This blog was originally published on Sept 21, 2021.
With recent advancements in Oracle Autonomous Database on Shared Infrastructure (ADB) that enable customers to run applications at a “Vanity URL”, you may be wondering how to block access to Oracle APEX developer and administrator tools at this URL while continuing to expose app runtimes to your users. In this blog post, I will describe optional extensions to the ADB Vanity URL architecture to block certain APEX pages at your Vanity URL while continuing to provide users access to runtime APEX apps.
Prerequisites
You must have a few things in place before proceeding. If you have not already done so, configure a Vanity URL on ADB as described in the blog post Introducing Vanity URLs for APEX and ORDS on Oracle Autonomous Database. The configuration steps below are an addendum to that post.
Confirm that your ADB and Load Balancer are running and reachable. Check the status of ADB and Load Balancer in OCI Console. Verify that ADB is reachable in your Virtual Cloud Network (VCN). Confirm that you can load the APEX Sign In page outside of your VCN at the Vanity URL.
You must also perform one-time APEX setup steps on ADB. Upon completion, you should have an APEX workspace, a developer account with access to the workspace, and at least one app running in the workspace. If you are new to APEX, follow the setup steps described in Get Started with APEX.
Demonstrations in this blog post will use the HRApps workspace, ProjectTasks app, DevUser account, and apex.example.com domain.
Setting a Default APEX App
Initially, your base Vanity URL displays an APEX Sign In page that provides access to developer tools including APEX App Builder, SQL Workshop, and more. This Sign In page also displays a link to APEX Administration Services. Later, you will block access to all such developer and administrator tools at the Vanity URL – but first we must begin by replacing the default Sign In page with a live APEX app.
Step 1 – Pick Default App
In a new browser tab, navigate to the Vanity URL, sign into your APEX workspace, and open App Builder. Review the list of apps deployed in the workspace. If your APEX instance has more than one workspace, sign into the others and review their app lists in App Builder.
You must pick a specific app to display at the base Vanity URL. If your APEX instance has only one app, it should be the default. If your APEX instance has multiple important apps, consider creating a new app with a page containing references and links to these apps and selecting it to be your default. Note that your decision can be changed later if needed. Once you have decided on a default app, drill into this app in App Builder to open it for editing.
Step 2 – Find Application Alias
On your app homepage in App Builder, click Edit Application Properties.
On the Edit Application Definition page, locate Application Alias. Remember this alias because it will be needed later. Note that aliases are not case sensitive. Click Cancel to discard any changes and exit.
Step 3 – Determine App URL
Using the Application Alias from Step #2, determine the Vanity URL for launching your APEX app and displaying its landing page. This URL will have the following format:
https://<domain>/ords/r/<workspace>/<alias>
Example: https://apex.example.com/ords/r/hrapps/projecttasks
Fill in this format with your own domain, workspace, and alias. Verify that you can access the app at this URL. Make note of the full URL before continuing.
Step 4 – Create URL Redirect Rule
Next, you will create a Load Balancer Rule Set that instructs Load Balancer to replace your base Vanity URL page (the APEX Sign In page) with the APEX app that you picked in Step #1. This Rule Set will contain a single server-side URL Redirect Rule that passes requests to the base Vanity URL on to your chosen app.
Start by opening another browser tab, signing into OCI Console, and navigating to your Load Balancer Details page.
Scroll down to Resources, select Rule Sets, and click Create Rule Set.
In the Create Rule Set dialog, give the Rule Set a Name, select Specify URL Redirect Rules, and create a rule for the /ords/ Source Path as shown below. Select Suffix Match in Match Type and HTTPS in Protocol. Enter your Vanity URL domain in Host and your URL path from Step #3 in Path. This path should start with /ords and end with your alias. You can leave the other fields set to their defaults. Click Create when done.
Soon you will see a Work Request Submitted message box. Wait for the displayed Status to change to Succeeded, then click Close to proceed.
Back at Rule Sets, verify that your new Rule Set appears in the list. Note that your rules will not take effect until after the Load Balancer Listener has been updated, which you will do in an upcoming step.
Blocking APEX Tools
It is straightforward to block Vanity URL access to APEX App Builder, SQL Workshop, Administration Services, and other tools by combining Load Balancer Rule Sets with a special feature of APEX. You will create a new Request Header Rule that adds a header to all requests coming through the Load Balancer. You will also set a parameter in APEX that blocks attempts to access developer and administrator tools whenever that header is present.
Step 5 – Create Request Header Rule
At the list of Rule Sets, drill into your new Rule Set to see its Rule Set Details page. Locate the Edit button near the top. Click it to proceed.
In the Edit Rule Set dialog, select Specify Request Header Rules, and create a new rule as shown below. Verify that Add Request Header is selected. Enter a header name in Header (this post uses ADB-Public-Access, which is the same name you will give to the APEX parameter in Step #6) and set its Value to 1. Click Save Changes when done and wait for your Work Request to succeed.
Back at the Rule Set Details page, under Resources, verify that the Request Header Rules count gets incremented by one. Note that your rule will not take effect until after the Load Balancer Listener has been updated.
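The same Rule Set from Steps 4 and 5 can also be created from the OCI CLI. The script below is an added example, not part of the original post or of Oracle's documentation; the load balancer OCID, domain, app path and header name are placeholders, and the JSON field names follow the Load Balancer API's REDIRECT and ADD_HTTP_REQUEST_HEADER rule types as I know them, so compare the generated file with the JSON the console shows for your own Rule Set before relying on it.

```shell
#!/bin/sh
# Added example: create the Rule Set from Steps 4 and 5 with the OCI CLI instead of the
# console. Domain, app path, header name and OCID are placeholders (assumptions).

# Emit the Rule Set "items" JSON: the URL Redirect Rule (Step 4) followed by the
# Request Header Rule (Step 5). Fields not set here keep their defaults, as in the console.
# $1 = Vanity URL domain, $2 = app path from Step 3, $3 = header name expected by Step 6.
build_rule_set_items() {
  cat <<EOF
[
  {
    "action": "REDIRECT",
    "conditions": [
      { "attributeName": "PATH", "attributeValue": "/ords/", "operator": "SUFFIX_MATCH" }
    ],
    "redirectUri": { "protocol": "HTTPS", "host": "$1", "path": "$2" }
  },
  { "action": "ADD_HTTP_REQUEST_HEADER", "header": "$3", "value": "1" }
]
EOF
}

# Guard against a redirect loop: the target path must start with /ords and must not
# itself end in /ords/, which is what the redirect rule matches.
validate_app_path() {
  case "$1" in
    */ords/) return 1 ;;
    /ords/*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage: sh create-rule-set.sh <load-balancer-ocid> <domain> <app-path> [header-name]
# Example: sh create-rule-set.sh ocid1.loadbalancer.oc1..PLACEHOLDER apex.example.com \
#          /ords/r/hrapps/projecttasks ADB-Public-Access
if [ $# -ge 3 ]; then
  header="${4:-ADB-Public-Access}"
  validate_app_path "$3" || { echo "app path must look like /ords/r/<workspace>/<alias>: $3" >&2; exit 1; }
  build_rule_set_items "$2" "$3" "$header" > vanity-rule-set.json
  oci lb rule-set create \
    --load-balancer-id "$1" \
    --name "vanity-url-rules" \
    --items file://vanity-rule-set.json
fi
```

As in the console flow, the Rule Set does nothing until it is attached to the Listener in Step 7.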
Step 6 – Set APEX Parameter
Here you will run a short PL/SQL script to set the required APEX parameter. You will execute this script using SQL Developer Web, which is a component of Database Actions.
Open Database Actions in a new browser tab. The direct link to Database Actions at your Vanity URL will look like:
https://<domain>/ords/sql-developer
Example: https://apex.example.com/ords/sql-developer
At the prompt, sign into ADB using your administrator account. Enter ADMIN in Username. Enter the password you set when creating the database in Password.
On the Database Actions Launchpad page, click SQL.
Now you see SQL Developer Web. The Worksheet pane contains an empty worksheet for developing and executing SQL statements and PL/SQL scripts. Copy and paste the code snippet below into this worksheet.
begin
  -- Name the request header whose presence makes APEX refuse developer and
  -- administrator pages; it must match the header added by the Load Balancer rule in Step #5.
  apex_instance_admin.set_parameter('RESTRICT_DEV_HEADER', 'ADB-Public-Access');
  commit;
end;
/
Locate the Run Script button at the top of Worksheet pane and click it to proceed. Wait a few seconds for your script to execute.
In the Query Result pane, verify that your script successfully completed.
Deploying Changes
Step 7 – Attach Rule Set to Listener
You must attach your Rule Set to the Load Balancer Listener for it to take effect. In your browser, navigate to Load Balancer Details. Scroll down to Resources and select Listeners. Locate your Listener in this list, click the dropdown menu at its far right, and select Edit.
In the Edit Listener dialog, scroll down to Rule Sets and add your new Rule Set. Click Save Changes when done and wait a minute for your Work Request to complete.
Testing and Verifying
Step 8 – Attempt to Access Tools
You are now ready to test. Open a different browser than the one you have been using and clear its cache. Attempt to access the blocked tools at your Vanity URL. Verify that:
- The base Vanity URL displays your default APEX app. Navigate to https://<domain> and https://<domain>/ords/ and verify that your default app is shown at its full URL including the app alias. Example: https://apex.example.com
- It is not possible to access APEX Administration Services, App Builder, or SQL Workshop. Navigate to https://<domain>/ords/f?p=4500 and https://<domain>/ords/f?p=4050 and verify that you get 404 errors. Example: https://apex.example.com/ords/f?p=4500
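The Step 8 checks can be repeated from a shell with curl, which is handy after every later change to the Listener or the parameter. This is an added example and not from the original post; it must be run from outside the VCN, and apex.example.com, hrapps and projecttasks in the usage line are this post's example values.

```shell
#!/bin/sh
# Added example: the Step 8 checks as a curl script, run from outside the VCN.
# apex.example.com / hrapps / projecttasks in the usage line are this post's example values.

# Decide whether one probe matched what Step 8 expects.
# $1 = kind ("app": the default app must be served at its full URL, "blocked": a 404),
# $2 = final HTTP status after redirects, $3 = final URL, $4 = full app URL from Step 3.
judge() {
  case "$1" in
    app)     [ "$2" = 200 ] && case "$3" in "$4"*) true ;; *) false ;; esac ;;
    blocked) [ "$2" = 404 ] ;;
    *)       false ;;
  esac
}
# Fetch a URL, following redirects like a browser would; print "<status> <final url>".
probe() {
  curl -sS -L -o /dev/null -w '%{http_code} %{url_effective}' "$1"
}
# List the probes for a domain, workspace and alias as "<kind> <url>" lines (Step 8).
checks_for() {
  printf '%s\n' \
    "app https://$1" \
    "app https://$1/ords/" \
    "app https://$1/ords/r/$2/$3" \
    "blocked https://$1/ords/f?p=4500" \
    "blocked https://$1/ords/f?p=4050"
}
# Run every probe, print PASS/FAIL per line and return 1 if anything failed.
run_checks() {
  app_url="https://$1/ords/r/$2/$3"; failed=0
  while read -r kind url; do
    if ! result=$(probe "$url"); then
      echo "FAIL $kind $url (curl error)"; failed=1; continue
    fi
    code="${result%% *}"; final="${result#* }"
    if judge "$kind" "$code" "$final" "$app_url"; then
      echo "PASS $kind $url"
    else
      echo "FAIL $kind $url -> HTTP $code at $final"; failed=1
    fi
  done <<EOF
$(checks_for "$1" "$2" "$3")
EOF
  return "$failed"
}

# Usage: sh verify-vanity-url.sh apex.example.com hrapps projecttasks
if [ $# -eq 3 ]; then run_checks "$1" "$2" "$3"; fi
```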
Congratulations, you have now blocked access to APEX developer and administrator tools at your Vanity URL!
Conclusion
Blocking access to APEX developer and administrator tools is an important optional extension to the Oracle Autonomous Database Vanity URL architecture. It is now possible to do this using Load Balancer Rule Sets and a special APEX parameter. Once you have created the rules and set the parameter, the tools are blocked at your Vanity URL while runtime APEX apps remain accessible.
Although this blog post focuses on one possible ADB Vanity URL extension, there are many ways that your configuration can be extended and adapted. For example, you can optionally restrict access to additional developer and administrator tools at your Vanity URL that are exposed by ORDS. To learn more about that, proceed to the next article in this blog series here.
* * * * * * * * * * * * *
For a live demonstration of blocking APEX administrator and developer tools, see the end of this APEX Office Hours recording on YouTube:
Navigation Links for This Blog Series
Introducing Vanity URLs for APEX and ORDS on Oracle Autonomous Database
ADB Vanity URLs Part 2: Blocking APEX Developer and Administrator Tools
ADB Vanity URLs Part 3: Blocking ORDS-Provided Developer and Administrator Tools
ADB Vanity URLs Part 4: Multiple Domain Names