Hi,
I’m looking for guidance on the best way to secure access to a JasperReports endpoint /jri/ in an environment where the application is behind a reverse proxy that we do not control.
More details below:
- Our application (Oracle APEX) is hosted on a PaaS environment.
- It is behind a reverse proxy.
- We use Nginx to expose the JasperReports endpoint /jri/ used to generate reports from within the application.
Current setup:
We currently rely on IP-based access control:
- set_real_ip_from to trust the proxy
- X-Forwarded-For to identify the real client IP
- allow/deny rules to restrict access
For example:
location ^~ /jri/ {
    set_real_ip_from <proxy_range>;
    real_ip_header X-Forwarded-For;
    allow <db_network_1>;
    allow <db_network_2>;
    allow <db_network_3>;
    deny all;
    proxy_pass http://127.0.0.1:8080/jri/;
}
Problem:
The proxy IP changed recently (due to infrastructure changes), which broke our access control because the new IP was not included in set_real_ip_from.
After updating the configuration, everything worked again, but this approach is fragile since:
- we do not control the proxy layer
- the proxy IPs may change without notice
We would like to:
- completely block external access to /jri/
- ensure that reports can only be generated through the application
- avoid relying on IP-based rules (allow/deny, set_real_ip_from)
- The application currently triggers report generation via APEX/PLSQL.
- The Jasper endpoint is accessed via HTTP (/jri/report?..).
- We cannot control or guarantee stable proxy IPs.
What would be the recommended approach in Nginx for this scenario?
In particular:
Is there a way to expose /jri/ only for internal use (application backend) while blocking direct external access?
Any guidance or recommended architecture would be greatly appreciated.
Thanks in advance!
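One IP-independent way to gate /jri/, as an added example that is not part of the original post: nginx admits the request only when it carries a shared secret header that the APEX/PLSQL HTTP call adds, so the address the PaaS proxy uses no longer matters. The header name X-Jri-Token, the variable $jri_allowed, the placeholder secret and the server_name are assumptions; it also assumes the hop from the application to nginx is TLS, otherwise the token is readable on the wire.

```nginx
# Added example, not from the original post. Assumes the APEX/PLSQL HTTP call
# can send a custom header (X-Jri-Token) and that the connection is TLS.

# map is an exact string match: anything other than the secret yields 0.
# The value is a placeholder; use a long random string kept in the
# application's configuration, and rotate it here and in APEX together.
map $http_x_jri_token $jri_allowed {
    default                            0;
    "REPLACE_WITH_LONG_RANDOM_SECRET"  1;
}

server {
    listen 443 ssl;
    server_name app.example.invalid;   # placeholder
    # ssl_certificate / ssl_certificate_key as in the existing configuration

    location ^~ /jri/ {
        # No set_real_ip_from, allow or deny: the decision does not depend on
        # which address the proxy happens to use today.
        if ($jri_allowed = 0) {
            return 404;   # respond as if the path did not exist
        }

        proxy_pass http://127.0.0.1:8080/jri/;

        # Do not forward the secret to JasperReports; an empty value makes
        # nginx drop the header from the proxied request.
        proxy_set_header X-Jri-Token "";

        # Pass the usual headers so upstream logs still show the real client.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The token is a bearer secret: anyone who obtains it can reach /jri/, so keep it out of source control and client-visible places, and log rejected /jri/ requests so unexpected callers are noticed.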