
Secure Your Nodinite Installation with HTTPS/TLS

Protect your Nodinite installation with industry-standard HTTPS/TLS encryption. This guide provides clear, version-specific instructions to ensure your environment meets security and compliance requirements.

Understanding the HTTPS Architecture

When you enable HTTPS for Nodinite, several components work together to provide secure communication:

  1. User Browser → DNS Server: Resolve DNS
  2. DNS Server → User Browser: Return IP
  3. User Browser → Firewall: HTTPS Request (Port 443)
  4. Firewall → IIS Web Server: Forward
  5. IIS Web Server → SSL Certificate: Retrieve Cert
  6. SSL Certificate → IIS Web Server: Certificate (matches DNS)
  7. IIS Web Server → User Browser: TLS Handshake
  8. User Browser → IIS Web Server: Encrypted Request
  9. IIS Web Server → Authentication (Windows AD or OAuth): Authenticate
  10. Authentication → IIS Web Server: User Identity
  11. IIS Web Server → Nodinite Services: Process Request
  12. Nodinite Services → IIS Web Server: Response Data
  13. IIS Web Server → User Browser: Encrypted Response

Diagram: HTTPS communication flow between user, DNS, firewall, IIS, certificate, authentication, and Nodinite services.

Key Components Explained

Component | Role | Requirements
DNS Server | Resolves hostname to IP address | DNS A record: nodinite.yourdomain.com → 192.168.1.100
SSL/TLS Certificate | Proves server identity, encrypts traffic | Must match DNS name (e.g., CN=nodinite.yourdomain.com)
Firewall | Controls network access | Allow inbound port 443 (HTTPS)
IIS Web Server | Hosts Nodinite applications | Certificate installed, HTTPS binding configured
Authentication | Verifies user identity | Windows Authentication (Active Directory) or OAuth 2.0/OIDC (Identity Provider)
Nodinite Services | Process requests securely | Web Client, Web API, Log API, Logging Service, Monitoring Service

Important

The DNS name users type in their browser (e.g., nodinite.yourdomain.com) must exactly match the Common Name (CN) or Subject Alternative Name (SAN) on your SSL certificate. Mismatches cause browser security warnings.

Understanding the Difference: v7 vs v6

The approach to security has fundamentally changed between versions:

Aspect | Nodinite v7 | Nodinite v6
When to Configure HTTPS | Before installation - Configure in Portal during setup | After installation - Manual IIS configuration required
Configuration Method | Automated through Portal Environment setup | Manual web.config and IIS configuration
OAuth 2.0 / OIDC Support | ✅ Supported (requires HTTPS) | ❌ Not supported
Certificate Management | Simplified - Configure once in Portal | Manual - Configure per service
Recommendation | Configure HTTPS from day one | Enable HTTPS as soon as possible

Important

You should configure HTTPS/TLS BEFORE running the installation script. This is configured in the Nodinite Portal when registering your Environment.

If you didn't enable HTTPS during installation, follow the Nodinite v6 hardening steps to enable it now.

What You Need Before Starting

Before configuring HTTPS for Nodinite, ensure you have:

Certificate Requirements

  • Valid SSL/TLS certificate from a trusted Certificate Authority (CA)
    • For production: Commercial CA (DigiCert, Let's Encrypt, etc.)
    • For development: Self-signed certificate (see development certificates)
  • Certificate includes private key - Required for IIS binding
  • Certificate matches your DNS name - Subject Alternative Name (SAN) or wildcard
  • Avoid SHA-1 certificates - Use SHA-256 or higher (see Microsoft guidance)

Infrastructure Requirements

  • Static IP address or DNS name for your IIS server
  • Firewall rules allowing HTTPS traffic (port 443)
  • Administrative access to IIS server and Nodinite Portal (v7)
  • DNS record pointing to your Nodinite server

Common Certificate Sources

Option 1: Internal PKI (Most Common)
Use your organization's existing certificate infrastructure (Active Directory Certificate Services, internal PKI).

Option 2: Commercial Certificate Authority
Purchase from vendors like DigiCert, Sectigo, or GlobalSign.

Option 3: Free Certificates

Option 4: Development Only
Self-signed certificates (see development certificates)

Nodinite v7: Configure HTTPS Before Installation

The Modern Approach: With Nodinite v7, you configure HTTPS during environment registration in the Nodinite Portal. The installation script then applies these settings automatically.

Why Configure HTTPS Before Installation?

  • Automated configuration - No manual web.config edits needed
  • OAuth 2.0 / OIDC support - Required for modern authentication
  • Consistent security - All services configured identically
  • No reconfiguration - Avoid uninstalling/reinstalling later
  • Immediate compliance - Production-ready from day one

Step-by-Step: Enable HTTPS in Nodinite v7

Step 1: Obtain and Install Your Certificate

Before configuring Nodinite, install your SSL/TLS certificate in IIS:

  1. Obtain certificate (see Certificate Requirements above)
  2. Install certificate in IIS:
    • Open IIS Manager
    • Select your server node
    • Double-click "Server Certificates"
    • Click "Import" (if you have a .pfx file) or "Complete Certificate Request"
  3. Note the certificate thumbprint (you'll need this for the Portal)

See Microsoft IIS Certificate Installation Guide
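
Before copying the thumbprint into the Portal, you can confirm that the installed certificate meets the Certificate Requirements above (private key present, DNS name covered, not SHA-1, within its validity period). The following is an added example, not part of the Nodinite installation package; the function name `Test-NodiniteCertificate` and its output fields are illustrative, and it assumes the certificate is in `Cert:\LocalMachine\My`.

```powershell
# Added example: pre-flight check of a certificate in Cert:\LocalMachine\My.
# Function name and output fields are illustrative, not part of Nodinite.
function Test-NodiniteCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $HostName
    )

    # Thumbprints copied from a GUI often carry spaces or invisible characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

    # DnsNameList is the same property the certificate script on this page displays.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatch = $false
    foreach ($name in $names) {
        if ($name -eq $HostName) { $nameMatch = $true; break }
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.yourdomain.com matches
            # nodinite.yourdomain.com but not a.b.yourdomain.com.
            $suffix = $name.Substring(1)
            $prefixLength = $HostName.Length - $suffix.Length
            if ($prefixLength -gt 0 -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                -not $HostName.Substring(0, $prefixLength).Contains('.')) {
                $nameMatch = $true; break
            }
        }
    }

    $now = Get-Date
    $algorithm = $cert.SignatureAlgorithm.FriendlyName   # for example sha256RSA
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        DnsNames       = $names -join ', '
        MatchesHost    = $nameMatch
        HasPrivateKey  = $cert.HasPrivateKey
        SignatureAlg   = $algorithm
        NotSha1        = $algorithm -notmatch 'sha1'
        WithinValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    }
}

# Placeholder values: substitute your own thumbprint and DNS name.
# Test-NodiniteCertificate -Thumbprint '<thumbprint from Step 1>' -HostName 'nodinite.yourdomain.com'
```

Every boolean field in the result should be True before you continue to Step 2.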

Step 2: Create DNS Record

Create a DNS A record pointing to your Nodinite server:

nodinite.yourdomain.com  →  192.168.1.100

Step 3: Configure HTTPS in Nodinite Portal

  1. Log in to the Nodinite Portal
  2. Navigate to your Customer → Environments
  3. Click "Add Environment" or edit existing environment
  4. Navigate to the TLS tab
  5. Configure the following settings:

     Setting | Value | Description
     Host / Domain | nodinite.yourdomain.com | Your DNS name (must match certificate)
     Certificate Thumbprint | 9b27c9d1939b821bb... | Required - Thumbprint from Step 1 for IIS binding

TLS Tab - Hardening with HTTPS
Example of the TLS tab configuration in Nodinite Portal.

Important

If you plan to use OAuth 2.0 / OIDC authentication, you MUST enable TLS. See Install Nodinite v7 - OpenID for details.

Step 4: Complete Environment Setup and Install

  1. Complete the remaining environment configuration tabs (Database, Authentication, Agents)
  2. Save your environment configuration
  3. Download the installation package
  4. Run the PowerShell installation script

The script will automatically configure all Nodinite services with HTTPS bindings on port 443.

Step 5: Verify HTTPS is Working

After installation completes:

  1. Open browser and navigate to https://nodinite.yourdomain.com
  2. Verify the padlock icon appears in the address bar
  3. Check that HTTP redirects to HTTPS (try http://nodinite.yourdomain.com)
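
The same three checks can be scripted from a client machine, which also confirms that IIS serves the certificate whose thumbprint you entered in the Portal. This is an added example, not part of the Nodinite installation package; the function name `Test-NodiniteHttps` and its output fields are illustrative, and it assumes Windows PowerShell 5.1 or later with network access to ports 80 and 443.

```powershell
# Added example: post-install check, run from a client machine.
# Function name and output fields are illustrative, not part of Nodinite.
function Test-NodiniteHttps {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    # 1. Read the certificate IIS serves on port 443. The callback records the
    #    validation result instead of enforcing it, so an untrusted or mismatched
    #    certificate is reported rather than aborting the check.
    $state = @{ PolicyErrors = $null }
    $callback = { param($s, $certificate, $chain, $errors)
        $state.PolicyErrors = $errors; $true }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)   # sends the host name as SNI
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    }
    finally { $tcp.Close() }

    # 2. Request the site over plain HTTP without following redirects.
    $status = $null; $location = $null
    try {
        $request = [System.Net.WebRequest]::Create("http://$HostName/")
        $request.AllowAutoRedirect = $false
        $request.Timeout = 10000
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    }
    catch { }   # port 80 closed or an error status: reported below as no redirect

    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        ServedThumbprint  = $served.Thumbprint
        ThumbprintMatches = $served.Thumbprint -eq $expected
        ValidationErrors  = $state.PolicyErrors   # None = chain trusted and name matches
        Protocol          = $protocol
        HttpStatus        = $status
        HttpLocation      = $location
        RedirectsToHttps  = ($status -in 301, 302, 303, 307, 308) -and ("$location" -like 'https://*')
    }
}

# Placeholder values: substitute your own DNS name and thumbprint.
# Test-NodiniteHttps -HostName 'nodinite.yourdomain.com' -ExpectedThumbprint '<thumbprint from Step 1>'
```

A `ValidationErrors` value other than `None` corresponds to the browser warning described earlier: the certificate chain is not trusted or the name does not match.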

Nodinite v6: Enable HTTPS Post-Installation

For Existing Installations: If you installed Nodinite v6 without HTTPS (because you "cheated in the past"), you can enable it now. This requires manual IIS configuration.

Warning

We strongly recommend upgrading to Nodinite v7 for simplified HTTPS configuration and modern authentication support. See Updating from v6 to v7.

Prerequisites for v6 HTTPS

Before starting, ensure you have:

  • ✅ Valid SSL/TLS certificate installed in IIS (see Certificate Requirements)
  • ✅ DNS record pointing to your server
  • ✅ URL Rewrite Module 2.1 installed on IIS
  • ✅ Administrative access to IIS server
  • ✅ Backup of your current configuration

Step-by-Step: Enable HTTPS in Nodinite v6

The process involves configuring IIS bindings and adding HTTP-to-HTTPS redirection.

Option A: Simple HTTPS Setup (Shared Port)

This approach uses port 443 for all Nodinite services (Web Client, Web API, Log API).

  1. Add HTTPS Binding in IIS:

    • Open IIS Manager
    • Right-click "Default Web Site" → "Edit Bindings"
    • Click "Add" → Select "https"
    • Select your SSL certificate
    • Click "OK"
  2. Configure HTTP-to-HTTPS Redirect:

Follow the instructions in Redirect Traffic from HTTP to HTTPS below.

Option B: Advanced Setup (Separate Ports)

If you need different ports for different services:

  1. Configure Log API (Legacy v1-v6):

The Log API v1-v6 uses anonymous authentication and requires special configuration. See Restrict Users by IP Address.

  2. Configure Web API and Web Client:

Follow Option A for HTTPS binding and redirection.

Tip

If you have a DNS name hosted externally, see HTTPS Using DNS Name with Redirection for additional configuration.

Redirect Traffic from HTTP to HTTPS (v6 Only)

Note

If you run Nodinite v7, skip this section. When you configure TLS in the Nodinite Portal, the installation script automatically configures HTTPS bindings. HTTP-to-HTTPS redirection is handled automatically.

To automatically redirect HTTP requests to HTTPS in Nodinite v6, configure URL rewriting in your web.config.

Prerequisites:

Configuration

Edit the web.config file in the root of your IIS site (usually C:\inetpub\wwwroot\web.config):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Rule 1: for the configured host, redirect every HTTP request to the same path over HTTPS, except paths that start with "logapi". -->
                <rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
                    <match url="^((?!logapi).*)$" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                        <add input="{HTTP_HOST}" pattern="nodinite.yourdomain.com" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
                </rule>
                <!-- Rule 2: evaluated only when rule 1 did not match; sends HTTP requests whose path contains none of webclient, logapi or webapi to the Web Client. -->
                <rule name="Redirect to Web Client" stopProcessing="true">
                    <match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering>
                <hiddenSegments>
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Important

Replace nodinite.yourdomain.com with your actual DNS name. If your Web Client is in a virtual directory (e.g., /nodinite-test/WebClient), adjust the redirect paths accordingly.

Note

If your IIS does not allow the HTTP protocol, additional web.config configuration may be required.

Development Certificates for Testing

This section applies to both Nodinite v7 and v6.

For development or testing environments, you can generate a self-signed certificate.

Warning

Self-Signed Certificates are for Development Only! Do not use in production. Browsers will show security warnings, and clients will not trust the certificate.

Generate Self-Signed Certificate (PowerShell)

Simple Example (Minimal):

# Localhost certificate (minimal configuration)
New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddYears(2)

Production-Quality Development Certificate (Recommended):

# Configure your DNS name(s)
$dnsNames = @("nodinite.dev.local", "nodinite")

# Create certificate with security best practices
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -Subject "CN=$($dnsNames[0])" `
    -FriendlyName "Dev Local SSL ($($dnsNames[0]))" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Display certificate details
$cert | Format-List Subject, DnsNameList, Thumbprint, NotAfter

# Export certificate for backup and trust
New-Item -ItemType Directory -Force -Path C:\certs | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt "Enter PFX password (for backup)"
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).pfx" -Password $pfxPassword | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).cer" | Out-Null
Import-Certificate -FilePath "C:\certs\$($dnsNames[0]).cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

Write-Host "Certificate created successfully!" -ForegroundColor Green
Write-Host "Thumbprint: $($cert.Thumbprint)" -ForegroundColor Cyan
Write-Host "Files created in C:\certs\" -ForegroundColor Yellow

What This Script Does:

  1. Creates certificate with SHA-256 (secure), 2048-bit RSA key
  2. Sets Subject Alternative Names (SANs) - Certificate valid for all specified DNS names
  3. Exports to .pfx format - Includes private key, password-protected (for backup/migration)
  4. Exports to .cer format - Public certificate only (for distribution to clients)
  5. Automatically trusts certificate - Imports .cer to Trusted Root Certification Authorities
  6. Displays thumbprint - Copy this for IIS binding and Portal configuration

After generating, note the thumbprint from the output. The certificate is created in the Personal store (cert:\LocalMachine\My) and automatically copied to Trusted Root Certification Authorities (cert:\LocalMachine\Root).

Important

The certificate must be present in two certificate stores:

  1. Personal Store (cert:\LocalMachine\My) - Used by IIS for the HTTPS binding (requires private key)
  2. Trusted Root Certification Authorities (cert:\LocalMachine\Root) - Same certificate copied here so browsers trust it

The recommended PowerShell script above automatically handles both locations. If you used the minimal example, follow the manual trust steps below.

Trust the Self-Signed Certificate (Manual Method)

If you used the minimal certificate example (not the recommended script), manually copy the certificate to Trusted Root:

Option 1: Using PowerShell

# Get the certificate thumbprint (from script output or find it)
$certificateThumbprint = "YOUR_CERTIFICATE_THUMBPRINT_HERE"

# Get certificate from Personal store
$certificate = Get-ChildItem -Path "Cert:\LocalMachine\My\$certificateThumbprint"

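# Export to file (create the target folder first if it does not exist)
New-Item -ItemType Directory -Force -Path "C:\Temp" | Out-Null
Export-Certificate -Cert $certificate -FilePath "C:\Temp\nodinite-dev.cer"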

# Import to Trusted Root Certification Authorities
Import-Certificate -FilePath "C:\Temp\nodinite-dev.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root"

Option 2: Using Certificate Manager (GUI)

  1. Press Win+R, type certlm.msc, press Enter
  2. Navigate to Personal → Certificates
  3. Find your certificate (e.g., CN=nodinite.dev.local)
  4. Right-click → Copy
  5. Navigate to Trusted Root Certification Authorities → Certificates
  6. Right-click in the right pane → Paste

Tip

Why copy to Trusted Root? Self-signed certificates act as their own Certificate Authority. Browsers check the Trusted Root store to determine if they should trust a certificate. Without this step, browsers will show "Your connection is not private" warnings.

The .pfx file contains your private key (password-protected). Store it securely - you'll need it if you rebuild your server or move the certificate to another machine.

HTTPS Using DNS Name with Redirection (v6 Only)


Note

If you run Nodinite v7, skip this section. Configure your DNS name in the Nodinite Portal TLS tab, and the installation handles site creation automatically.

If you host your IIS server in the cloud (Azure, AWS) or need to use a DNS name with redirection in Nodinite v6, follow these steps.

Step 1: Prepare the Folder Structure

Create a dedicated folder for your DNS domain:

C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\nodinite.yourdomain.com

Step 2: Create a New IIS Website

  1. Open IIS Manager
  2. Right-click "Sites" → "Add Website"
  3. Configure:
    • Site Name: nodinite.yourdomain.com
    • Application Pool: Create new pool with same name
    • Physical Path: Point to folder from Step 1
    • Binding Type: HTTPS
    • Port: 443
    • Host Name: nodinite.yourdomain.com (must match SSL certificate)
    • SSL Certificate: Select your certificate

IIS Bindings
IIS Bindings for HTTPS and DNS configuration

Step 3: Configure Authentication

Enable only these authentication methods:

  • ASP.NET Impersonation
  • Windows Authentication

Authentication
Authentication settings for Nodinite Web Client

Step 4: Add the WebClient Application

  1. Right-click your new site → "Add Application"
  2. Configure:
    • Alias: WebClient
    • Application Pool: Same as Web Client application pool
    • Physical Path: C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
    • Authentication: Same as Step 3

Step 5: Redirect Users to WebClient Application

Create index.html in the folder from Step 1:

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
        <script type="text/javascript">
            window.location.href = "https://nodinite.yourdomain.com/webclient/"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to the Web Client</a>.
    </body>
</html>

Step 6: Test Your Configuration

From a client browser (not the server), navigate to https://nodinite.yourdomain.com. You should be redirected to the Web Client application.

Tip

Repeat these steps for each environment if you host multiple Nodinite instances on the same IIS server.

Restrict Users by IP Address (v6 Only)

Note

The new Log API in v7 supports proper authentication. Configure authentication in the Nodinite Portal instead of using IP restrictions.

Warning

Log API v1-v6 uses anonymous authentication, which can be a security risk. You can restrict access by IP address. Nodinite version 7 can still be configured with anonymous Log API, but it is recommended to upgrade to the new Log API with proper authentication. The latter requires reconfiguration of Log Agents to use authenticated access.

Option 1: IIS IP Address and Domain Restrictions

  1. Open IIS Manager
  2. Select your site → Double-click "IP Address and Domain Restrictions"
  3. Click "Add Allow Entry" or "Add Deny Entry" in the Actions pane
  4. Configure allowed/denied IP ranges

Option 2: Windows Firewall Rules

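# Allow a specific IP range to reach port 443.
# Allow rules are additive: this only restricts access if no broader inbound
# allow rule for port 443 is enabled on the server.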
New-NetFirewallRule -DisplayName "Nodinite HTTPS - Allowed IPs" `
    -Direction Inbound -LocalPort 443 -Protocol TCP `
    -Action Allow -RemoteAddress 192.168.1.0/24

Note

Version 7 introduces a new Log API with proper authentication, eliminating the need for IP restrictions. Consider upgrading for better security.

Next Step

Install Nodinite