Skip to main content

Configuring Inbound Traffic

HTTP Configuration

The port parameter(s) in the IQ Server config.yml allow you to set the port(s) to access the application and/or operational menu. Each port can be freely changed to other values, as long as it is not used and in the allowed range of values greater than 1024. The following examples show how to set these port parameter(s).

For IQ Server version 1.43 and higher

HTTP Configuration in config.yml

server:
    applicationConnectors:
        - type: http
          port: 8070
    adminConnectors:
        - type: http
          port: 8071

For IQ Server version 1.42 and lower

HTTP Configuration in config.yml

http:
    port: 8070
    adminPort: 8071
    adminUsername: user1234
    adminPassword: pass5678

Access to the operational services available on the adminPort can optionally be restricted with HTTP basic authentication by specifying adminUsername and adminPassword.

Warning

Note that adminUsername and adminPassword are only available in IQ Server version 1.42 and lower. Additionally, the credentials are vulnerable to a timing attack, see CVE-2017-9735 for details. In environments where this risk is not tolerable, please use a reverse proxy instead to shield and authenticate access to the operational services.

HTTPS/SSL Configuration

One option to expose the IQ Server via https, is to use an external server like Apache httpd or nginx and configure it for reverse proxying the external connections via https to internal http connection. This reverse proxy can be installed on the same server as the IQ Server or a different server and numerous tutorials for this setup are available on the internet.

A second option is to directly configure SSL support for Dropwizard by modifying the relevant segment in the config.yml file. The following examples show how to do this. Note that the keystore file can be generated and managed with the keytool.

For IQ Server version 1.43 and higher

HTTPS Configuration in config.yml

server:
    applicationConnectors:
        - type: https
          port: 8443
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword
    adminConnectors:
        - type: https
          port: 8471
          keyStorePath: /path/to/your/keystore/file
          keyStorePassword: yourpassword

Further documentation is available in the newer Dropwizard manual and reference.

For IQ Server version 1.42 and lower

HTTPS Configuration in config.yml

http:
  port: 8443
  adminPort: 8471
 
  connectorType: nonblocking+ssl
 
  ssl:
    keyStore: /path/to/your/keystore/file
    keyStorePassword: yourpassword

Further documentation is available in the old 0.6.2 Dropwizardmanual and reference under the section ssl:

HSTS Configuration:

From IQ Server 136 onwards, HSTS is enabled by default.

It can be enabled/disabled by editing the following sections of the config.yml

HSTS Configuration in config.yml

# HTTP Strict Transport Security (HSTS) is supported using dropwizard-web configuration
# HSTS headers are enabled by default, uncomment web: section below and set enabled: false to disable
# Refer to https://github.com/dropwizard/dropwizard-web#supports for detailed configuration guide
#web:
#  hsts:
#    enabled: true
#    maxAge: 365 days
#    includeSubDomains: true

Web Application Context Path

For IQ Server 1.43 and newer the context path at which the web application is accessible can be customized using the option shown below:

server:
    # The context path for the application. Note that this must have a leading slash.
    applicationContextPath: /

While the application context path does control the base path the IQ server web application is served at, the value is not appended to whatever baseUrl config value you may already have set. When customizing the applicationContextPath, be sure check if the Base URL value also needs adjustment.

CSRF Protection

Attacks on the IQ Server could occur via a cross-site request forgery (CSRF). To protect against this, a configuration item csrfProtection has been provided. This option is set to true by default.

You can change this as follows:

For IQ Server Release 142 and later

Via the configuration REST API.

For IQ Server Release 141 and prior

# Enables/disables cross-site request forgery protection. Defaults to true for increased security.
#csrfProtection: true

Note

In cases where the HTTP headers are stripped (e.g. a proxy configuration), this protection would block usage of the UI. To address this, you can disable this protection by setting the configuration item to false.