Port

It is very important that only the reverse proxy (and, for administration purposes, trusted administrators) can communicate with the Axon Ivy Engine, especially when Single Sign-on is activated: the engine then trusts the authentication information supplied by the reverse proxy, so a client that can reach the engine directly could bypass the authentication enforced by the proxy. Nobody else should be able to connect directly to the Axon Ivy Engine over its connector ports, e.g. 8080, 8443 or 8009, from the outside. How to configure this properly depends on the setup.

Same host

If the reverse proxy and the Axon Ivy Engine run on the same host:


digraph overview {
  browser [ label="Browser", pos = "0,2.5!", width="1.3" height="0.6"];
  reverseproxy [ label="Reverse\nProxy", pos="3,2.5!" width="1.3" height="0.6"]
  engine [label="Axon Ivy\nEngine", pos="6,2.5!", height="0.6", width="1.3", color="#C7D426", fontcolor="black"];

  host [ label="Host",pos = "4.5,2.6!" width=4.8 height=1.6 style="dotted" fontcolor="black" labelloc="t"];
  
  browser -> reverseproxy [ label="HTTPS"];
  reverseproxy -> engine [ label="HTTP\nHTTPS" ];
}

Then you only need to bind the connector (the protocol used between the reverse proxy and the Axon Ivy Engine) to localhost. For example, when using HTTP you need to bind the HTTP connector to localhost; the same applies to the HTTPS connector. This ensures that the Axon Ivy Engine accepts connections only from processes on the same host. Keep in mind that this still includes every local user of that host, not only the reverse proxy and the administrators, and verify after a restart (e.g. with `ss -ltn`) that the connector ports are listed on a loopback address only.

# example to bind the HTTP connector to localhost
Connector:
  HTTP:
    Address: localhost
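The following script is an added example and not part of the Axon Ivy documentation or product. It verifies the result of the configuration above: it reads the output of `ss -ltn` (Linux, iproute2) and reports any of the connector ports mentioned on this page (8080, 8443, 8009) that are bound to something other than a loopback address. The `ss` output embedded in the script is constructed sample data for offline use.

```shell
#!/bin/sh
# Added example (not part of the Axon Ivy documentation): check that the
# Axon Ivy Engine connector ports are bound to a loopback address only.
# Assumes Linux with `ss` from iproute2. The port list matches the
# connectors mentioned on this page (HTTP 8080, HTTPS 8443, AJP 8009).

ENGINE_PORTS="8080 8443 8009"

# Reads `ss -ltn` output from stdin (a header line is tolerated) and prints
# every listening socket on an engine port that is NOT bound to loopback.
# Returns 0 when all engine ports are loopback-only, 1 otherwise.
check_engine_bind() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        port="${laddr##*:}"          # text after the last colon
        addr="${laddr%:*}"           # text before the last colon
        for p in $ENGINE_PORTS; do
            if [ "$port" = "$p" ]; then
                case "$addr" in
                    127.0.0.1|'[::1]'|localhost) ;;          # loopback: fine
                    *) echo "EXPOSED: $laddr"; found=1 ;;    # 0.0.0.0, [::], *, or a NIC address
                esac
            fi
        done
    done
    return $found
}

# Run the check against the live system.
check_live() {
    ss -ltn | check_engine_bind
}

# Constructed sample output: HTTP is correctly bound to 127.0.0.1, while the
# HTTPS and AJP connectors are still listening on all interfaces.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    127.0.0.1:8080    0.0.0.0:*
LISTEN 0      100    0.0.0.0:8443      0.0.0.0:*
LISTEN 0      100    [::]:8009         [::]:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Run the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_engine_bind
}
```

Run `check_live` on the engine host after restarting the engine; a non-zero exit code together with `EXPOSED:` lines means a connector is still reachable from the network and its `Address` setting needs to be fixed. Port 22 in the sample is ignored because it is not an engine connector.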

Different Host

If the reverse proxy and the Axon Ivy Engine run on two different hosts:


digraph overview {
  browser [ label="Browser", pos = "0,2.5!", width="1.3" height="0.6"];
  reverseproxy [ label="Reverse\nProxy", pos="3,2.5!" width="1.3" height="0.6"]
  engine [label="Axon Ivy\nEngine", pos="6,2.5!", height="0.6", width="1.3", color="#C7D426", fontcolor="black"];

  hostProxy [ label="Host Reverse Proxy",pos = "3.0,2.6!" height=1.4 style="dotted" fontcolor="black" labelloc="t"];
  hostEngine [ label="Host Axon Ivy Engine",pos = "6.0,2.6!" height=1.4 style="dotted" fontcolor="black" labelloc="t"];
  
  browser -> reverseproxy [ label="HTTPS"];
  reverseproxy -> engine [ label="HTTP\nHTTPS" ];
}

You can do this with one of the following approaches:

  1. Configure your network so that only the reverse proxy can communicate with the Axon Ivy Engine, for example by placing the engine host in a network segment that clients cannot reach.

  2. Set up a firewall rule on the Axon Ivy Engine host which blocks all requests to the connector ports (e.g. 8080, 8443 or 8009) from any IP address other than that of the reverse proxy.

In both cases, bind the connector to the internal address of the engine host via the `Address` setting shown above instead of leaving it listening on all interfaces, so that a misconfigured network or firewall does not immediately expose the engine.