1 Reply Latest reply: Oct 26, 2011 1:38 PM by joelkallman-Oracle

    internal and external facing applications on same infrastructure

      I'm looking for suggestions on the best way to architect an APEX production environment where you may have two or three apps open to the public and 10 or more for internal access only. All of the apps (regardless of public or private) are running on the same APEX instance, DB, app tier and web tier.

      We are using the APEX Listener on WebLogic for the app tier with an OHS web server and load balancer in front of everything.
      The Load Balancer houses all of our certificates and has the ability to perform iRules to make more friendly urls.
      Our approach is to assign each app (i.e. https://someurl.com/apex/f?p=APPID) a static IP from the load balancer and then firewall public/private based on APPID to prevent internal-only apps from being reached from outside the network.
      Unfortunately the iRule friendly URL rewrite isn't able to mask the APPID in the URL (https://someurl.com/apex/f?p=200), which currently allows anyone to change the APPID parameter of the URL and cycle through all the apps regardless of the firewall rule in place to prevent them from being publicly accessible.
      For example, if we have the following apps deployed and the only one which is allowed open to the internet is app 100, the URL rewrite isn't able to mask the APPID of 100 (or the app alias if used).
      Publicly accessible:
      https://someurl.com/apex/f?p=100

      Internal only access:
      https://somedifferenturl.com/apex/f?p=200
      https://anotherurl.com/apex/f?p=250
      https://subdomain.someurl.com/apex/f?p=300

      I could navigate to the publicly accessible URL https://someurl.com/apex/f?p=100 and change the APPID to one of (200, 250, 300) and still access those apps, which should not be open to the internet.
      From the internet, browsing directly to https://somedifferenturl.com/apex/f?p=200 or https://anotherurl.com/apex/f?p=250 or https://subdomain.someurl.com/apex/f?p=300 would all result in a page not found error since their IPs are not accessible directly from the internet.

      What is the best practice to overcome the above scenario and utilize shared infrastructure for internal and external facing applications? Is mod_rewrite my only other option to accomplish this setup and bypass the load balancer?
        • 1. Re: internal and external facing applications on same infrastructure
          Hi Jeff,

          I'm not sure if this is the ideal recommendation, but I know of a way you could block the "internal-only" applications from being accessed externally.

          1) Create a function which inspects the CGI environment variables, e.g., HTTP_HOST, HTTP_PORT, etc. Using this information, you determine if the request is emanating from an internal server name or an external server name.

          2) Create an authorization scheme which returns FALSE if the host/port/other CGI isn't what you expect.

          3) Apply this authorization scheme to every application you wish to keep from an external site.

          I know this isn't ideal, as you have to add this to every "internal-only" application. And if you forget an application, then this application suddenly becomes available on the Internet. But it's one way. If all of the applications are in the same workspace, you could define this authorization scheme in one application and subscribe to it from the other applications.


          P.S. From SQL Commands, you can see all of the CGI environment variables at your disposal using:
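One way to put the three steps in the reply above into a single PL/SQL unit. This is an added example, not code from the original thread or from Oracle; the package name, the function name and the list of internal host names are assumptions chosen for illustration, and the host names are just the ones quoted in the question.

```sql
-- Added example (not from the original thread). The package and function
-- names, and the list of internal hosts, are assumptions for illustration.
CREATE OR REPLACE PACKAGE app_access_ctl AS
  -- Returns TRUE only when the current request arrived via an internal
  -- server name; intended for an APEX authorization scheme of type
  -- "PL/SQL Function Returning Boolean".
  FUNCTION is_internal_request RETURN BOOLEAN;
END app_access_ctl;
/

CREATE OR REPLACE PACKAGE BODY app_access_ctl AS
  TYPE t_hosts IS TABLE OF VARCHAR2(255);

  -- Server names that only the internal network can reach (assumed list).
  g_internal_hosts CONSTANT t_hosts := t_hosts(
    'somedifferenturl.com',
    'anotherurl.com',
    'subdomain.someurl.com'
  );

  FUNCTION is_internal_request RETURN BOOLEAN IS
    l_host VARCHAR2(255);
  BEGIN
    -- Step 1: read the CGI environment. HTTP_HOST is what the APEX Listener
    -- received in the Host header; normalise case and drop any :port suffix.
    l_host := LOWER(OWA_UTIL.GET_CGI_ENV('HTTP_HOST'));
    l_host := REGEXP_REPLACE(l_host, ':[0-9]+$', '');

    -- Fail closed: no Host header means we cannot tell where it came from.
    IF l_host IS NULL THEN
      RETURN FALSE;
    END IF;

    -- Step 2: only an exact match against the internal list passes.
    FOR i IN 1 .. g_internal_hosts.COUNT LOOP
      IF l_host = g_internal_hosts(i) THEN
        RETURN TRUE;
      END IF;
    END LOOP;
    RETURN FALSE;
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;  -- any error also fails closed
  END is_internal_request;
END app_access_ctl;
/
```

Step 3 is done in Application Builder: create an authorization scheme of type "PL/SQL Function Returning Boolean" whose body is `RETURN app_access_ctl.is_internal_request;`, set it to evaluate once per page view rather than once per session (so a session cannot carry an internal result across to a public host name), and assign it as the application-level authorization scheme of every internal-only application. Two caveats a practitioner would want: the check is only as strong as the load balancer's guarantee that a request reaching the public virtual server carries the public Host header, so the LB or OHS should set or rewrite Host per virtual server rather than passing a client-supplied value through unchanged; and, as the reply notes, an application that is not assigned the scheme is open, so the list of applications should be reviewed whenever one is added.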