Re: APEX externally available question
Date: Wed, 19 Jun 2019 14:41:19 -0700
Message-ID: <CAKsxbLpr15yrpip1pqONa8oEQ8Zqtsy62Usbj9X7fXSA_0tVeA_at_mail.gmail.com>
Thanks Tim this was helpful and is similar to what we are planning on doing
minus the docker portion.

But I am still confused how to separate an APEX application within the same
database. Say I have 1 database running APEX and I have a Workspace with
Application "A" and Application "B". App "A" we want available on the Web
but App "B" we only want to be accessed from our internal network?

On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim_at_oracle-base.com> wrote:
> What we do:
>
> - We have load balancers (F5 Big IP) that act as a proxy (
> my-app.example.com -> server1.example.com) and also provides SSL
> Termination (the real certificates are on the load balancer). It then
> re-encrypts traffic to send to the actual server. The actual server (docker
> container) just uses a self-signed certificate, because it's internal
> traffic only. The load balancer is in a "web zone" of the network.
> - Each functional area (roughly per database) has its own Tomcat+ORDS
> running inside a Docker Container. Each container is exposed on a different
> port. This sits in an "application server" network zone. A real firewall
> provides point-to-point rules, as well as the local firewall on the servers
> (that host the containers). This means a specific alias is DNSed to a
> specific VIP on the load balancers, which is routed to the relevant pool of
> servers. Comms from the load balancer use a specific SNAT per service
> (sometimes groups of services), which can talk to a specific port on the
> destination server(s). There is no cross-site-scripting possible.
> - Connections from Tomcat+ORDS to the database use Native Network
> Encryption. The databases are kept in a separate database zone of the
> network.
>
> The net result, assuming we've not made mistakes of course :), is that any
> specific alias "my-app.example.com" can be made available externally,
> campus/company only or available to individuals without allowing access to
> other services. ORDS is pretty lightweight, so we can pile a bunch of
> these containers on each server.
>
> We *never* allow direct access to any application server, and rarely allow
> direct access to a web server. It always goes via a load balancer, even if
> there is no load balancing required. It just makes certificate management,
> proxying and error management a lot easier to do it that way.
>
> I'm sure people will come up with a bunch of different solutions, but
> that's what we do. :)
>
> Cheers
>
> Tim...
>
> On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba_at_gmail.
>
>> We are working on getting our first APEX application up and running with
>> Tomcat/ORDS running on a separate server from the database. The database
>> that this runs on is a multi-purpose database and we are planning on having
>> many different APEX applications in it. Some we will want to have
>> externally available from our network while others we only want to be
>> accessible from inside our network. What are some suggestions to achieve
>> this? Just let the network guys create rules if this URL then allow or
>> not allow? Or something better?
>>
>> Thanks,
>> Jeff
>>
>
-- http://www.freelists.org/webpage/oracle-l
Received on Wed Jun 19 2019 - 23:41:19 CEST
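The alias-per-exposure pattern Tim describes (one DNS alias per exposure, terminated on a proxy, forwarded to a Tomcat+ORDS pool over TLS) can be sketched with nginx in place of the F5. The configuration below is an added example written for this thread; it is not Tim's or Jeff's configuration. The hostnames, the ORDS upstream `ords-host:8443`, the internal range `10.0.0.0/8`, the certificate paths and the APEX application ids (100 for app "A", 200 for app "B") are all assumed values. It answers Jeff's follow-up: two apps in the same workspace and database get different reachability by giving each exposure its own alias and filtering the `p` parameter of the classic `f?p=APP:PAGE:SESSION` URL on the external alias.

```nginx
# Added example, not from the thread. Assumed values: app "A" = APEX app 100,
# app "B" = APEX app 200, campus network = 10.0.0.0/8, ORDS on ords-host:8443.

# Extract the application id or alias from f?p=APP:PAGE:SESSION:...
map $arg_p $apex_app {
    "~^(?<app>[^:]+)(:|$)"  $app;
    default                 "";
}

upstream ords_pool {
    # Tomcat+ORDS container; uses a self-signed certificate behind the proxy
    server ords-host:8443;
}

# External alias: reachable from the Internet, but only application A.
server {
    listen 443 ssl;
    server_name my-app.example.com;
    ssl_certificate     /etc/nginx/certs/my-app.example.com.crt;   # real cert lives here
    ssl_certificate_key /etc/nginx/certs/my-app.example.com.key;

    # APEX static files (images, JS, CSS) are served under /i/ by ORDS.
    location /i/ {
        proxy_pass https://ords_pool;
        proxy_ssl_verify off;   # self-signed on the internal hop, as in the thread
    }

    location /ords/ {
        # Reject any request that is not for application A (id 100).
        if ($apex_app != "100") { return 403; }
        proxy_pass https://ords_pool;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / { return 404; }
}

# Internal alias: both applications, but only from the campus network.
server {
    listen 443 ssl;
    server_name my-app-internal.example.com;
    ssl_certificate     /etc/nginx/certs/my-app-internal.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/my-app-internal.example.com.key;

    allow 10.0.0.0/8;   # internal network only
    deny  all;

    location /i/ {
        proxy_pass https://ords_pool;
        proxy_ssl_verify off;
    }

    location /ords/ {
        proxy_pass https://ords_pool;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two points worth checking in a real deployment: the `map` accepts an application alias as well as a numeric id, so if app "B" is given an alias the external block still rejects it, but an id or alias is not a secret, so the APEX authentication scheme on each application remains the access control that actually matters, with the proxy rule acting as the network-layer layer Tim describes. And the `deny all` on the internal alias only works if the proxy sees the true client address; if another load balancer sits in front, the check has to be made on the forwarded address there instead.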