Configuring Inbound Traffic

HTTP Configuration

The port parameter(s) in the IQ Server config.yml set the port(s) used to access the application and/or the operational menu. Each port can be changed to another value, as long as that port is not already in use and lies in the allowed range of values greater than 1024. The following examples show how to set these port parameter(s).

For IQ Server version 1.42 and lower

http:
    port: 8070
    adminPort: 8071
    adminUsername: user1234
    adminPassword: pass5678

Access to the operational services available on the adminPort can optionally be restricted with HTTP basic authentication by specifying adminUsername and adminPassword.

Note that adminUsername and adminPassword are only available in IQ Server version 1.42 and lower. Additionally, the credentials are vulnerable to a timing attack; see CVE-2017-9735 for details. In environments where this risk is not tolerable, please use a reverse proxy instead to shield and authenticate access to the operational services.

For IQ Server version 1.43 and higher

server:
    applicationConnectors:
        - type: http
          port: 8070
    adminConnectors:
        - type: http
          port: 8071

HTTPS/SSL Configuration

One option for exposing the IQ Server via https is to use an external server such as Apache httpd or nginx and configure it to reverse proxy the external https connections to the internal http connection. This reverse proxy can be installed on the same server as the IQ Server or on a different server, and numerous tutorials for this setup are available on the internet.
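The reverse-proxy setup described above, which also covers the earlier advice to authenticate the operational services at a proxy, could look like this in nginx. This is an added example, not configuration from Sonatype: the hostname, certificate and htpasswd paths and the management subnet are placeholders, and it assumes IQ Server runs on the same host with the plain http ports 8070 and 8071 from the examples above.

```nginx
# Added example; place inside the http { } context (e.g. a conf.d file).
# iq.example.com, all file paths and 10.0.0.0/24 are placeholders.

# Application UI and API: https on 443 -> http on 127.0.0.1:8070
server {
    listen 443 ssl;
    server_name iq.example.com;

    ssl_certificate     /etc/nginx/tls/iq.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/iq.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8070;
        # Pass the client's request details through to the backend. The
        # CSRF Protection section notes that a proxy which strips HTTP
        # headers blocks the UI while csrfProtection is enabled.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Operational services: https on 8471 -> http on 127.0.0.1:8071
server {
    listen 8471 ssl;
    server_name iq.example.com;

    ssl_certificate     /etc/nginx/tls/iq.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/iq.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Both checks must pass (nginx default "satisfy all"):
    # source address in the management subnet AND valid basic auth.
    allow 10.0.0.0/24;
    deny  all;
    auth_basic           "IQ Server operations";
    auth_basic_user_file /etc/nginx/iq-admin.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8071;
        proxy_set_header Host $host;
    }
}
```

The proxy only shields the operational services if direct access to ports 8070 and 8071 is blocked as well (for example with a host firewall); otherwise clients can bypass it.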

A second option is to directly configure SSL support for Dropwizard by modifying the relevant segment in the config.yml file. The following examples show how to do this. Note that the keystore file can be generated and managed with the keytool.

For IQ Server version 1.42 and lower

http:
  port: 8443
  adminPort: 8471
 
  connectorType: nonblocking+ssl
 
  ssl:
    keyStore: /path/to/your/keystore/file
    keyStorePassword: yourpassword

Further documentation is available in the old 0.6.2 Dropwizard manual and reference under the section ssl:.

For IQ Server version 1.43 and higher

server:
    applicationConnectors:
        - type: https
          port: 8443
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword
    adminConnectors:
        - type: https
          port: 8471
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword

Further documentation is available in the newer Dropwizard manual and reference.

Web Application Context Path

For IQ Server 1.43 and newer, the context path at which the web application is accessible can be customized using the option shown below:

server:
    # The context path for the application. Note that this must have a leading slash.
    applicationContextPath: /

CSRF Protection

Attacks on the IQ Server could occur via a cross-site request forgery (CSRF). To protect against this, a configuration item csrfProtection has been provided. This option is set to true by default.

# Enables/disables cross-site request forgery protection. Defaults to true for increased security.
#csrfProtection: true

In cases where the HTTP headers are stripped (e.g. by a proxy configuration), this protection would block usage of the UI. To address this, you can disable the protection by setting the configuration item to false.