Recently we configured an Apache HTTP Server as a reverse proxy in front of an Axon.ivy Engine and fell into some pitfalls 💩.
What is a reverse proxy?
The purpose of a reverse proxy (or frontend web server) is to provide a single point of entry for one or more services from outside the network. The reverse proxy receives all requests from the clients and forwards them to the Axon.ivy Engine, which handles them. This allows you to integrate the processes and applications that you are running on an Axon.ivy Engine into a company or web portal.
Why should I use a reverse proxy?
The reverse proxy is the entry point - increased security applies here 👮! You always want to have this infrastructure component running with the latest security patches! And the release cycle of an Axon.ivy Engine does not allow this! In addition, it is possible to control exactly which pages of the Axon.ivy Engine should be accessible for the clients.
What is recommended?
I personally use NGINX, which is known as a smart, secure and fast reverse proxy, but in the end the choice doesn't matter so much. What we always recommend is that clients communicate via HTTPS up to the reverse proxy and that SSL (HTTPS) is terminated on the reverse proxy. Let the reverse proxy communicate with the Axon.ivy Engine via HTTP. This simplifies the setup and increases performance 🏎, because the Axon.ivy Engine does not have to encrypt and decrypt the data.
Also make sure that access to the Axon.ivy Engine is exclusive: only the reverse proxy should have access, especially in a single sign-on setup. However, administrators may still need direct access to reach system tools like the engine cockpit.
Pitfalls we struggled with
When configuring the reverse proxy, some settings must be set correctly. If this is not the case, it can happen that the Axon.ivy Engine sends wrong redirects to the browser 🤯. For Apache, for example, we had to set this correctly:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
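A simplified model of why these two headers matter, as an added example that is not Axon.ivy or Apache code: a backend behind a TLS-terminating proxy only sees plain HTTP on its own port, so it builds wrong redirect URLs unless the proxy tells it the external scheme and port, and it should believe those headers only when the request really comes from the proxy. The function names, the proxy address `10.0.0.5`, the backend port `8080`, the host name and the `/login` path are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values, not taken from the article.
TRUSTED_PROXIES = {"10.0.0.5"}               # address of the reverse proxy
DEFAULT_PORTS = {"http": 80, "https": 443}
BACKEND_SCHEME, BACKEND_PORT = "http", 8080  # assumed plain-HTTP listener


def external_origin(peer_ip, headers):
    """Derive (scheme, host, port) as the browser saw them."""
    host = urlsplit("//" + headers.get("Host", "localhost")).hostname
    scheme, port = BACKEND_SCHEME, BACKEND_PORT
    # Honour forwarded headers only from the proxy itself; a client that can
    # reach the backend directly could otherwise claim any scheme or port.
    if peer_ip in TRUSTED_PROXIES:
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if proto in DEFAULT_PORTS:
            scheme, port = proto, DEFAULT_PORTS[proto]
        fwd_port = headers.get("X-Forwarded-Port", "")
        if fwd_port.isascii() and fwd_port.isdigit() and 0 < int(fwd_port) < 65536:
            port = int(fwd_port)
    return scheme, host, port


def redirect_location(peer_ip, headers, path):
    """Build the absolute Location header for a redirect to `path`."""
    scheme, host, port = external_origin(peer_ip, headers)
    if ":" in host:                          # IPv6 literal needs brackets again
        host = f"[{host}]"
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


if __name__ == "__main__":
    base = {"Host": "portal.example.com"}
    fixed = {**base, "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    print(redirect_location("10.0.0.5", base, "/login"))      # headers missing
    print(redirect_location("10.0.0.5", fixed, "/login"))     # headers set by proxy
    print(redirect_location("203.0.113.9", fixed, "/login"))  # direct client, ignored
```

The first and third calls produce a redirect to the internal HTTP port, which is the wrong redirect a browser would receive; only the second yields the external HTTPS URL.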
We have now fully documented the reverse proxy configuration for Apache and NGINX 🤙:
In addition, the docker 🐳 samples have also been adapted accordingly: