- 6 minutes to read

How to perform hardening on your Nodinite installation

Important

Ensure you are running safe, use a certificate to enable the use of the HTTPS protocol.

graph LR subgraph "Consumers" roBrowser[fab:fa-chrome Chrome
fab:fa-firefox Firefox
fab:fa-edge Edge
fab:fa-safari Safari] end subgraph "Web Server" roWebClient(fal:fa-globe Web Client) --- |443| roWebAPI(fal:fa-cloud-sun Web API) roLA(fal:fa-cloud-download Log API) roBrowser --- | 443|roWebClient roBrowser -.- | 80|roWebClient roBrowser --- | 443|roLA roBrowser -.- | 80|roLA end

Restrict Users by IP Address

The Nodinite Log API (Versions 1-6) does not make use of an authentication scheme (Anonymous is allowed). Hence, you may need to apply TCP/IP restrictions (e.g. add firewall rules) to limit what clients can make access. Microsoft has a detailed instruction for configuring your IIS to restrict by IP Address; please review the following user guide IIS 8.0 Dynamic IP Address Restrictions

Do use HTTPS

We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Web Client and the client Browser.

Internet Information Services (IIS) Server Certificate Installation Instructions

The Nodinite Web Client, Log API and Web API all support HTTPS. There is some performance overhead using HTTPS; You need to decide if the Web Client and the Web API also need to be secured. One way to address this concern is to only allow local calls to the Web API and the Log API, isolating the various IIS Applications in different IIS Sites (with potentially different enabled protocols and bindings).

  1. Make sure the IIS server hosting the Web Client has a static IP address (dynamic assignment of IP addresses requires a dynamic DNS solution)
  2. Create a DNS record pointing to the Windows Server with the Web Client
  3. Create a valid certificate (Note: SHA1-based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example, using Let's Encrypt, an easy way to use Certify SSL Manager that supports IIS.
  4. Install a valid certificate on the IIS
  5. Make sure to redirect incoming calls (multiple solutions exist to accomplish this task)
    1. Redirect traffic from HTTP to HTTPS
    2. HTTPS using a DNS name with redirection of the Web Client

Local development

On your local IIS Development environment, you can opt to use a self-signed cert.

Note

These need to be updated now and then.

New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

Make sure to put this cert in the Trusted Root Certification Authorities store as well (local computer).

This self-signed cert is operational if the hostname is localhost.

Redirect traffic from HTTP to HTTPS

Here you will find a web.config example, redirecting the inbound HTTP calls to HTTPS, and also, if the user is accessing the root folder, or any other folder the user is redirected to the Web Client

The web.config file must be placed in the root of the Nodinite installation folder, by default: C:\Program Files\Nodinite\ENVIRONMENT\Nodinite Core Services\. The subfolders should contain the LogAPI, WebAPI and WebClient folders.

Note

The redirect requires the following IIS plugin: URL Rewrite Module 2.1 scroll down to Download URL Rewrite Module 2.1 and download the x86 or x64 version.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
					<match url="^((?!logapi).*)$" />
					<conditions>
						<add input="{HTTPS}" pattern="^OFF$" />
						<add input="{HTTP_HOST}" pattern="demo.nodinite.com" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
				</rule>
				<rule name="Redirect to Web Client" stopProcessing="true">
					<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
					<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
					<conditions>
						<add input="{HTTPS}" pattern="^ON$" />
					</conditions>
				</rule>                  
			</rules>
		</rewrite>
		<security>
			<requestFiltering>
				<hiddenSegments>

				</hiddenSegments>
			</requestFiltering>
		</security>
	</system.webServer>
</configuration>

Note

Remember to change the demo.nodinite.com to your DNS name. And the path to the /WebClient/ if located in an virtual directory for example, like nodinite-test (http://demo.nodinite.com/nodinite-test/WebClient)

Note

If your IIS does not allow the HTTP protocol additional configuration of web.config files may be required

HTTPS using a DNS name with redirection of the Web Client

This documentation is very helpful if your IIS is hosted by a virtual machine in the cloud (Azure/AWS/...) (workgroup or domain joined)

  1. Create a new folder for your DNS domain name, for example, C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\%nodinite.yourdomain.com%

  2. Create a new website

    1. Enter the site name, in this example nodinite.yourdomain.com
    2. Select the default app pool
    3. Set the physical path to the path you provided in the first step (#1)
    4. From within the Bindings panel, set the type to HTTPS
    5. Change the port (if it is not already set to use 443)
    6. Change the domain name to the name you are using as the DNS name, and most probably also named in your certificate, in this example nodinite.yourdomain.com
    7. Select the appropriate certificate
      IIS Bindings
  3. Set the Authentication settings (enable the following two, all others must be set to disable)

    1. ASP.NET Impersonation
    2. Windows Authentication
      Authentication
  4. Create a new Web Application and call it WebClient

    1. Change the Application pool to use the existing application pool for the Web Client
    2. Set the path to the existing folder for the Web Client, for example, C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
    3. Set the same Authentication settings as in step 3.
  5. Redirect traffic from the new site to the WebClient application by creating a new file called index.html or default.html

    • Add the content below.
      • Replace https://nodinite.yourdomain.com/webclient/ as appropriate to your setup
      • This file must be placed in the folder in the first step (#1).
<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
        <script type="text/javascript">
            window.location.href = "https://nodinite.yourdomain.com/webclient/"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
        If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to an example</a>.
    </body>
</html>
  1. Perform a test by navigating to https://nodinite.yourdomain.com. This test should not be performed locally; but from a client browser on for example your laptop/device/desktop computer.

Note

If your Windows Server is domain joined, and the User is registered within the Nodinite instance, you should automatically get into the Nodinite Web Client's start page (Dashboard). Otherwise, a login prompt presents itself.

Tip

Repeat the steps above for each environment when co-hosting multiple instances of Nodinite on the same IIS server.


Next Step

Install Nodinite