• Rough draft

    • Exposing Tax Balance

    Owned by CBE
    Last updated: Sept 04, 2023
    2 min read

    Inbound Requests

    The Tax Balance Server hosts an HTTP API and the Tax Balance Web Application which you can configure to use standard TCP ports (80/443) or non-standard ports.

    Configure bindings

    1. Open the appsettings.json file located at the Tax Balance installation directory.

    2. Change the value of the key Urls. Separate multiple binding URLs with a colon (;)

    Top-level wildcard bindings (http://*:80/ and http://+:80) should not be used. Top-level wildcard bindings create app security vulnerabilities. This applies to both strong and weak wildcards. Use explicit host names or IP addresses rather than wildcards.

    Preregister URL prefixes

    The built-in tool for configuring HTTP.sys is netsh.exe. Use this tool to reserve URL prefixes and assign X.509 certificates. The tool requires administrator privileges.

    Use netsh.exe tool to register URLs for Tax Balance:

    netsh http add urlacl url=<tax-balance-url-prefix> user=<tax-balance-user>

    • Replacing <tax-balance-url-prefix> with the URL prefix from appsettings.json

    • Replacing <tax-balance-user> with the account that will use the URL prefix

    It is possible to use windows groups for the user parameter, e.g., Everyone, Users. Be aware to use German terminology on systems that are set in the German language, e.g., Jeder, Benutzer

    When a URL is registered, the tool responds with URL reservation successfully added.

    To delete a registered URL, use the delete urlacl command:

    netsh http delete urlacl url=<url-prefix-to-delete>

    Register X.509 certificate

    Use the netsh.exe tool to register a certificate for Tax Balance Server.

    netsh http add sslcert ipport=<tax-balance-url-prefix> certhash=<tax-balance-certificate-thumbprint> appid="{23842322-71a0-4aed-9852-eb1e5cea2c17}"

    • Replacing <tax-balance-url-prefix> with the URL prefix from appsettings.json

    • Replacing <tax-balance-certificate-thumbprint> with the X.509 certificate thumbprint from a certificate stored in the Windows certificate for the local machine.

    Use ipport parameter when binding X.509 to IP adress and port combination, e.g, 0.0.0.0:443. Use hostnameport when binding X.509 certificate to host name and port combination, e.g., localhost:443.