Configuring Inbound Traffic

HTTP Configuration

The port parameters in the IQ Server config.yml set the ports on which the application and the operational (admin) menu are reachable. Each port can be changed to any other value, as long as that value is not already in use and lies in the allowed range, i.e. greater than 1024. The following examples show how to set these port parameters.

For IQ Server version 1.43 and higher

HTTP Configuration in config.yml

server:
    applicationConnectors:
        - type: http
          port: 8070
    adminConnectors:
        - type: http
          port: 8071

For IQ Server version 1.42 and lower

HTTP Configuration in config.yml

http:
    port: 8070
    adminPort: 8071
    adminUsername: user1234
    adminPassword: pass5678

Access to the operational services available on the adminPort can optionally be restricted with HTTP basic authentication by specifying adminUsername and adminPassword.

Warning

Note that adminUsername and adminPassword are only available in IQ Server version 1.42 and lower. Additionally, the credential check is vulnerable to a timing attack, see CVE-2017-9735 for details. In environments where this risk is not tolerable, use a reverse proxy instead to shield the operational services and authenticate access to them.

HTTPS/SSL Configuration

One option to expose the IQ Server via HTTPS is to place an external server such as Apache HTTPD or nginx in front of it and configure it as a reverse proxy: it terminates the external HTTPS connections and forwards them to the internal HTTP connector of the IQ Server. The reverse proxy can run on the same host as the IQ Server or on a different one, and numerous tutorials for this setup are available on the internet.

A second option is to configure SSL support directly in Dropwizard, the framework the IQ Server runs on, by modifying the relevant segment of the config.yml file. The following examples show how to do this. Note that the keystore file can be generated and managed with the JDK keytool utility.

For IQ Server version 1.43 and higher

HTTPS Configuration in config.yml

server:
    applicationConnectors:
        - type: https
          port: 8443
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword
    adminConnectors:
        - type: https
          port: 8471
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword

Documentation is available in the Dropwizard manual and reference.

For IQ Server version 1.42 and lower

HTTPS Configuration in config.yml

http:
  port: 8443
  adminPort: 8471

  connectorType: nonblocking+ssl

  ssl:
    keyStore: /path/to/your/keystore/file
    keyStorePassword: yourpassword

HSTS Configuration

From IQ Server 136 onwards, HSTS is enabled by default.

It can be enabled or disabled by editing the following section of the config.yml.

HSTS Configuration in config.yml

# HTTP Strict Transport Security (HSTS) is supported using dropwizard-web configuration
# HSTS headers are enabled by default, uncomment web: section below and set enabled: false to disable
# Refer to https://github.com/dropwizard/dropwizard-web#supports for detailed configuration guide
#web:
#  hsts:
#    enabled: true
#    maxAge: 365 days
#    includeSubDomains: true

Web Application Context Path

For IQ Server 1.43 and newer the context path at which the web application is accessible can be customized using the option shown below:

server:
    # The context path for the application. Note that this must have a leading slash.
    applicationContextPath: /

While the application context path does control the base path at which the IQ Server web application is served, that value is not appended to the baseUrl config value you may already have set. When customizing the applicationContextPath, check whether the Base URL value also needs adjustment.

CSRF Protection

Attacks on the IQ Server could be mounted via cross-site request forgery (CSRF). To protect against this, a CSRF protection configuration item is provided. This option is set to true by default and is updated through the Configuration REST API.

For IQ Server release 1.41 and prior

# Enables/disables cross-site request forgery protection. Defaults to true for increased security.
#csrfProtection: true

Note

In cases where the relevant HTTP headers are stripped (e.g. by a proxy configuration), this protection will block use of the UI. To address this, you can disable the protection by setting the configuration item to false.
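As an added check that is not part of the Sonatype documentation or the IQ Server project, the following Python script audits a 1.43+ style config.yml for the settings covered above (port range, plaintext vs. HTTPS connectors, placeholder keystore passwords, HSTS, and the legacy csrfProtection key). It assumes the file has already been parsed into a dict (as PyYAML's yaml.safe_load would produce); the two sample configs below are constructed inline so the script runs offline.

```python
# Constructed sample configs, shaped like the dict yaml.safe_load() returns
# for an IQ Server 1.43+ config.yml. The port numbers follow this page.
WEAK_CONFIG = {
    "server": {
        "applicationConnectors": [{"type": "http", "port": 8070}],
        "adminConnectors": [{"type": "http", "port": 80}],   # privileged port
    },
    "web": {"hsts": {"enabled": False}},                      # HSTS switched off
    "csrfProtection": False,                                  # legacy key, disabled
}

# Hypothetical keystore location and password (not from the page).
TLS = {"keyStorePath": "/etc/iq/keystore.jks", "keyStorePassword": "k3yst0re-pass-from-vault"}
HARDENED_CONFIG = {
    "server": {
        "applicationConnectors": [{"type": "https", "port": 8443, **TLS}],
        "adminConnectors": [{"type": "https", "port": 8471, **TLS}],
    },
    # no web: section (HSTS default stays enabled), no csrfProtection key (default true)
}

# Values that mean the keystore password was never changed from an example.
PLACEHOLDER_PASSWORDS = {"yourpassword", "changeit", "password", ""}


def audit_connectors(name, connectors, findings):
    """Check one connector list (application or admin) against the page's rules."""
    for conn in connectors:
        port = conn.get("port")
        if not isinstance(port, int) or port <= 1024:
            findings.append(f"{name}: port {port!r} is not in the allowed range (> 1024)")
        if conn.get("type") != "https":
            findings.append(f"{name}: type {conn.get('type')!r} is plaintext HTTP; "
                            "terminate TLS here or in front of it with a reverse proxy")
        elif conn.get("keyStorePassword", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: keyStorePassword is a placeholder value")


def audit_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    server = cfg.get("server", {})
    audit_connectors("applicationConnectors", server.get("applicationConnectors", []), findings)
    audit_connectors("adminConnectors", server.get("adminConnectors", []), findings)
    # HSTS is on unless the web: section is uncommented with enabled: false.
    if cfg.get("web", {}).get("hsts", {}).get("enabled", True) is False:
        findings.append("web.hsts.enabled is false: HSTS headers are disabled")
    # csrfProtection lives in config.yml only up to release 1.41; later releases use the REST API.
    if cfg.get("csrfProtection", True) is False:
        findings.append("csrfProtection is false: CSRF protection is disabled")
    return findings
```

Running audit_config on WEAK_CONFIG reports five findings, while HARDENED_CONFIG passes cleanly.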