Path

We recommend to provide only your ivy applications trough the reverse proxy. The Axon Ivy Engine makes it easy to do that, because all URLs of an application comes at the root together. For example: If your application is named demo-app. Then you only need to allow access for the url https://ivyengine/demo-app.

Restrict system access

The Axon Ivy Engine itself provides administration functionally under the base url system e.g. https://ivyengine/system. Do not allow or explicit restrict the access to this url in your reverse proxy configuration.

Well appreciated redirect

A redirect from the root url / to your application home url will be much appreciated by your end users. E.g. when a user is accessing https://ivyengine/ then they should be redirected to https://ivyengine/demo-app.

Examples

The configuration examples for NGINX and for Apache http follows all these recommendations. The provided configuration script for Microsoft IIS routes all traffic to the Axon Ivy Engine. We recommend to only route specific applications by manually modifing the rules in URL Rewrite.

Block URLs on the Axon Ivy Engine

Alternatively, URLs can also be blocked directly on the Axon Ivy Engine which utilizes and underlying Apache Tomcat for serving HTTP requests. Open the web.xml file in [engineDir]/configuration/ and add the following configuration inside the <web-app> tag to block system access:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
   ...
    <security-constraint>
      <display-name>Restrict access to system</display-name>
        <web-resource-collection>
          <web-resource-name>System</web-resource-name>
          <url-pattern>/system/*</url-pattern>
        </web-resource-collection>
      <auth-constraint />
    </security-constraint>
   ...
</web-app>

After changing the configuration restart the Axon Ivy Engine.