Re: APEX externally available question

From: <niall.litchfield_at_gmail.com>
Date: Thu, 20 Jun 2019 10:06:21 +0100
Message-ID: <CABe10sbUcuDKte34RcFswPe=xafvRNnJbbC9wmAt3XS42SuSdw_at_mail.gmail.com>



That's correct, you can do smart mapping in ords using the map-url feature https://docs.oracle.com/cd/E56351_01/doc.30/e87809/configuring-REST-data-services.htm#AELIG7191 but
it still maps to a single workspace. I think you would either need to move the app to a new workspace, implement a proxy/load balancer which is probably the right thing to do, or handle it via application authorisation in apex (so they can guess the entry point as per Tim's example but they'd still need to authenticate.

On Wed, Jun 19, 2019 at 11:35 PM Mark J. Bobak <mark_at_bobak.net> wrote:

> I don't *think* that's possible, but I am interested in what Time has to
> say, as he knows approximately 1000x more than I do about APEX and how to
> configure and deploy it. :-)
>
> -Mark
>
> On Wed, Jun 19, 2019 at 5:42 PM Jeff Chirco <backseatdba_at_gmail.com> wrote:
>
>> Thanks Tim this was helpful and is similar to what we are planing on
>> doing minus the docker portion.
>> But I am still confused how to seperate an APEX application within same
>> database. Say I have 1 database running APEX and I have a Workspace with
>> Application "A" and Application 'B". App "A" we want available on the Web
>> but App "B" we only want to be access from our internal network?
>>
>> On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim_at_oracle-base.com> wrote:
>>
>>> What we do:
>>>
>>> - We have load balancers (F5 Big IP) that act as a proxy (
>>> my-app.example.com -> server1.example.com) and also provides SSL
>>> Termination (the real certificates are on the load balancer). It then
>>> re-encrypts traffic to send to the actual server. The actual server (docker
>>> container) just uses a self-signed certificate, because it's internal
>>> traffic only. The load balancer is in a "web zone" of the network.
>>> - Each functional area (roughly per database) has its own Tomcat+ORDS
>>> running inside a Docker Container. Each container is exposed on a different
>>> port. This sits in an "application server" network zone. A real firewall
>>> provides point-to-point rules, as well as the local firewall on the servers
>>> (that host the containers). This means a specific alias is DNSed to a
>>> specific VIP on the load balancers, which is routed to the relevant pool of
>>> servers. Comms from the load balancer use a specific SNAT per service
>>> (sometimes groups of services), which can talk to a specific port on the
>>> destination server(s). There is no cross-site-scripting possible.
>>> - Connections from Tomcat+ORDS to the database use Native Network
>>> Encryption. The databases are kept in a separate database zone of the
>>> network.
>>>
>>> The net result, assuming we've not made mistakes of course :), is that
>>> any specific alias "my-app.example.com" can be made available
>>> externally, campus/company only or available to individuals without
>>> allowing access to other services. In ORDS is pretty lightweight, so we can
>>> pile a bunch of these containers on each server.
>>>
>>> We *never* allow direct access to any application server, and rarely
>>> allow direct access to a web server. It always goes via a load balancer,
>>> even if there is no load balancing required. It just makes certificate
>>> management, proxying and error management a lot easier to do it that way.
>>>
>>> I'm sure people will come up with a bunch of different solutions, but
>>> that's what we do. :)
>>>
>>> Cheers
>>>
>>> Tim...
>>>
>>> On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba_at_gmail.com>
>>> wrote:
>>>
>>>> We are working on getting our first APEX application up and running
>>>> with Tomcat/ORDS running on a separate server from the database. The
>>>> database that this runs on is a multi-purpose database and we are planning
>>>> on having many different APEX applications in it. Some we will want
>>>> to have externally available from our network while others we only want to
>>>> be accessible from inside our network. What are some suggestions to achieve
>>>> this? Just let the network guys create rules if this URL then allow
>>>> or not allow? Or something better?
>>>>
>>>> Thanks,
>>>> Jeff
>>>>
>>>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jun 20 2019 - 11:06:21 CEST

Original text of this message