How to whitelist allow block IP through AEM Dispatcher ?

-

How to Allow Block IP through AEM Dispatcher ?
 

AEM Dispatcher works as last man standing for your AEM servers. Many business has the requirement to allow only their internal network IP for Author or publish servers.
To achieve this use case for the customer we can use dispatcher configuration explained below.

The dispatcher is used as a load balancing/caching tool by AEM. It can also be used to block anyone from accessing your AEM author instance. This is to ensure that no one outside the client’s network can access it. AEM Author and publisher should never be exposed directly. In most cases, clients may also require a block to be put on AEM pub dispatchers before going live. This is to ensure that no one can see the site except for the client so performance, penetration, and UAT testing can be performed before going live.

In this article, we will see, 5 easy steps to enable IP whitelisting in Apache so only the allowed list of IPs have access to AEM through the dispatcher. Or you can block dedicated IP's block access form those IP's

Whitelisting Approach , Allow IP's :

1) In Apache to enable whitelisting, the Require directive is used which is provided by the mod_authz_host module. Make sure that you have the module enabled first in

 /dispatcher/src/conf.modules.do/00-base.conf

LoadModule authz_host_module modules/mod_authz_host.so


2) In the ams default variable file /dispatcher/src/conf.d.variables/ams_default.vars enable whitelisting either on author or publish by changing the value from 0 to 1. In the example below I want it enabled on the author dispatcher.

# Enable IP whitelisting by setting to 1.  Then put your whitelist rules in

Then put your whitelist rules in /etc/httpd/conf.d/whitelists/*_whitelist.rules

Define AUTHOR_WHITELIST_ENABLED 1

Define PUBLISH_WHITELIST_ENABLED 0

Define LIVECYCLE_WHITELIST_ENABLED 0


3) Since src/conf.d/available_vhost/aem_author.vhost file is immutable we will create our own client_aem_author.vhost file by copying the original aem_author.vhost file according to https://helpx.adobe.com/experience-manager/kb/ams-dispatcher-manual/immutable-files.html. This is in case we want to enable disable any additional features. For now no need to make any additional changes to client_aem_author.vhost. The line Include in the line below will load all whitelist rules as long as they end with “_whitelist.rules” and exist under conf.d/whitelists/ path.

  • cp  aem_author.vhost client_aem_author.vhost
  • make sure you have loded the - conf.d/whitelists/ path in it.

<If "${AUTHOR_WHITELIST_ENABLED} == 1">
     Include conf.d/whitelists/*_whitelist.rules
</If>






4) Since 000_base_whitelist.rules file is immutable we will create a new whitelist file under 
/conf.d/whitelists/001_client _whitelist.rules 
where we will put in our IP ranges.
5) The last step is to make use of Require directive to add IP ranges so anyone requesting resources from these IPs will have access to the author instance. Everyone else outside of the range will get a 403 Forbidden error. NOTE: Changes will only take affect after restarting dispatcher.
<RequireAny>
   10.2.3.41/24 
   10.10.1.32/27
   #  Target IP addresses
   Require ip 111.11.11.11
   Require ip 111.11.11.11
   Require ip 111.11.11.11
   Require ip 111.11.11.11
   Require ip 111.11.11.11
   Require ip 111.11.11.11
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
</RequireAny>

NOTE:
If you are using any monitoring tool.  you’ll have to put in monitoring tool IP addresses in this list otherwise monitoring will fail. In addition to that, you’ll also have to put in the Basic auth token and user-agent provided by your infra team in the same file which is used by the performance testing step (otherwise it will fail). You do that by taking advantage of SetEnvIf directive which defines environment variables based on attributes of the request. This is so we can use logic outside of IP in this situation. We first set the “Basic” token and also the “User-Agent” then we add let_me_in variable to RequireAny directive. Please see the code below which shows how to add Basic Authorization and the User-Agent in 001_client _whitelist.rules. To get more details around SetEnvIf please go to
 https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requiredirectives

#Needed for Assets
SetEnvIf Authorization "Basic Y2xvhOPndasdfasdfasdfasdfZ2NU16c3RIdkQ/YUpEd0=" let_me_in
# adding User agent so AMS can connect and do perf testing
SetEnvIf User-Agent "CloudPerformanceTest" let_me_in
<RequireAny>
   Require env let_me_in
   #  Target IP addresses
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
   Require ip xx.xx.xx.x
</RequireAny>

Block List Approach : 
For business use case where you may need to block the certain IP's , you can follow below approach -  
if you are running Apache HTTP Server and would like to block IPs immediately, follow these steps:
  • Create a file named block-offending-ips.conf on your server.
                
