Force ORDS to HTTPS
That actually breaks things if they are not using tomcat in https mode. Since ORDS will refuse the http request from nginx.
Since all service requests ended in 403. I had to move it back to <entry key=“security.forceHTTPS”>false</entry> and modify nginx
proxy_set_header Host $http_host;
in the location clause.
After that we where getting correct "href" links.
ps. I also write away the base /ords/ also so that the apex login page is not exposed. i.e. /ords/basepath/ is only accessible as /basepath/ from nginx
hopefully everyone is in HTTPS today
Well, with complex network setups where the frontend and application server are on a closed VPN, you don't really have any snooping. Other than that, I agree, everything should be using https. Even if it's only a self signed certificate.
The original problem description implies that their tomcat is running on http and that the communication from nginx is using http, otherwise the links would be https by default.
One potential approach would be to set the header HSTS.
while this is not changing the response from ORDS your browser will
force to HTTPS.
This assume you have control over the first requesto to your web app and that this is browserland.
Our app terminates TLS at our front end firewalls, we have our own framework on top of ORDS where we control the response object including the pagination array.