Enable HTTPS/TLS on Nodinite v6 (Deprecated)
Warning
Nodinite v6 is deprecated and no longer receives active development or support. This guide is maintained for existing v6 installations only.
We strongly recommend upgrading to Nodinite v7 for:
- ✅ Automated HTTPS configuration - No manual web.config edits needed
- ✅ OAuth 2.0 / OIDC support - Modern authentication methods
- ✅ Improved security - Enhanced encryption and authentication
- ✅ Active support - Bug fixes, updates, and new features
- ✅ Simplified management - Portal-based configuration
This guide provides instructions for enabling HTTPS/TLS on existing Nodinite v6 installations that were initially configured with HTTP. If you're installing Nodinite for the first time, use Nodinite v7 instead.
Quick Navigation
- Prerequisites
- Option A: Simple HTTPS Setup
- Option B: Advanced Setup
- HTTP to HTTPS Redirect
- DNS Name with Redirection
- Development Certificates
- IP Address Restrictions
Tip
For modern HTTPS configuration guidance, certificate management, and architecture overview, see the main How to perform hardening guide for Nodinite v7.
Prerequisites
Before enabling HTTPS on your Nodinite v6 installation, ensure you have:
- ✅ Valid SSL/TLS certificate installed in IIS
- For production: Certificate from trusted CA (DigiCert, Let's Encrypt, internal PKI)
- For development: Self-signed certificate (see development certificates)
- ✅ Certificate thumbprint - Copy from IIS Server Certificates
- ✅ DNS record pointing to your Nodinite server (optional but recommended)
- ✅ URL Rewrite Module 2.1 installed on IIS
- ✅ Administrative access to IIS server
- ✅ Backup of current configuration and databases
Tip
Need help obtaining a certificate? See the How to perform hardening guide for certificate sources, installation instructions, and DNS configuration.
Enable HTTPS on Nodinite v6
The process involves configuring IIS bindings, adding HTTP-to-HTTPS redirection, and updating web.config files.
Option A: Simple HTTPS Setup (Shared Port)
Use this approach when:
- All Nodinite services (Web Client, Web API, Log API) share port 443
- You have a single DNS name for all services
- You want the simplest configuration
Step 1: Add HTTPS Binding in IIS
- Open IIS Manager
- Expand the server node → Sites
- Right-click Default Web Site → Edit Bindings
- Click Add
- Configure:
- Type:
https - Port:
443 - SSL certificate: Select your installed certificate
- Type:
- Click OK
Step 2: Configure HTTP-to-HTTPS Redirect
Follow the instructions in Redirect Traffic from HTTP to HTTPS below.
Step 3: Test Configuration
- Open browser:
https://your-server-name/WebClient - Verify padlock icon appears in address bar
- Confirm you can log in successfully
Option B: Advanced Setup (Separate Ports)
Use this approach when:
- Different services need different ports or bindings
- You have external DNS name with special routing requirements
- You need IP-based access restrictions for Log API
Step 1: Configure Log API (Legacy v1-v6)
The Log API v1-v6 uses anonymous authentication. See Restrict Access by IP Address for security configuration.
Step 2: Configure Web API and Web Client
- Follow Option A for HTTPS binding
- Configure HTTP-to-HTTPS redirection (see below)
Step 3: External DNS Configuration
If you have a DNS name hosted externally, see HTTPS Using DNS Name with Redirection for additional configuration.
Redirect Traffic from HTTP to HTTPS
Automatically redirect HTTP requests to HTTPS using IIS URL Rewrite.
Prerequisites
- URL Rewrite Module 2.1 installed on IIS
Configuration
Edit the web.config file in the root of your IIS site (typically C:\inetpub\wwwroot\web.config):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS for Web API and Web Client" stopProcessing="true">
<match url="^((?!logapi).*)$" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="nodinite.yourdomain.com" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
<rule name="Redirect to Web Client" stopProcessing="true">
<match url="(webclient|logapi|webapi)/{0,1}" negate="true" />
<action type="Redirect" url="https://{HTTP_HOST}/WebClient/" redirectType="SeeOther" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
</rule>
</rules>
</rewrite>
<security>
<requestFiltering>
<hiddenSegments>
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Important
Replace
nodinite.yourdomain.comwith your actual DNS name. If your Web Client is in a virtual directory (e.g.,/nodinite-test/WebClient), adjust the redirect paths accordingly.
