IT Pros know how important information security can be for meeting compliance rules and delivering your projects on time. Serving a web application like Composable over HTTPS is crucial to maintaining the confidentiality and integrity of your critical data streams. Luckily, in Composable Enterprise, it’s easy to get a modern HTTPS configuration up and running in just a few steps. Let’s walk through how.
First, you’ll want to configure IIS on your server to serve the Composable WebApp over HTTPS with a certificate. You can purchase a certificate from any signing authority, or obtain a free one through the Let’s Encrypt project. We’ll assume you have a TLS/SSL certificate ready to go.
When you’re ready to start, open the IIS Configuration Manager on your server. Navigate as shown to the right, into Sites and to the Default Web Site, under which the Composable application is installed. Then, from the right-hand Actions toolbar, choose the link the says “Bindings”. You should see a single entry, binding port 80 on the server to the plain HTTP protocol. We’ll need to add a binding for HTTPS. Choose “Add…” and set “https” as the type and ensure the port is set to 443. In “Host name”, type the domain name for your Composable instance, for which you acquired a certificate. Then, choose “Select…” and locate your certificate file. Then click OK, and your instance should be configured to use HTTPS!
Hardening your Secure Composable Enterprise Instance
If you’re anything like me, you’ll want to make sure your server is using best practices for HTTPS. Composable offers a few extra configuration options to help you get the most out of your HTTPS setup. These are advanced settings, so be sure you’re confident about what you’re doing before beginning.
Require Secure Connections
To force all connections to use HTTPS, you’ll need to edit your WebApp configuration file. This file, Web.config, is located under your Composable Enterprise install directory, typically C:\Program Files\CompAnalytics\WebApp. Open this file in a text editor of your choice.
Inside this file, you should see a line like the one below:
<add key="RequireHttps" value="False" />
If you don’t see this line, you can add it under the path /configuration/appSettings. Once you’ve located this setting, change the value from “True” to “False”. Enabling the “RequireHttps” setting will cause your Composable Enterprise instance to automatically redirect any plaintext HTTP traffic to HTTPS. It will also utilize HSTS, or the Strict-Transport-Security header, which tells any browser connecting to the server to remember that this server only accepts secure connections. If you’re looking to secure your Composable instance, enabling this setting is an important step in preventing any non-secure information leakage.
Upgrade to Secure Ciphers & Protocols
Another key step in securing your HTTPS configuration is to limit the types of ciphers and SSL/TLS versions that your server will accept. This protects against security downgrade attacks by refusing to send data to clients who are not capable of using a modern, secure cipher to protect the data flowing to and from your server. The whitelist of accepted ciphers & protocols is a setting native to Windows itself, so you’ll need to use a third-party tool to edit the registry keys that control these settings. We recommend using IIS Crypto. Simply select “Templates” from the sidebar and pick from the available options based on your needs, be it best practices, FIPS, or PCI compliance. Or, you can dig deeper and customize the whitelist yourself.
Once you’ve completed these steps, your Composable Enterprise instance should be equipped to protect even the most sensitive data. We’ve applied these rules to our demo instance at cloud.composableanalytics.com, and just through these simple steps, we’ve achieved an A-rating from the industry-standard Qualys SSL Labs scan.
Latest posts by Ryan O'Shea (see all)
- Correcting Pesky Timezones in a DataFlow - June 21, 2018
- Coming soon to WebApps in Composable: Web Analytics - May 17, 2018
- Securing Composable with HTTPS for Operational Security - February 8, 2018