Port

It is very important that only the reverse proxy (and, for administration, trusted administrators) can communicate with the Axon Ivy Engine, especially when Single Sign-on is activated: with SSO the engine trusts the identity that the reverse proxy asserts for the requests it forwards, so anyone who can reach the engine directly could assert such an identity themselves. Nobody else should be able to connect to the engine ports, e.g. 8080, 8443 or 8009, from outside. How to configure this properly depends on the setup.

Same host

If the reverse proxy and the Axon Ivy Engine run on the same host


[Figure: Browser --HTTPS--> Reverse Proxy --HTTP or HTTPS--> Axon Ivy Engine; the reverse proxy and the engine are inside one dashed "Host" box.]


then bind the connector the reverse proxy uses, i.e. the protocol between the reverse proxy and the Axon Ivy Engine, to localhost. For example, when the proxy talks HTTP to the engine, bind the HTTP connector to localhost (the HTTPS connector is configured in the same way). The engine then accepts connections only from processes on the same host and is no longer reachable from the network. Bind every connector that is enabled: a second connector left on the default address still exposes the engine.

# bind the HTTP connector to localhost exclusively
Connector:
  HTTP:
    Address: localhost
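After binding the connector, confirm on the host that no engine port listens on a non-loopback address. The following script is an added example and not part of the Axon Ivy documentation: it parses the output of `ss -ltnH` (LISTEN sockets, numeric, no header) and reports every engine port whose local address is not loopback. The `ss` sample embedded in the script is constructed for demonstration; the port numbers are the ones named above.

```shell
#!/usr/bin/env bash
# Added example (not part of the Axon Ivy documentation): verify that the
# engine connectors listen on loopback only. The ss output below is a
# constructed sample; on a real host use check_live_host instead.

ENGINE_PORTS="8080 8443 8009"

# Constructed sample of `ss -ltnH` output: 8080 is bound to loopback,
# 8443 and 8009 are bound to wildcard addresses, 22 is not an engine port.
SAMPLE_SS='LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 *:8443 *:*
LISTEN 0 100 [::]:8009 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Reads `ss -ltnH` lines on stdin and prints "<port> <address>" for every
# engine port whose listening address is not a loopback address.
exposed_engine_ports() {
    awk -v ports="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        la = $4                                  # "Local Address:Port" column
        i = match(la, /:[0-9]+$/)
        if (i == 0) next
        port = substr(la, i + 1)
        addr = substr(la, 1, i - 1)
        if (!(port in want)) next
        # 127.0.0.0/8 and ::1 are fine; *, 0.0.0.0, [::] or a host IP are exposed
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print port " " addr
    }'
}

# Runs the check against the live host; returns 1 if any engine port is exposed.
check_live_host() {
    exposed=$(ss -ltnH | exposed_engine_ports "$ENGINE_PORTS")
    if [ -n "$exposed" ]; then
        printf 'engine port reachable from outside:\n%s\n' "$exposed"
        return 1
    fi
    echo "all engine ports bound to loopback"
}

# From another machine: a TCP connect to the engine port must fail.
# Uses bash's /dev/tcp; returns 0 only if the port accepted the connection.
probe_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Demonstration on the constructed sample: prints "8443 *" and "8009 [::]".
printf '%s\n' "$SAMPLE_SS" | exposed_engine_ports "$ENGINE_PORTS"
```

Run `check_live_host` on the engine host as a post-configuration check, and `probe_port <engine-host> 8080` from a machine other than the proxy to confirm the connection is refused. Note that a loopback binding only keeps the engine off the network; other processes and users on the same host can still reach it.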

Different host

If the reverse proxy and the Axon Ivy Engine run on two different hosts:


[Figure: Browser --HTTPS--> Reverse Proxy --HTTP or HTTPS--> Axon Ivy Engine; the reverse proxy sits in a dashed "Host Reverse Proxy" box and the engine in a separate dashed "Host Axon Ivy Engine" box.]


You have to use one of the following approaches:

  1. Configure your network (e.g. a dedicated network segment or security group) such that only the reverse proxy can reach the Axon Ivy Engine ports.

  2. Set up a firewall rule on the Axon Ivy Engine host that drops all connections to the engine ports except those coming from the IP address of the reverse proxy. Limit the rule to the engine ports so that administrative access to the host, such as SSH, is not affected. A firewall rule only restricts who can connect; if the network between the two hosts is not trusted, use HTTPS for the connection from the reverse proxy to the engine as well.
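The following script is an added example for the second approach and is not part of the Axon Ivy documentation: it generates an nftables ruleset for the engine host that admits the engine ports only from the reverse proxy and from the host itself, and drops every other connection to those ports. The proxy address 10.0.0.5 is a placeholder to be replaced with the real address of the reverse proxy; the ports are the ones named above.

```shell
#!/usr/bin/env bash
# Added example (not part of the Axon Ivy documentation): an nftables ruleset
# that restricts the engine ports to the reverse proxy. 10.0.0.5 is a
# placeholder for the proxy's address; override via the environment.

PROXY_IP="${PROXY_IP:-10.0.0.5}"
ENGINE_PORTS="${ENGINE_PORTS:-8080 8443 8009}"

# Prints an nftables ruleset on stdout. Connections from the proxy (and from
# the host itself over lo) to the engine ports are accepted, everything else
# to those ports is dropped. The chain policy stays "accept" so unrelated
# services such as SSH are not touched. The table is created, deleted and
# recreated so that re-applying the ruleset never duplicates rules.
engine_ruleset() {
    proxy=$1
    set_members=$(printf '%s' "$2" | sed 's/ /, /g')   # "8080, 8443, 8009"
    cat <<EOF
table inet engine_guard
delete table inet engine_guard
table inet engine_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ip saddr $proxy tcp dport { $set_members } accept
        tcp dport { $set_members } drop
    }
}
EOF
}

# Loads the ruleset atomically (`nft -f -` reads from stdin); run as root.
apply_engine_ruleset() {
    engine_ruleset "$PROXY_IP" "$ENGINE_PORTS" | nft -f -
}

# Shows the loaded table for verification after applying.
show_engine_ruleset() {
    nft list table inet engine_guard
}

# Demonstration: print the generated ruleset without applying it.
engine_ruleset "$PROXY_IP" "$ENGINE_PORTS"
```

Call `apply_engine_ruleset` as root on the engine host, then verify with `show_engine_ruleset` and with a connection attempt from a machine other than the proxy, which must now time out or be refused. If the proxy is reached through NAT or there are several proxy instances, list each source address that the engine actually sees; with iptables the equivalent is an `ACCEPT` rule matching `-s <proxy> -p tcp --dport <port>` followed by a `DROP` rule for the same ports.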