Verification
- Browse to
http://your-server-name/WebClient - Confirm automatic redirect to
https://your-server-name/WebClient - Verify padlock icon in browser address bar
HTTPS Using DNS Name with Redirection
If you host your IIS server in the cloud (Azure, AWS) or need a custom DNS name with redirection, follow these steps.
Step 1: Prepare Folder Structure
Create a dedicated folder for your DNS domain:
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\nodinite.yourdomain.com
Replace %ENVIRONMENT% with your environment name (e.g., Production, Test).
Step 2: Create New IIS Website
- Open IIS Manager
- Right-click Sites → Add Website
- Configure:
- Site Name:
nodinite.yourdomain.com - Application Pool: Create new pool with same name
- Physical Path: Point to folder from Step 1
- Binding Type:
https - Port:
443 - Host Name:
nodinite.yourdomain.com(must match SSL certificate CN or SAN) - SSL Certificate: Select your certificate
- Site Name:
IIS Bindings for HTTPS and DNS configuration
Step 3: Configure Authentication
- Select your new site in IIS Manager
- Double-click Authentication
- Enable only these methods:
- ASP.NET Impersonation: Enabled
- Windows Authentication: Enabled
- Disable all other authentication methods
Authentication settings for Nodinite Web Client
Step 4: Add WebClient Application
- Right-click your new site → Add Application
- Configure:
- Alias:
WebClient - Application Pool: Same as Web Client application pool
- Physical Path:
C:\Program Files\Nodinite\%ENVIRONMENT%\Nodinite Core Services\WebClient
- Alias:
- Click OK
- Configure authentication (same as Step 3)
Step 5: Create Redirect Page
Create index.html in the folder from Step 1:
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0; url=https://nodinite.yourdomain.com/webclient/">
<script type="text/javascript">
window.location.href = "https://nodinite.yourdomain.com/webclient/"
</script>
<title>Redirecting to Nodinite Web Client</title>
</head>
<body>
<p>If you are not redirected automatically, follow this <a href='https://nodinite.yourdomain.com/webclient/'>link to the Nodinite Web Client</a>.</p>
</body>
</html>
Important
Replace
nodinite.yourdomain.comwith your actual DNS name.
Step 6: Test Configuration
- From a client browser (not the server), navigate to
https://nodinite.yourdomain.com - Verify automatic redirect to Web Client
- Confirm you can log in successfully
Tip
Repeat these steps for each environment if you host multiple Nodinite instances on the same IIS server.
Development Certificates for Testing
For development or testing environments, you can generate self-signed certificates.
Warning
Self-Signed Certificates are for Development Only! Do not use in production. Browsers will show security warnings, and clients will not trust the certificate without additional configuration.
Generate Self-Signed Certificate (PowerShell)
Simple Example (Minimal Configuration)
# Localhost certificate (minimal configuration)
New-SelfSignedCertificate `
-DnsName "localhost" `
-CertStoreLocation "cert:\LocalMachine\My" `
-NotAfter (Get-Date).AddYears(2)
Production-Quality Development Certificate (Recommended)
# Configure your DNS name(s)
$dnsNames = @("nodinite.dev.local", "nodinite")
# Create certificate with security best practices
$cert = New-SelfSignedCertificate `
-DnsName $dnsNames `
-Subject "CN=$($dnsNames[0])" `
-FriendlyName "Nodinite Dev SSL ($($dnsNames[0]))" `
-KeyAlgorithm RSA -KeyLength 2048 `
-HashAlgorithm SHA256 `
-KeyExportPolicy Exportable `
-NotAfter (Get-Date).AddYears(2) `
-CertStoreLocation "Cert:\LocalMachine\My"
# Display certificate details
$cert | Format-List Subject, DnsNameList, Thumbprint, NotAfter
# Export certificate for backup and trust
New-Item -ItemType Directory -Force -Path C:\certs | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt "Enter PFX password (for backup)"
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).pfx" -Password $pfxPassword | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\certs\$($dnsNames[0]).cer" | Out-Null
Import-Certificate -FilePath "C:\certs\$($dnsNames[0]).cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Write-Host "Certificate created successfully!" -ForegroundColor Green
Write-Host "Thumbprint: $($cert.Thumbprint)" -ForegroundColor Cyan
Write-Host "Files created in C:\certs\" -ForegroundColor Yellow
What This Script Does
- Creates certificate with SHA-256 (secure), 2048-bit RSA key
- Sets Subject Alternative Names (SANs) - Certificate valid for all specified DNS names
- Exports to
.pfxformat - Includes private key, password-protected (for backup/migration) - Exports to
.cerformat - Public certificate only (for distribution to clients) - Automatically trusts certificate - Imports
.certo Trusted Root Certification Authorities - Displays thumbprint - Copy this for IIS binding configuration
Certificate Storage Locations
- Personal Store (
cert:\LocalMachine\My) - Used by IIS for HTTPS binding (requires private key) - Trusted Root Certification Authorities (
cert:\LocalMachine\Root) - Same certificate copied here so browsers trust it
Important
The recommended PowerShell script above automatically handles both locations. If you used the minimal example, follow the manual trust steps below.
