I don't *think* that's possible, but I am interested in what Time has to
say, as he knows approximately 1000x more than I do about APEX and how to
configure and deploy it. :-)
-Mark
On Wed, Jun 19, 2019 at 5:42 PM Jeff Chirco <backseatdba@xxxxxxxxx> wrote:
Thanks Tim this was helpful and is similar to what we are planing on doing
minus the docker portion.
But I am still confused how to seperate an APEX application within same
database. Say I have 1 database running APEX and I have a Workspace with
Application "A" and Application 'B". App "A" we want available on the Web
but App "B" we only want to be access from our internal network?
On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim@xxxxxxxxxxxxxxx> wrote:
What we do:
- We have load balancers (F5 Big IP) that act as a proxy (
my-app.example.com -> server1.example.com) and also provides SSL
Termination (the real certificates are on the load balancer). It then
re-encrypts traffic to send to the actual server. The actual server (docker
container) just uses a self-signed certificate, because it's internal
traffic only. The load balancer is in a "web zone" of the network.
- Each functional area (roughly per database) has its own Tomcat+ORDS
running inside a Docker Container. Each container is exposed on a different
port. This sits in an "application server" network zone. A real firewall
provides point-to-point rules, as well as the local firewall on the servers
(that host the containers). This means a specific alias is DNSed to a
specific VIP on the load balancers, which is routed to the relevant pool of
servers. Comms from the load balancer use a specific SNAT per service
(sometimes groups of services), which can talk to a specific port on the
destination server(s). There is no cross-site-scripting possible.
- Connections from Tomcat+ORDS to the database use Native Network
Encryption. The databases are kept in a separate database zone of the
network.
The net result, assuming we've not made mistakes of course :), is that
any specific alias "my-app.example.com" can be made available
externally, campus/company only or available to individuals without
allowing access to other services. In ORDS is pretty lightweight, so we can
pile a bunch of these containers on each server.
We *never* allow direct access to any application server, and rarely
allow direct access to a web server. It always goes via a load balancer,
even if there is no load balancing required. It just makes certificate
management, proxying and error management a lot easier to do it that way.
I'm sure people will come up with a bunch of different solutions, but
that's what we do. :)
Cheers
Tim...
On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba@xxxxxxxxx>
wrote:
We are working on getting our first APEX application up and running with
Tomcat/ORDS running on a separate server from the database. The database
that this runs on is a multi-purpose database and we are planning on having
many different APEX applications in it. Some we will want to have
externally available from our network while others we only want to be
accessible from inside our network. What are some suggestions to achieve
this? Just let the network guys create rules if this URL then allow or
not allow? Or something better?
Thanks,
Jeff
