This is more an Apache question than an ORDS question, but it is related.
We have a working Apache reverse proxy in front of an ORDS in our OCI VCN. Traffic from the internet for an application is DNS'ed to the reverse proxy; traffic from the LAN is routed through a DRG to the VCN, bypassing the RP.
Let's say we are serving application 165 to the internet. So everything is rewritten to /ords/f?p=165:*****
But now someone can replace 165 with e.g. 4000 and we are in the builder or any other application. This is of course not what we want.
Every other application ID accessed from the RP should be forbidden.
Anyone who knows how to fixate the virtual host in the RP to just application_id 165?
Presumably all your other applications require authentication and you have page access protection, session state protection, etc., in which case it doesn't matter if someone decides to change the URL?
Otherwise, this sounds like an Apache issue - maybe something like LocationMatch to only proxy things that look like 165?
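
The restriction asked about above, sketched as an added example that is not part of the original thread and not configuration from either poster: since the application ID sits in the query string rather than the URL path, the check is written with mod_rewrite against `QUERY_STRING`. Assumptions: the host name `app.example.com` and backend `ords-backend.internal:8080` are placeholders, mod_rewrite and mod_proxy are loaded, and only the `/ords/f?p=` URL form from the question is filtered (other ORDS paths and POST bodies are passed through unchanged, so the application-level protections mentioned in the reply are still needed).

```apache
# Added example. app.example.com and ords-backend.internal are placeholders.
<VirtualHost *:443>
    ServerName app.example.com
    # TLS directives omitted here; keep the ones from your existing vhost.

    RewriteEngine On

    # Rule 1: on /ords/f, refuse any "p" parameter whose application ID
    # is not 165. The negative lookahead is tested against every p=
    # occurrence, so a duplicate p= parameter with another ID is refused
    # too. %3A is the percent-encoded form of the ":" separator.
    RewriteCond %{QUERY_STRING} (^|&)p=(?!165(:|%3A|&|$)) [NC]
    RewriteRule ^/ords/f$ - [F]

    # Rule 2: on /ords/f, refuse requests that carry no p=165 parameter.
    RewriteCond %{QUERY_STRING} !(^|&)p=165(:|%3A|&|$) [NC]
    RewriteRule ^/ords/f$ - [F]

    # Rule 3: on /ords/f, refuse parameter names written with
    # percent-encoding, which the literal "p=" match above cannot see.
    RewriteCond %{QUERY_STRING} (^|&)[^=&]*%[^=&]*= [NC]
    RewriteRule ^/ords/f$ - [F]

    # Requests that pass the rules above are proxied as before.
    ProxyPass        /ords/ http://ords-backend.internal:8080/ords/
    ProxyPassReverse /ords/ http://ords-backend.internal:8080/ords/
</VirtualHost>
```

With these rules `/ords/f?p=165:1` and `/ords/f?p=165%3A1` are proxied, while `/ords/f?p=4000`, `/ords/f?p=1650:1` and `/ords/f?p=165:1&p=4000` get a 403 from the proxy.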