Trust Self-Signed Certificate (Manual Method)
If you used the minimal certificate example (not the recommended script), manually copy the certificate to Trusted Root:
Option 1: Using PowerShell
# Get the certificate thumbprint (from script output or find it)
$certificateThumbprint = "YOUR_CERTIFICATE_THUMBPRINT_HERE"
# Get certificate from Personal store
$certificate = Get-ChildItem -Path "Cert:\LocalMachine\My\$certificateThumbprint"
# Export to file
Export-Certificate -Cert $certificate -FilePath "C:\Temp\nodinite-dev.cer"
# Import to Trusted Root Certification Authorities
Import-Certificate -FilePath "C:\Temp\nodinite-dev.cer" `
-CertStoreLocation "Cert:\LocalMachine\Root"
Option 2: Using Certificate Manager (GUI)
- Press
Win+R, typecertlm.msc, press Enter - Navigate to Personal → Certificates
- Find your certificate (e.g.,
CN=nodinite.dev.local) - Right-click → Copy
- Navigate to Trusted Root Certification Authorities → Certificates
- Right-click in the right pane → Paste
Tip
Why copy to Trusted Root? Self-signed certificates act as their own Certificate Authority. Browsers check the Trusted Root store to determine if they should trust a certificate. Without this step, browsers will show "Your connection is not private" warnings.
Certificate Backup
The .pfx file contains your private key (password-protected). Store it securely - you'll need it if you:
- Rebuild your server
- Move the certificate to another machine
- Recover from a disaster
Restrict Access by IP Address (Log API Only)
Warning
Log API v1-v6 uses anonymous authentication, which is a security risk. You can mitigate this by restricting access to specific IP addresses.
Nodinite v7 introduces a new Log API with proper authentication. This eliminates the need for IP restrictions. Consider upgrading to v7 for better security.
Affected Logging Agents
If you restrict Log API access by IP, ensure your logging agents can still connect:
- Nodinite Azure Logic Apps Logging Agent
- Nodinite IBM Integration Bus Logging Agent
- Nodinite Pickup Log Events Service Logging Agent
Option 1: IIS IP Address and Domain Restrictions
- Open IIS Manager
- Select your site or Log API application
- Double-click IP Address and Domain Restrictions
- Click Add Allow Entry or Add Deny Entry in the Actions pane
- Configure allowed/denied IP addresses or ranges
Example: Allow only specific subnet:
- Deny all by default
- Allow
192.168.1.0/24(your internal network)
Option 2: Windows Firewall Rules
# Allow only specific IP range to access Log API port
New-NetFirewallRule -DisplayName "Nodinite Log API - Allowed IPs" `
-Direction Inbound -LocalPort 443 -Protocol TCP `
-Action Allow -RemoteAddress 192.168.1.0/24
Replace 192.168.1.0/24 with your trusted IP range.
Important
Firewall rules apply server-wide. If you use separate ports for different services, adjust the
-LocalPortparameter accordingly.
Upgrade Recommendation
Why Upgrade to Nodinite v7?
| Feature | v6 (Deprecated) | v7 (Current) |
|---|---|---|
| HTTPS Configuration | Manual web.config editing | Automated via Portal |
| Authentication | Windows only, Log API anonymous | Windows, OAuth 2.0, OIDC |
| Certificate Management | Manual IIS configuration | Portal-based, centralized |
| Security Features | Basic TLS, IP restrictions | Modern TLS, authenticated APIs |
| Support Status | ❌ Deprecated, no updates | ✅ Active development |
| Configuration Complexity | ❌ High (manual steps) | ✅ Low (automated) |
Start your upgrade to Nodinite v7
Next Steps
- How to perform hardening - Modern v7 HTTPS configuration guide
- Updating from v6 to v7 - Complete upgrade guide
- Install Nodinite v7 - Fresh v7 installation