It's really easy to do this using nginx too, and to add upstream SSL. In
fact, I'd recommend using it over apache these days.
Cheers,
Phil
On Thu, Jun 20, 2019 at 8:39 AM Tim Hall <tim@xxxxxxxxxxxxxxx> wrote:
Somehow people believe I know something about APEX. :)
I think Mark is correct from an APEX perspective. Ultimately, if it gets
to the same database, it will be capable of accessing the application URL.
For example, I don't believe (cringe as I don't really know) APEX can
prevent you altering the number of the application using the same base URL.
https://my-app.example.com/ords/f?p=100 ;(the app I present to them)
https://my-app.example.com/ords/f?p=101 ;(they guess this to get to
another application)
But I absolutely can control this in my load balancer. In an iRule I check
what host was requested "my-app.example.com" and I test for a valid URI
containing "f?p=100". If that's not present, the request gets directed to a
error page. So the load balancer is preventing the cross site scripting.
You can do exactly the same thing in Apache, but it's been a while so I
would have to Google a solution. :) I remember having to do it to prevent
cross site scripting of mod_plsql stuff back in the day before we started
to use APEX.
We have a company policy that the load balancer shouldn't be used as a
firewall, but it can be used to prevent this cross-site stuff.
Presumably your APEX applications have authentication also, so getting to
the URL still requires authentication to be able to use the application...
Cheers
Tim...
On Wed, Jun 19, 2019 at 11:34 PM Mark J. Bobak <mark@xxxxxxxxx> wrote:
I don't *think* that's possible, but I am interested in what Time has to
say, as he knows approximately 1000x more than I do about APEX and how to
configure and deploy it. :-)
-Mark
On Wed, Jun 19, 2019 at 5:42 PM Jeff Chirco <backseatdba@xxxxxxxxx>
wrote:
Thanks Tim this was helpful and is similar to what we are planing on
doing minus the docker portion.
But I am still confused how to seperate an APEX application within same
database. Say I have 1 database running APEX and I have a Workspace with
Application "A" and Application 'B". App "A" we want available on the Web
but App "B" we only want to be access from our internal network?
On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim@xxxxxxxxxxxxxxx> wrote:
What we do:
- We have load balancers (F5 Big IP) that act as a proxy (
my-app.example.com -> server1.example.com) and also provides SSL
Termination (the real certificates are on the load balancer). It then
re-encrypts traffic to send to the actual server. The actual server (docker
container) just uses a self-signed certificate, because it's internal
traffic only. The load balancer is in a "web zone" of the network.
- Each functional area (roughly per database) has its own Tomcat+ORDS
running inside a Docker Container. Each container is exposed on a different
port. This sits in an "application server" network zone. A real firewall
provides point-to-point rules, as well as the local firewall on the servers
(that host the containers). This means a specific alias is DNSed to a
specific VIP on the load balancers, which is routed to the relevant pool of
servers. Comms from the load balancer use a specific SNAT per service
(sometimes groups of services), which can talk to a specific port on the
destination server(s). There is no cross-site-scripting possible.
- Connections from Tomcat+ORDS to the database use Native Network
Encryption. The databases are kept in a separate database zone of the
network.
The net result, assuming we've not made mistakes of course :), is that
any specific alias "my-app.example.com" can be made available
externally, campus/company only or available to individuals without
allowing access to other services. In ORDS is pretty lightweight, so we can
pile a bunch of these containers on each server.
We *never* allow direct access to any application server, and rarely
allow direct access to a web server. It always goes via a load balancer,
even if there is no load balancing required. It just makes certificate
management, proxying and error management a lot easier to do it that way.
I'm sure people will come up with a bunch of different solutions, but
that's what we do. :)
Cheers
Tim...
On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba@xxxxxxxxx>
wrote:
We are working on getting our first APEX application up and running
with Tomcat/ORDS running on a separate server from the database. The
database that this runs on is a multi-purpose database and we are planning
on having many different APEX applications in it. Some we will want
to have externally available from our network while others we only want to
be accessible from inside our network. What are some suggestions to
achieve
this? Just let the network guys create rules if this URL then allow
or not allow? Or something better?
Thanks,
Jeff
