Web Client application:
- In the folder from Step 1, create a file named index.html or default.html.
- Add the following content, replacing the URL with your actual Web Client address:
<!DOCTYPE HTML>
<html lang="en-US">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
    <script type="text/javascript">
      window.location.href = "https://nodinite.yourdomain.com/webclient/"
    </script>
    <title>Page Redirection</title>
  </head>
  <body>
    If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to an example</a>.
  </body>
</html>
This redirect ensures users always land on the correct application entry point, even if they access the root of your DNS site.
Step 6: Test Your Configuration
From a client browser (not the server itself), navigate to https://nodinite.yourdomain.com. You should be redirected to the Web Client application. If your Windows Server is domain-joined and your user is registered in Nodinite, you will be logged in automatically. Otherwise, you will see a login prompt.
Tip
Repeat these steps for each environment if you host multiple Nodinite instances on the same IIS server. Consistent configuration across environments helps prevent access and security issues.
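A read-only check of the settings from Steps 2 to 4, useful when the same procedure is repeated for several environments. This is an added example, not part of the original Nodinite documentation. The function name `Test-NodiniteSiteHardening` is hypothetical, and the site name is the page's example DNS name.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Test-NodiniteSiteHardening {
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # IIS site name = DNS name (Step 2)
        [string] $AppName = 'WebClient'              # application added in Step 4
    )
    $findings = @()

    # Step 2: the site should expose HTTPS only, bound to the DNS name with a certificate.
    foreach ($b in Get-WebBinding -Name $SiteName) {
        $hostHeader = ($b.bindingInformation -split ':')[-1]
        if ($b.protocol -ne 'https') {
            $findings += "Binding '$($b.protocol) $($b.bindingInformation)' is not HTTPS"
        } elseif (-not $b.certificateHash) {
            $findings += "HTTPS binding '$($b.bindingInformation)' has no certificate"
        } elseif ($hostHeader -ne $SiteName) {
            $findings += "HTTPS binding host header '$hostHeader' differs from '$SiteName'"
        }
    }

    # Steps 3 and 4: the site and the application should both allow only
    # ASP.NET Impersonation and Windows Authentication (effective configuration).
    $auth = 'system.webServer/security/authentication'
    foreach ($path in $SiteName, "$SiteName/$AppName") {
        $psPath = "MACHINE/WEBROOT/APPHOST/$path"
        $anon = (Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter "$auth/anonymousAuthentication" -Name enabled).Value
        $win  = (Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter "$auth/windowsAuthentication" -Name enabled).Value
        $imp  = (Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter 'system.web/identity' -Name impersonate).Value
        if ($anon)     { $findings += "${path}: Anonymous Authentication is enabled" }
        if (-not $win) { $findings += "${path}: Windows Authentication is disabled" }
        if (-not $imp) { $findings += "${path}: ASP.NET Impersonation is disabled" }
    }
    return $findings
}

# Usage with the page's example DNS name; an empty result means no deviations were found.
$result = Test-NodiniteSiteHardening -SiteName 'nodinite.yourdomain.com'
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No deviations found.' }
```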