Reverse Proxy

The purpose of a reverse proxy (or frontend web server) is to provide a single point of entry for one or more services from outside the network. The reverse proxy receives all requests from the clients and forwards them to the Axon Ivy Engine which handles them. This allows integrating the processes and applications that you are running on an Axon Ivy Engine into a company or web portal. The use of a reverse proxy provides higher security. You have to keep the reverse proxy up-to-date at any time with the latest security updates because this is also the entry point for attackers. In addition, we recommend that you block access to critical resources such as the Engine Cockpit.

We strongly recommend running a productive Axon Ivy Engine behind a reverse proxy. You should terminate the SSL traffic (HTTPS) on the reverse proxy and let the reverse proxy communicate with the Axon Ivy Engine via plain HTTP. This makes the setup easier and increases performance.

If you still use the AJP protocol between reverse proxy and the Axon Ivy Engine, start using HTTP or HTTPS instead of AJP. AJP development has ceased, and its use with Axon Ivy is deprecated.


digraph overview { layout=neato; node [shape=box, height="0.8", width="2", color="#007095", style=filled, fixedsize="true", margin=0, fontname="Roboto,Helvetica Neue,Arial,sans-serif", fontcolor="white", fontsize=15 ]; /* nodes */ browser [ label="Browser", pos="0,0!", height="0.8", width="1.3"]; reverseproxy [ label="Reverse\nProxy", pos="3,0!", height="0.8", width="1.3"]; engine [label="Axon Ivy\nEngine", pos="6,0!", height="0.8", width="1.3", color="#C7D426", fontcolor="black"]; /* edges */ browser -> reverseproxy; reverseproxy -> engine; /* edge labels */ browserreverseproxy [ label="HTTPS\n \n ", pos="1.5,0!", height="0.8", width="1.7", shape=none, fillcolor=none, fontcolor="black", fontsize="11" ]; reverseproxyengine [ label="HTTP\n \nHTTPS",pos="4.5,0!", height="0.8", width="1.7", shape=none, fillcolor=none, fontcolor="black", fontsize="11" ]; }


We have described how to integrate the Axon Ivy Engine with the following reverse proxy servers:

Read carefully how to improve security by restricting the access to an Axon Ivy Engine when using a reverse proxy. Some reverse proxy servers provide Single Sign-on (SSO) functionality. The reverse proxy then is responsible to authenticate users.

The Engine Cockpit provides the web server view for debugging purposes while integrating a reverse proxy.


Base URL

Besides the setup of the reverse proxy itself, you always need to configure the base URL in ivy.yaml. The Axon Ivy Engine will use this configuration to create absolute links that are accessible to clients (e.g. for links in task mails).

# sample ivy.yaml that configures the base URL for clients.
# https://acme.com will be the absolute URL prefix for links generated by Axon Ivy Engine.
BaseUrl: https://acme.com

Host Header

To successfully integrate a reverse proxy with the Axon Ivy Engine you need to pass the host which the client itself initally has requested, so that the Axon Ivy Engine can generate correct URLs based on the request. All documented examples preserving this host header, but if you integrate the Axon Ivy Engine with any other reverse proxy you need to pass the host header to the Axon Ivy Engine.