Path

We recommend exposing only the Axon Ivy application(s) that your users need to access via the reverse proxy. The Axon Ivy Engine makes this easy because all URLs of an application share the same path prefix. For example, if your application is named demo-app, you only need to allow access to URLs under https://ivyengine/demo-app.


Restrict system access

The Axon Ivy Engine itself provides administration functionality under the base URL system, e.g. https://ivyengine/system. Either do not allow access to this URL or explicitly restrict it in your reverse proxy configuration.


Well appreciated redirect

A redirect from the root URL / to your application home URL will be much appreciated by your end users. For example, a user who accesses https://ivyengine/ should be redirected to https://ivyengine/demo-app.


Examples

The configuration examples for NGINX and for Apache HTTP Server follow all of these recommendations. The configuration script provided for Microsoft IIS routes all traffic to the Axon Ivy Engine. We recommend routing only specific applications by manually modifying the rules in URL Rewrite.
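The following NGINX server block applies the three recommendations above (application-only routing, no access to system, redirect from the root URL). It is an added illustration, not the configuration shipped with the Axon Ivy Engine. The upstream address 127.0.0.1:8080, the certificate paths and the forwarded headers are assumptions to adapt to your installation.

```nginx
# Added example. Upstream address, TLS paths and headers are assumptions.
upstream ivy_engine {
    server 127.0.0.1:8080;            # assumed address of the Axon Ivy Engine
}

server {
    listen 443 ssl;
    server_name ivyengine;
    ssl_certificate     /etc/nginx/tls/ivyengine.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/ivyengine.key;   # placeholder path

    # Redirect the root URL to the application home.
    location = / {
        return 302 /demo-app;
    }

    # Route only the application. The exact match plus the trailing-slash
    # prefix prevents a sibling such as /demo-app2 from being exposed
    # by accident, which a bare "location /demo-app" prefix would allow.
    location = /demo-app {
        proxy_pass http://ivy_engine;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /demo-app/ {
        proxy_pass http://ivy_engine;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Explicitly refuse the administration URLs, so the intent stays
    # visible even if the catch-all below is changed later.
    location /system {
        return 403;
    }

    # Default deny: anything not listed above never reaches the engine.
    location / {
        return 404;
    }
}
```

After reloading NGINX, a request to https://ivyengine/system should return 403 from the proxy and a request to https://ivyengine/ should return a redirect to /demo-app.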

Block URLs on the Axon Ivy Engine

Alternatively, URLs can also be blocked directly on the Axon Ivy Engine, which uses an underlying Apache Tomcat for serving HTTP requests. Open the web.xml file in [engineDir]/configuration/ and add the following configuration inside the <web-app> tag to block system access:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  ...
  <security-constraint>
    <display-name>Restrict access to system</display-name>
    <web-resource-collection>
      <web-resource-name>System</web-resource-name>
      <url-pattern>/system/*</url-pattern>
    </web-resource-collection>
    <!-- An empty auth-constraint permits no role, so every request to the matched URLs is denied -->
    <auth-constraint />
  </security-constraint>
  ...
</web-app>

After changing the configuration, restart the Axon Ivy Engine. Note: Using this scheme reduces engine performance slightly, because the Axon Ivy Engine has to check for every incoming request whether it needs to be blocked. Reverse proxies are better suited for this task.