Re: APEX externally available question

From: Tim Hall <tim_at_oracle-base.com>
Date: Thu, 20 Jun 2019 08:37:38 +0100
Message-ID: <CAP=5zEgHv7Fa0NJkKrxzDp=kafpzb3hPPSYt9RHj3n7Sww=48A_at_mail.gmail.com>

Somehow people believe I know something about APEX. :)

I think Mark is correct from an APEX perspective. Ultimately, if it gets to the same database, it will be capable of accessing the application URL. For example, I don't believe (cringe as I don't really know) APEX can prevent you altering the number of the application using the same base URL.

https://my-app.example.com/ords/f?p=100     (the app I present to them)
https://my-app.example.com/ords/f?p=101     (they guess this to get to

another application)

But I absolutely can control this in my load balancer. In an iRule I check what host was requested "my-app.example.com" and I test for a valid URI containing "f?p=100". If that's not present, the request gets directed to a error page. So the load balancer is preventing the cross site scripting. You can do exactly the same thing in Apache, but it's been a while so I would have to Google a solution. :) I remember having to do it to prevent cross site scripting of mod_plsql stuff back in the day before we started to use APEX.

We have a company policy that the load balancer shouldn't be used as a firewall, but it can be used to prevent this cross-site stuff.

Presumably your APEX applications have authentication also, so getting to the URL still requires authentication to be able to use the application...

Cheers

Tim...

On Wed, Jun 19, 2019 at 11:34 PM Mark J. Bobak <mark_at_bobak.net> wrote:

> I don't *think* that's possible, but I am interested in what Time has to
> say, as he knows approximately 1000x more than I do about APEX and how to
> configure and deploy it. :-)
>
> -Mark
>
> On Wed, Jun 19, 2019 at 5:42 PM Jeff Chirco <backseatdba_at_gmail.com> wrote:
>
>> Thanks Tim this was helpful and is similar to what we are planing on
>> doing minus the docker portion.
>> But I am still confused how to seperate an APEX application within same
>> database. Say I have 1 database running APEX and I have a Workspace with
>> Application "A" and Application 'B". App "A" we want available on the Web
>> but App "B" we only want to be access from our internal network?
>>
>> On Tue, Jun 18, 2019 at 11:56 PM Tim Hall <tim_at_oracle-base.com> wrote:
>>
>>> What we do:
>>>
>>> - We have load balancers (F5 Big IP) that act as a proxy (
>>> my-app.example.com -> server1.example.com) and also provides SSL
>>> Termination (the real certificates are on the load balancer). It then
>>> re-encrypts traffic to send to the actual server. The actual server (docker
>>> container) just uses a self-signed certificate, because it's internal
>>> traffic only. The load balancer is in a "web zone" of the network.
>>> - Each functional area (roughly per database) has its own Tomcat+ORDS
>>> running inside a Docker Container. Each container is exposed on a different
>>> port. This sits in an "application server" network zone. A real firewall
>>> provides point-to-point rules, as well as the local firewall on the servers
>>> (that host the containers). This means a specific alias is DNSed to a
>>> specific VIP on the load balancers, which is routed to the relevant pool of
>>> servers. Comms from the load balancer use a specific SNAT per service
>>> (sometimes groups of services), which can talk to a specific port on the
>>> destination server(s). There is no cross-site-scripting possible.
>>> - Connections from Tomcat+ORDS to the database use Native Network
>>> Encryption. The databases are kept in a separate database zone of the
>>> network.
>>>
>>> The net result, assuming we've not made mistakes of course :), is that
>>> any specific alias "my-app.example.com" can be made available
>>> externally, campus/company only or available to individuals without
>>> allowing access to other services. In ORDS is pretty lightweight, so we can
>>> pile a bunch of these containers on each server.
>>>
>>> We *never* allow direct access to any application server, and rarely
>>> allow direct access to a web server. It always goes via a load balancer,
>>> even if there is no load balancing required. It just makes certificate
>>> management, proxying and error management a lot easier to do it that way.
>>>
>>> I'm sure people will come up with a bunch of different solutions, but
>>> that's what we do. :)
>>>
>>> Cheers
>>>
>>> Tim...
>>>
>>> On Tue, Jun 18, 2019 at 6:43 PM Jeff Chirco <backseatdba_at_gmail.com>
>>> wrote:
>>>
>>>> We are working on getting our first APEX application up and running
>>>> with Tomcat/ORDS running on a separate server from the database. The
>>>> database that this runs on is a multi-purpose database and we are planning
>>>> on having many different APEX applications in it. Some we will want
>>>> to have externally available from our network while others we only want to
>>>> be accessible from inside our network. What are some suggestions to achieve
>>>> this? Just let the network guys create rules if this URL then allow
>>>> or not allow? Or something better?
>>>>
>>>> Thanks,
>>>> Jeff
>>>>
>>>

--
http://www.freelists.org/webpage/oracle-l

Received on Thu Jun 20 2019 - 09:37:38 CEST

This message: [ Message body ]
Next message: Phillip Jones: "Re: APEX externally available question"
Previous message: Jack van Zanen: "Re: sending a copy of database to vendor"
In reply to Mark J. Bobak: "Re: APEX externally available question"
Next in thread: Phillip Jones: "Re: APEX externally available question"
Reply: Phillip Jones: "Re: APEX externally available question"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message