Path
We recommend to provide only your ivy applications trough the reverse proxy. The
Axon Ivy Engine makes it easy to do that, because all URLs of an application
comes at the root together. For example: If your application is named
demo-app
. Then you only need to allow access for the url
https://ivyengine/demo-app
.
Restrict system access
The Axon Ivy Engine itself provides administration functionally under the base
url system
e.g. https://ivyengine/system
. Do not allow or
explicit restrict the access to this url in your reverse proxy configuration.
Well appreciated redirect
A redirect from the root url /
to your application home url will be much
appreciated by your end users. E.g. when a user is accessing
https://ivyengine/
then they should be redirected to
https://ivyengine/demo-app
.
Examples
The configuration examples for NGINX and for Apache http follows all these recommendations. The provided configuration script for Microsoft IIS routes all traffic to the Axon Ivy Engine. We recommend to only route specific applications by manually modifing the rules in URL Rewrite.
Block URLs on the Axon Ivy Engine
Alternatively, URLs can also be blocked directly on the Axon Ivy Engine which
utilizes and underlying Apache Tomcat for serving HTTP requests. Open the
web.xml file in [engineDir]/configuration/
and add the following
configuration inside the <web-app>
tag to block system access:
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<web-app>
3 ...
4 <security-constraint>
5 <display-name>Restrict access to system</display-name>
6 <web-resource-collection>
7 <web-resource-name>System</web-resource-name>
8 <url-pattern>/system/*</url-pattern>
9 </web-resource-collection>
10 <auth-constraint />
11 </security-constraint>
12 ...
13</web-app>
After changing the configuration restart the Axon Ivy Engine.