Secure Your Nodinite Installation with HTTPS/TLS
Protect your Nodinite installation with industry-standard HTTPS/TLS encryption. This guide provides clear, version-specific instructions to ensure your environment meets security and compliance requirements.
Understanding the HTTPS Architecture
When you enable HTTPS for Nodinite, several components work together to provide secure communication:
1. User → DNS: Resolve DNS
2. DNS → User: Return IP
3. User → Firewall: HTTPS request (port 443)
4. Firewall → IIS: Forward
5. IIS → Certificate: Retrieve certificate
6. Certificate → IIS: Certificate (matches DNS)
7. IIS → User: TLS handshake
8. User → IIS: Encrypted request
9. IIS → Authentication (Windows AD or OAuth): Authenticate
10. Authentication → IIS: User identity
11. IIS → Nodinite Services: Process request
12. Nodinite Services → IIS: Response data
13. IIS → User: Encrypted response
Diagram: HTTPS communication flow between user, DNS, firewall, IIS, certificate, authentication, and Nodinite services.
Key Components Explained
| Component | Role | Requirements |
|---|---|---|
| DNS Server | Resolves hostname to IP address | DNS A record: nodinite.yourdomain.com → 192.168.1.100 |
| SSL/TLS Certificate | Proves server identity, encrypts traffic | Must match DNS name (e.g., CN=nodinite.yourdomain.com) |
| Firewall | Controls network access | Allow inbound port 443 (HTTPS) |
| IIS Web Server | Hosts Nodinite applications | Certificate installed, HTTPS binding configured |
| Authentication | Verifies user identity | Windows Authentication (Active Directory) or OAuth 2.0/OIDC (Identity Provider) |
| Nodinite Services | Process requests securely | Web Client, Web API, Log API, Logging Service, Monitoring Service |
Important
DNS Name MUST Match Certificate: The DNS name users type in their browser (e.g., nodinite.yourdomain.com) must exactly match the Common Name (CN) or Subject Alternative Name (SAN) on your SSL certificate. Mismatches cause browser security warnings.
Understanding the Difference: v7 vs v6
The approach to security has fundamentally changed between versions:
| Aspect | Nodinite v7 | Nodinite v6 |
|---|---|---|
| When to Configure HTTPS | Before installation - Configure in Portal during setup | After installation - Manual IIS configuration required |
| Configuration Method | Automated through Portal Environment setup | Manual web.config and IIS configuration |
| OAuth 2.0 / OIDC Support | ✅ Supported (requires HTTPS) | ❌ Not supported |
| Certificate Management | Simplified - Configure once in Portal | Manual - Configure per service |
| Recommendation | Configure HTTPS from day one | Enable HTTPS as soon as possible |
Important
Nodinite v7 Users: You should configure HTTPS/TLS BEFORE running the installation script. This is configured in the Nodinite Portal when registering your Environment.
Nodinite v6 Users: If you didn't enable HTTPS during installation, follow the Nodinite v6 hardening steps to enable it now.
What You Need Before Starting
Before configuring HTTPS for Nodinite, ensure you have:
Certificate Requirements
- ✅ Valid SSL/TLS certificate from a trusted Certificate Authority (CA)
  - For production: Commercial CA (DigiCert, Let's Encrypt, etc.)
  - For development: Self-signed certificate (see development certificates)
- ✅ Certificate includes private key - Required for IIS binding
- ✅ Certificate matches your DNS name - Subject Alternative Name (SAN) or wildcard
- ⚠️ Avoid SHA-1 certificates - Use SHA-256 or higher (see Microsoft guidance)
Infrastructure Requirements
- ✅ Static IP address or DNS name for your IIS server
- ✅ Firewall rules allowing HTTPS traffic (port 443)
- ✅ Administrative access to IIS server and Nodinite Portal (v7)
- ✅ DNS record pointing to your Nodinite server
Common Certificate Sources
Option 1: Internal PKI (Most Common)
Use your organization's existing certificate infrastructure (Active Directory Certificate Services, internal PKI).
Option 2: Commercial Certificate Authority
Purchase from vendors like DigiCert, Sectigo, or GlobalSign.
Option 3: Free Certificates
- Let's Encrypt - Free, automated, renewable
- Certify SSL - Let's Encrypt GUI for IIS
Option 4: Development Only
Self-signed certificates (see development certificates)
Nodinite v7: Configure HTTPS Before Installation
The Modern Approach: With Nodinite v7, you configure HTTPS during environment registration in the Nodinite Portal. The installation script then applies these settings automatically.
Why Configure HTTPS Before Installation?
- ✅ Automated configuration - No manual web.config edits needed
- ✅ OAuth 2.0 / OIDC support - Required for modern authentication
- ✅ Consistent security - All services configured identically
- ✅ No reconfiguration - Avoid uninstalling/reinstalling later
- ✅ Immediate compliance - Production-ready from day one
Step-by-Step: Enable HTTPS in Nodinite v7
Step 1: Obtain and Install Your Certificate
Before configuring Nodinite, install your SSL/TLS certificate in IIS:
- Obtain certificate (see Certificate Requirements above)
- Install certificate in IIS:
  - Open IIS Manager
  - Select your server node
  - Double-click "Server Certificates"
  - Click "Import" (if you have a .pfx file) or "Complete Certificate Request"
- Note the certificate thumbprint (you'll need this for the Portal)
See Microsoft IIS Certificate Installation Guide
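A pre-flight check for the certificate installed in this step, as an added example that is not part of the Nodinite documentation or tooling. It tests the requirements listed above (private key present, DNS name covered, no SHA-1 signature, within validity); the function name `Test-NodiniteCertificate` is hypothetical, and the thumbprint and host name are placeholders.

```powershell
# Added example: Test-NodiniteCertificate is a hypothetical helper, not a Nodinite or Windows cmdlet.
function Test-NodiniteCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $HostName
    )

    # Thumbprints copied from the certificate dialog often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Search every LocalMachine store (My, WebHosting, ...) for the certificate.
    $cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine" }

    # DnsNameList is the certificate provider's list of DNS names on the certificate.
    # A leading '*.' entry covers exactly one label to the left of the parent domain.
    $nameMatch = $false
    foreach ($name in $cert.DnsNameList.Unicode) {
        if ($name -eq $HostName) { $nameMatch = $true }
        elseif ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.'))   # e.g. ".yourdomain.com"
            if ($parent -eq $name.Substring(1)) { $nameMatch = $true }
        }
    }

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey      # required for the IIS binding
        NameMatches   = $nameMatch               # must cover the DNS name users type
        NotSha1       = $cert.SignatureAlgorithm.FriendlyName -notmatch 'sha1'
        InValidity    = ($cert.NotBefore -le $now) -and ($now -lt $cert.NotAfter)
        Thumbprint    = $cert.Thumbprint         # value to enter in the Portal
    }
}

# Replace both placeholders with the thumbprint noted in this step and your DNS name.
Test-NodiniteCertificate -Thumbprint 'YOUR_CERTIFICATE_THUMBPRINT_HERE' -HostName 'nodinite.yourdomain.com'
```

Every boolean in the result should be True before the thumbprint goes into the Portal.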
Step 2: Create DNS Record
Create a DNS A record pointing to your Nodinite server:
nodinite.yourdomain.com → 192.168.1.100
Step 3: Configure HTTPS in Nodinite Portal
- Log in to the Nodinite Portal
- Navigate to your Customer → Environments
- Click "Add Environment" or edit existing environment
- Navigate to the TLS tab
- Configure the following settings:
| Setting | Value | Description |
|---|---|---|
| Host / Domain | nodinite.yourdomain.com | Your DNS name (must match certificate) |
| Certificate Thumbprint | 9b27c9d1939b821bb... | Thumbprint from Step 1 (optional but recommended) |

Example of the TLS tab configuration in Nodinite Portal.
Important
OAuth 2.0 / OIDC requires HTTPS: If you plan to use OAuth 2.0 / OIDC authentication, you MUST enable TLS. See Install Nodinite v7 - OpenID for details.
Step 4: Complete Environment Setup and Install
- Complete the remaining environment configuration tabs (Database, Authentication, Agents)
- Save your environment configuration
- Download the installation package
- Run the PowerShell installation script
The script will automatically configure all Nodinite services with HTTPS bindings on port 443.
Step 5: Verify HTTPS is Working
After installation completes:
- Open browser and navigate to https://nodinite.yourdomain.com
- Verify the padlock icon appears in the address bar
- Check that HTTP redirects to HTTPS (try http://nodinite.yourdomain.com)
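The same checks can be scripted from a client machine. This is an added example, not part of the Nodinite installation script: it performs the TLS handshake on port 443 with default certificate validation, optionally compares the served thumbprint with the one from Step 1, and confirms that plain HTTP answers with a redirect to HTTPS. The function name `Test-NodiniteHttps` is hypothetical and the host name is the placeholder used in this guide.

```powershell
# Added example: run from a client machine. Test-NodiniteHttps is a hypothetical helper name.
function Test-NodiniteHttps {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $ExpectedThumbprint   # optional: the thumbprint entered in the Portal
    )

    # 1. TLS handshake on port 443. AuthenticateAsClient applies the default validation
    #    (trusted chain and name match), so a mismatched or untrusted certificate throws.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($HostName, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # 2. Plain HTTP should answer with a redirect to https://, not with content.
    $request = [System.Net.WebRequest]::Create("http://$HostName/")
    $request.AllowAutoRedirect = $false
    try { $response = $request.GetResponse() }
    catch {
        # Error statuses surface as WebException (possibly wrapped); no listener leaves $null.
        $web = @($_.Exception, $_.Exception.InnerException) |
            Where-Object { $_ -is [System.Net.WebException] } | Select-Object -First 1
        $response = $web.Response
    }
    $status   = if ($response) { [int]$response.StatusCode } else { 0 }
    $location = if ($response) { $response.Headers['Location'] } else { $null }
    if ($response) { $response.Close() }

    [pscustomobject]@{
        TlsProtocol       = $protocol
        ServedThumbprint  = $served.Thumbprint
        ThumbprintMatches = if ($ExpectedThumbprint) { $served.Thumbprint -eq $ExpectedThumbprint } else { $null }
        HttpStatus        = $status
        RedirectsToHttps  = ($status -ge 300 -and $status -lt 400 -and $location -like 'https://*')
    }
}

Test-NodiniteHttps -HostName 'nodinite.yourdomain.com'
```

An exception from the handshake step is the scripted equivalent of the browser warning described earlier: the served certificate is untrusted or does not match the DNS name.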
Nodinite v6: Enable HTTPS Post-Installation
For Existing Installations: If you installed Nodinite v6 without HTTPS (because you "cheated in the past"), you can enable it now. This requires manual IIS configuration.
Warning
Nodinite v6 is Legacy: We strongly recommend upgrading to Nodinite v7 for simplified HTTPS configuration and modern authentication support. See Updating from v6 to v7.
Prerequisites for v6 HTTPS
Before starting, ensure you have:
- ✅ Valid SSL/TLS certificate installed in IIS (see Certificate Requirements)
- ✅ DNS record pointing to your server
- ✅ URL Rewrite Module 2.1 installed on IIS
- ✅ Administrative access to IIS server
- ✅ Backup of your current configuration
Step-by-Step: Enable HTTPS in Nodinite v6
The process involves configuring IIS bindings and adding HTTP-to-HTTPS redirection.
Option A: Simple HTTPS Setup (Shared Port)
This approach uses port 443 for all Nodinite services (Web Client, Web API, Log API).
Add HTTPS Binding in IIS:
- Open IIS Manager
- Right-click "Default Web Site" → "Edit Bindings"
- Click "Add" → Select "https"
- Select your SSL certificate
- Click "OK"
Configure HTTP-to-HTTPS Redirect:
Follow the instructions in Redirect Traffic from HTTP to HTTPS below.
Option B: Advanced Setup (Separate Ports)
If you need different ports for different services:
- Configure Log API (Legacy v1-v6): The Log API v1-v6 uses anonymous authentication and requires special configuration. See Restrict Users by IP Address.
- Configure Web API and Web Client: Follow Option A for HTTPS binding and redirection.
Tip
For Cloud/Domain Hosting: If you have a DNS name hosted externally, see HTTPS Using DNS Name with Redirection for additional configuration.
Shared Configuration Sections
These sections apply to both Nodinite v7 and v6.
Development Certificates for Testing
For development or testing environments, you can generate a self-signed certificate.
Warning
Self-Signed Certificates are for Development Only! Do not use in production. Browsers will show security warnings, and clients will not trust the certificate.
Generate Self-Signed Certificate (PowerShell)
```powershell
# New-SelfSignedCertificate can only create certificates in the Personal ("My") store.

# Simple localhost certificate
New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddYears(2)

# Certificate with custom DNS name
New-SelfSignedCertificate `
    -DnsName "nodinite.dev.local", "nodinite" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddYears(2)
```
After generating, note the thumbprint and bind it to your site in IIS.
Trust the Certificate (Windows)
```powershell
# Get the certificate thumbprint
$certificateThumbprint = "YOUR_CERTIFICATE_THUMBPRINT_HERE"

# Export the public certificate from the Personal store
$certificate = Get-ChildItem -Path "Cert:\LocalMachine\My\$certificateThumbprint"
Export-Certificate -Cert $certificate -FilePath "C:\Temp\nodinite-dev.cer"

# Import to Trusted Root
Import-Certificate -FilePath "C:\Temp\nodinite-dev.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root"
```
Redirect Traffic from HTTP to HTTPS
To automatically redirect HTTP requests to HTTPS, configure URL rewriting in your web.config.
Prerequisites:
- URL Rewrite Module 2.1 installed on IIS
Configuration
Edit the web.config file in the root of your IIS site (usually C:\inetpub\wwwroot\web.config):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Plain-HTTP requests for this host are redirected to HTTPS, except paths starting with logapi -->
        <rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
          <match url="^((?!logapi).*)$" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{HTTP_HOST}" pattern="nodinite.yourdomain.com" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
        <!-- Plain-HTTP requests whose path does not contain webclient, logapi or webapi go to the Web Client -->
        <rule name="Redirect to Web Client" stopProcessing="true">
          <match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering>
        <hiddenSegments>
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```
Important
Replace nodinite.yourdomain.com with your actual DNS name. If your Web Client is in a virtual directory (e.g., /nodinite-test/WebClient), adjust the redirect paths accordingly.
Note
IIS Protocol Restrictions: If your IIS does not allow the HTTP protocol, additional web.config configuration may be required.
HTTPS Using DNS Name with Redirection
If you host your IIS server in the cloud (Azure, AWS) or need to use a DNS name with redirection, follow these steps.
Step 1: Prepare the Folder Structure
Create a dedicated folder for your DNS domain:
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\nodinite.yourdomain.com
Step 2: Create a New IIS Website
- Open IIS Manager
- Right-click "Sites" → "Add Website"
- Configure:
  - Site Name: nodinite.yourdomain.com
  - Application Pool: Create new pool with same name
  - Physical Path: Point to folder from Step 1
  - Binding Type: HTTPS
  - Port: 443
  - Host Name: nodinite.yourdomain.com (must match SSL certificate)
  - SSL Certificate: Select your certificate

IIS Bindings for HTTPS and DNS configuration
Step 3: Configure Authentication
Enable only these authentication methods:
- ASP.NET Impersonation
- Windows Authentication

Authentication settings for Nodinite Web Client
Step 4: Add the WebClient Application
- Right-click your new site → "Add Application"
- Configure:
  - Alias: WebClient
  - Application Pool: Same as Web Client application pool
  - Physical Path: C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
  - Authentication: Same as Step 3
Step 5: Redirect Users to WebClient Application
Create index.html in the folder from Step 1:
```html
<!DOCTYPE HTML>
<html lang="en-US">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
    <script type="text/javascript">
      window.location.href = "https://nodinite.yourdomain.com/webclient/"
    </script>
    <title>Page Redirection</title>
  </head>
  <body>
    If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to the Web Client</a>.
  </body>
</html>
```
Step 6: Test Your Configuration
From a client browser (not the server), navigate to https://nodinite.yourdomain.com. You should be redirected to the Web Client application.
Tip
Multiple Environments: Repeat these steps for each environment if you host multiple Nodinite instances on the same IIS server.
Restrict Users by IP Address
Log API v1-v6 uses anonymous authentication, which can be a security risk. You can restrict access by IP address.
Option 1: IIS IP Address and Domain Restrictions
- Open IIS Manager
- Select your site → Double-click "IP Address and Domain Restrictions"
- Click "Add Allow Entry" or "Add Deny Entry" in the Actions pane
- Configure allowed/denied IP ranges
Option 2: Windows Firewall Rules
```powershell
# Allow only specific IP range to access port 443
New-NetFirewallRule -DisplayName "Nodinite HTTPS - Allowed IPs" `
    -Direction Inbound -LocalPort 443 -Protocol TCP `
    -Action Allow -RemoteAddress 192.168.1.0/24
```
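Windows Firewall allow rules are additive, so the scoped rule above restricts access only when no other enabled inbound allow rule opens port 443 to every address (a general HTTPS rule, for instance). The audit below is an added example, not part of the Nodinite documentation; it only reads the rule set, and `Get-Open443Rule` is a hypothetical helper name.

```powershell
# Added example: list enabled inbound Allow rules that still open TCP 443 to any remote address.
# Get-Open443Rule is a hypothetical helper name, not a built-in cmdlet.
function Get-Open443Rule {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -notin @('TCP', 'Any')) { continue }

        # LocalPort is 'Any', a single port, a list of ports, or ranges such as '400-500'.
        $covers443 = $false
        foreach ($entry in @($port.LocalPort)) {
            if ($entry -eq 'Any' -or $entry -eq '443') { $covers443 = $true }
            elseif ($entry -match '^(\d+)-(\d+)$') {
                if ([int]$Matches[1] -le 443 -and 443 -le [int]$Matches[2]) { $covers443 = $true }
            }
        }
        if (-not $covers443) { continue }

        # A RemoteAddress of 'Any' means the rule is not limited to an IP range.
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($remote -contains 'Any') {
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $remote -join ','
            }
        }
    }
}

# Rules bound to a specific program are listed too; review each before changing it.
Get-Open443Rule | Format-Table -AutoSize
```

Any rule listed here lets addresses outside 192.168.1.0/24 reach port 443 regardless of the scoped rule.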
Note
Nodinite v7 Log API: Version 7 introduces a new Log API with proper authentication, eliminating the need for IP restrictions. Consider upgrading for better security.