web analytics
Press "Enter" to skip to content

Securing Composable with HTTPS for Operational Security

Ryan O'Shea 0

Getting Started

IT Pros know how important information security can be for meeting compliance rules and delivering your projects on time. Serving a web application like Composable over HTTPS is crucial to maintaining the confidentiality and integrity of your critical data streams. Luckily, in Composable Enterprise, it’s easy to get a modern HTTPS configuration up and running in just a few steps. Let’s walk through how.

First, you’ll want to configure IIS on your server to serve the Composable WebApp over HTTPS with a certificate. You can purchase a certificate from any signing authority, or obtain a free one through the Let’s Encrypt project. We’ll assume you have a TLS/SSL certificate ready to go.

When you’re ready to start, open the IIS Configuration Manager on your server. Navigate as shown to the right, into Sites and to the Default Web Site, under which the Composable application is installed. Then, from the right-hand Actions toolbar, choose the link the says “Bindings”. You should see a single entry, binding port 80 on the server to the plain HTTP protocol. We’ll need to add a binding for HTTPS. Choose “Add…” and set “https” as the type and ensure the port is set to 443. In “Host name”, type the domain name for your Composable instance, for which you acquired a certificate. Then, choose “Select…” and locate your certificate file. Then click OK, and your instance should be configured to use HTTPS!

Hardening your Secure Composable Enterprise Instance

If you’re anything like me, you’ll want to make sure your server is using best practices for HTTPS. Composable offers a few extra configuration options to help you get the most out of your HTTPS setup. These are advanced settings, so be sure you’re confident about what you’re doing before beginning.

Require Secure Connections

To force all connections to use HTTPS, you’ll need to edit your WebApp configuration file. This file, Web.config, is located under your Composable Enterprise install directory, typically  C:\Program Files\CompAnalytics\WebApp. Open this file in a text editor of your choice.

Inside this file, you should see a line like the one below:

If you don’t see this line, you can add it under the path  /configuration/appSettings. Once you’ve located this setting, change the value from “True” to “False”. Enabling the “RequireHttps” setting will cause your Composable Enterprise instance to automatically redirect any plaintext HTTP traffic to HTTPS. It will also utilize HSTS, or the  Strict-Transport-Security header, which tells any browser connecting to the server to remember that this server only accepts secure connections. If you’re looking to secure your Composable instance, enabling this setting is an important step in preventing any non-secure information leakage.

Upgrade to Secure Ciphers & Protocols

Another key step in securing your HTTPS configuration is to limit the types of ciphers and SSL/TLS versions that your server will accept. This protects against security downgrade attacks by refusing to send data to clients who are not capable of using a modern, secure cipher to protect the data flowing to and from your server. The whitelist of accepted ciphers & protocols is a setting native to Windows itself, so you’ll need to use a third-party tool to edit the registry keys that control these settings. We recommend using IIS Crypto. Simply select “Templates” from the sidebar and pick from the available options based on your needs, be it best practices, FIPS, or PCI compliance. Or, you can dig deeper and customize the whitelist yourself.

Wrap-up

Once you’ve completed these steps, your Composable Enterprise instance should be equipped to protect even the most sensitive data. We’ve applied these rules to our demo instance at cloud.composableanalytics.com, and just through these simple steps, we’ve achieved an A-rating from the industry-standard Qualys SSL Labs scan.

Ryan O'Shea

Ryan O'Shea

Ryan is a software engineer at Composable with a degree in Electrical Engineering from Princeton University.
Ryan O'Shea