Use NGINX or Apache http as reverse proxy for Axon.ivy Engine

Alexander Suter

Recently we configured an Apache http as reverse proxy in front of an Axon.ivy Engine and fell into some pitfalls 💩.

What is a reverse proxy?
The purpose of a reverse proxy (or frontend web server) is to provide a single point of entry for one or more services from outside the network. The reverse proxy receives all requests from the clients and forwards them to the Axon.ivy Engine which handles them. This allows to integrate the processes and applications that you are running on an Axon.ivy Engine into a company or web portal.

Why should I use a reverse proxy?
The reverse proxy is the entry point - increased security applies here 👮! You always want to have this infrastructure component running with the latest security patches! And the release cycle of an Axon.ivy Engine does not allow this! In addition, it is possible to control exactly which pages of the Axon.ivy Engine should be accessible for the clients.

What is recommended?
I personally use NGINX as a reverse proxy. Known as a smart, secure and fast reverse proxy. But in the end this doesn't matter so much. But we always recommend that the clients communicate with HTTPS up to the reverse proxy and to terminate SSL (HTTPS) on the reverse proxy. Let the reverse proxy communicate with the Axon.ivy Engine via HTTP. This leads to a simplified setup and increases the performance 🏎 if the Axon.ivy Engine does not have to encrypt and decrypt the data.

Secure setup
Also make sure that access to the Axon.ivy Engine is exclusive. Only the reverse proxy should have access especially within an single sign on setup. However, administrators may should have direct access to access system tools like the engine cockpit.

Pitfalls we struggled in
When configuring the reverse proxy, some settings must be set correctly. If this is not the case, it can happen that the Axon.ivy Engine sends wrong redirects to the browser 🤯. For Apache, for example, we had to set this correctly:

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https".
RequestHeader set X-Forwarded-Port "443".

We have now fully documented the reverse proxy configuration for Apache and NGINX 🤙:
https://developer.axonivy.com/doc/dev/engine-guide/integration/reverse-proxy/index.html

In addition, the docker 🐳 samples have also been adapted accordingly:
https://github.com/ivy-samples/docker-samples

Christian Strebel

Check your Reverse-Proxy Settings

You can check the Reverse-Proxy configuration on the Web Server Settings page in the Engine Cockpit:

Please check the Evaluated URL. It should be the same as the URL you see in the browser navigation (including scheme, host, port, ...).

If something is miss configured in your Reverse-Proxy you should see it here.
Most of the time one of this HTTP header was not correctly set by your Reverse-Proxy:

Host
Upgrade
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Proto
X-Forwarded-Ssl
X-Real-IP

To see the actual values of all HTTP Headers just click on Show Headers.