Re: APEX externally available question

From: Mark J. Bobak <mark_at_bobak.net>
Date: Wed, 19 Jun 2019 18:34:08 -0400
Message-ID: <CAFQ5ACKea4dCncF3kXa9HhS8tNoKNzbwxErDjg0r-GYtSf8OEg_at_mail.gmail.com>

I don't *think* that's possible, but I am interested in what Tim has to say, as he knows approximately 1000x more than I do about APEX and how to configure and deploy it. :-)

-Mark

On Wed, Jun 19, 2019 at 5:42 PM Jeff Chirco <backseatdba_at_gmail.com> wrote:

> Thanks Tim this was helpful and is similar to what we are planning on doing
> minus the docker portion.
> But I am still confused how to separate an APEX application within same
> database. Say I have 1 database running APEX and I have a Workspace with
> Application "A" and Application "B". App "A" we want available on the Web
> but App "B" we only want to be accessed from our internal network?
>
> On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim_at_oracle-base.com> wrote:
>
>> What we do:
>>
>> - We have load balancers (F5 Big IP) that act as a proxy (
>> my-app.example.com -> server1.example.com) and also provides SSL
>> Termination (the real certificates are on the load balancer). It then
>> re-encrypts traffic to send to the actual server. The actual server (docker
>> container) just uses a self-signed certificate, because it's internal
>> traffic only. The load balancer is in a "web zone" of the network.
>> - Each functional area (roughly per database) has its own Tomcat+ORDS
>> running inside a Docker Container. Each container is exposed on a different
>> port. This sits in an "application server" network zone. A real firewall
>> provides point-to-point rules, as well as the local firewall on the servers
>> (that host the containers). This means a specific alias is DNSed to a
>> specific VIP on the load balancers, which is routed to the relevant pool of
>> servers. Comms from the load balancer use a specific SNAT per service
>> (sometimes groups of services), which can talk to a specific port on the
>> destination server(s). There is no cross-site-scripting possible.
>> - Connections from Tomcat+ORDS to the database use Native Network
>> Encryption. The databases are kept in a separate database zone of the
>> network.
>>
>> The net result, assuming we've not made mistakes of course :), is that
>> any specific alias "my-app.example.com" can be made available
>> externally, campus/company only or available to individuals without
>> allowing access to other services. ORDS is pretty lightweight, so we can
>> pile a bunch of these containers on each server.
>>
>> We *never* allow direct access to any application server, and rarely
>> allow direct access to a web server. It always goes via a load balancer,
>> even if there is no load balancing required. It just makes certificate
>> management, proxying and error management a lot easier to do it that way.
>>
>> I'm sure people will come up with a bunch of different solutions, but
>> that's what we do. :)
>>
>> Cheers
>>
>> Tim...
>>
>> On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba_at_gmail.com>
>> wrote:
>>
>>> We are working on getting our first APEX application up and running with
>>> Tomcat/ORDS running on a separate server from the database. The database
>>> that this runs on is a multi-purpose database and we are planning on having
>>> many different APEX applications in it. Some we will want to have
>>> externally available from our network while others we only want to be
>>> accessible from inside our network. What are some suggestions to achieve
>>> this? Just let the network guys create rules if this URL then allow or
>>> not allow? Or something better?
>>>
>>> Thanks,
>>> Jeff
>>>
>>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jun 20 2019 - 00:34:08 CEST
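An added illustration of the proxy layer Tim describes above, not part of this thread and not his F5 configuration: an nginx reverse proxy standing in for the load balancer in the "web zone", terminating TLS with the real certificate, re-encrypting to a Tomcat+ORDS container that only carries a self-signed certificate, and exposing one alias externally while a second alias is limited to internal address ranges. Hostnames, ports, certificate paths and network ranges are assumptions.

```nginx
# Added example, not the list's or Tim's configuration. Every hostname,
# port, path and network range below is an assumed placeholder.

# External alias: reachable from anywhere, TLS terminated on the proxy.
server {
    listen 443 ssl;
    server_name my-app.example.com;                 # assumed public alias

    ssl_certificate     /etc/nginx/certs/my-app.example.com.crt;  # real cert lives here
    ssl_certificate_key /etc/nginx/certs/my-app.example.com.key;

    location / {
        # Re-encrypt to the Tomcat+ORDS container. It only has a self-signed
        # certificate, so verification is disabled for this internal hop.
        proxy_pass https://server1.example.com:8443;          # assumed container port
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Internal-only alias: same proxying, but only the campus/company ranges
# may connect; every other source address receives 403.
server {
    listen 443 ssl;
    server_name internal-app.example.com;           # assumed internal alias

    ssl_certificate     /etc/nginx/certs/internal-app.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/internal-app.example.com.key;

    allow 10.0.0.0/8;        # assumed company network
    allow 192.168.0.0/16;    # assumed campus network
    deny  all;

    location / {
        proxy_pass https://server1.example.com:8444;          # assumed second container
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Catch-all: drop connections that do not present one of the known aliases,
# so the backend is only reachable through a published alias.
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/certs/default.crt;          # assumed placeholder cert
    ssl_certificate_key /etc/nginx/certs/default.key;
    return 444;
}
```

The point-to-point firewall rules Tim mentions still belong on the network and host firewalls; the `allow`/`deny` here is an application-layer check on the proxy, not a replacement for them.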
