Reverse Proxy

The purpose of a reverse proxy (or frontend web server) is to provide a single point of entry for one or more services from outside the network. The reverse proxy receives all requests from the clients and forwards them to the Axon Ivy Engine which handles them. This allows to integrate the processes and applications that you are running on an Axon Ivy Engine into a company or web portal. The use of a reverse proxy provides more security. The reverse proxy can and must be updated at any time to receive the latest security updates, because this is also the entry point for attackers. In addition, access to critical resources such as the Engine Cockpit can be blocked.

We always recommend to run a productive Axon Ivy Engine behind a reverse proxy. You should terminate the SSL traffic (HTTPS) on the reverse proxy and let the reverse proxy communicate with the Axon Ivy Engine over plain HTTP, because the setup is more easy and this will also increase the performance.

It’s still possible to use AJP as the protocol between the reverse proxy and the Axon Ivy Engine, but this is deprecated and will be removed in future versions of Axon Ivy Engine. Start using HTTP or HTTPS instead of AJP.


digraph overview {
  browser [ label="Browser", pos = "0,2.5!", width="1.3" height="0.8"];
  reverseproxy [ label="Reverse\nProxy", pos="3,2.5!" width="1.3" height="0.8"]
  engine [label="Axon Ivy\nEngine", pos="6,2.5!", height="0.8", width="1.3", color="#C7D426", fontcolor="black"];
  
  browser -> reverseproxy [ label="HTTPS"];
  reverseproxy -> engine [ label="HTTP\nHTTPS" ];
}

We have described how to integrate the Axon Ivy Engine with the following reverse proxy servers:

Read carefully how to improve security by restricting the access to an Axon Ivy Engine when using a reverse proxy. Some reverse proxy servers provides Single Sign-on (SSO) functionality. The reverse proxy then is responsible to authenticate the user.

The Engine Cockpit is providing web server view for debugging purpose while integrating a reverse proxy.


Base URL

Beside the setup of the reverse proxy itself you always need to configure the base url in the ivy.yaml. The Axon Ivy Engine will use this configuration to create absolute links that are accessible to clients (e.g. for links in task mails).

# sample ivy.yaml that configures the base url for clients.
# https://acme.com will be the absolute URL prefix for links generated by Axon Ivy Engine.
BaseUrl: https://acme.com