Path
We recommend providing only the Axon Ivy application(s) that your users need to access
via the reverse proxy. The Axon Ivy Engine makes it easy to do that because all
URLs of an application share the left-hand side of their URL. For example: If
your application is named demo-app
, then you only need to allow access
for the URL https://ivyengine/demo-app
.
Restrict system access
The Axon Ivy Engine itself provides administration functionality under the base
url system
e.g. https://ivyengine/system
. Do not allow or
explicitly restrict the access to this URL in your reverse proxy configuration.
Well appreciated redirect
A redirect from the root URL /
to your application home URL will be much
appreciated by your end users. E.g. when a user is accessing
https://ivyengine/
then they should be redirected to
https://ivyengine/demo-app
.
Examples
The configuration examples for NGINX and for Apache HTTP Server follow all of these recommendations. The configuration script provided for Microsoft IIS routes all traffic to the Axon Ivy Engine. We recommend to only route specific applications by manually modifing the rules in URL Rewrite.
Block URLs on the Axon Ivy Engine
Alternatively, URLs can also be blocked directly on the Axon Ivy Engine which
utilizes and underlying Apache Tomcat for serving HTTP requests. Open the
web.xml file in [engineDir]/configuration/
and add the following
configuration inside the <web-app>
tag to block system access:
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<web-app>
3 ...
4 <security-constraint>
5 <display-name>Restrict access to system</display-name>
6 <web-resource-collection>
7 <web-resource-name>System</web-resource-name>
8 <url-pattern>/system/*</url-pattern>
9 </web-resource-collection>
10 <auth-constraint />
11 </security-constraint>
12 ...
13</web-app>
After changing the configuration restart the Axon Ivy Engine. Note: Using this scheme reduces engine performance slightly, as the Axon Ivy Engine has to check every incoming request if it needs to be blocked. Reverse proxies are better suited for this task.