  • Open the file in an editor and add a Location 
directive that blocks all offending IPs from accessing whatever URLs you
 want to block.  There are two options for the contents of the file 
below: 
    • If the request is proxied (via CDN, Load Balancer, etc.) and the remote user’s IP is only in a Header such as X-Forwarded-For then this configuration can be used.  Note that this configuration doesn’t apply if the remoteip_module is configured. 
    <LocationMatch "/.*">
Order Allow,Deny
Allow from all
SetEnvif X-Forwarded-For "123\.123\.123\.123" DenyAccess
     #Repeat the "SetEnvlf X-Forwarded-For ..." for each IP you want to block
Deny from env=DenyAccess 
    </LocationMatch>

    

    

    • Alternatively, if the remote user is directly accessing Apache or you are using remoteip_module (see [ 1] ) to extract and set it within Apache then you can use mod_authz_core’s Require feature directly (Apache 2.4):
    <LocationMatch "/.*">
<RequireAll>
Require all granted
Require not ip 123.123.123.123
#Repeat the "Require not ip ..." for each IP you want to block 
    </RequireAll> 
    </LocationMatch>

    

    



    # Extract true client IP from header added by load balancer/CDN
    <IfModule remoteip_module>
        # valid for ELB or ELB+CloudFront
        RemoteIPHeader X-Forwarded-For
    </IfModule>

    

    

    • Drop the file block-offending-ips.conf in /etc/conf.d folder of the Apache Web server.
    • Make sure do not forget to Restart the Apache HTTP Server. 
    
                


    

    
                      

    

    

    

    












    

    


    

    

    

    


    Comments
    

    

    

    

    


    Post a Comment
    





    

    

    

    

    

    

    
Popular Posts

    

    

    

    

    How to Increase Apache Request Per Second ?
    

    

    

-






    

    

    

    

Image


    

    

    
How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker  or mpm_event  module for this, instead of mpm_prefork  module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so  by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apach...

    


    

    

Read more


    

    

    

    

    Configure/Decoding AEM AuditLogs
    

    

    

-






    

    

    

    

Image


    

    

    
  AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM.   Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom.   This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.   This article covers the following -     How can we enable Audit logs in AEM.  How can we read and understand the Audit logs/ tools to use it.  Audit log on file system in crx-quickstart/logs folder.    Audit logs for User creation / Modification.  How can you archive/purge the audit logs.         How can we enable Audit logs in AEM?              By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...

    


    

    

Read more


    

    

    

    

    Caching Strategy - CDN-APACHE - Example Headers
    

    

    

-






    

    

    

    

Image


    

    

    
Caching Strategy - CDN/APACHE - Internal working & Example Headers Imagine a company is hosting a website on a server in any cloud provider like AWS, AZUR, GCP . It may take around 100ms to load for users in US, but it takes 3–5 seconds to load for users in Finland. Fortunately, there are strategies to minimize this request latency for far-away users.       These are called Caching and Content Delivery Networks (CDNs), which are two important concepts in modern web development and systems design.     CDN are of different-different type   based on cloud service provider below are few most used ones –     Cloud Front , by AWS   Azure Front Door   Content delivery solution from Akamai   Different Caching Strategies   Caching data can greatly improve the performance of applications. There are typically 4 common places where we can store cached data. Browser Caching   Browser caching involves storing website resources on a user’s local computer. When a user revisits a site, the brow...

    


    

    

Read more


    

    

    

    

    Migrating from AEM 6.x to AEM as a Cloud Service: What Developers Should Expect
    

    

    

-






    

    

    

    

Image


    

    

    
Migrating from AEM 6.x to AEM as a Cloud Service: What to Expect ?  Introduction                          If you're currently managing an AEM 6.x project, chances are you’ve heard about AEM as a Cloud Service (AEMaaCS). Adobe is clearly shifting toward this cloud-native model for low/medium complex customers and while there are definite benefits, developers should be prepared for a few surprises too.   I recently worked on a migration project and wanted to share what developers should expect , from code refactoring and CI/CD changes to losing root access and dealing with strict dispatcher rules.           Whats is Great about AEMaaCS                     1. Automatic Upgrades   Say goodbye to manual patching. AEMaaCS updates automatically.  Adobe handles the platform updates, with no need to plan downtime or test service packs.   2. CI/CD with Cloud Manager   Deployments go through Adobe Cloud Manager, which checks for code quality, security, and performance before pu...

    


    

    

Read more


    

    

    

    

    how to clear dispatcher cache in aem ?
    

    

    

-






    

    

    

    

Image


    

    

    
How to clear dispatcher cache in aem ?                    As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.     This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache.        Clear Cache using the Dispatcher Flush Agent                    You can use the Dispatcher Flush Agent. Follow these steps:       Log in to your AEM instance and navigate to      http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush"      agent to open the agent's configuration page. Clic...

    


    

    

Read more


    

    

    

    

    How to prevent DDoS in Apache ? 
    

    

    

-






    

    

    

    

Image


    

    

    
Prevent DDoS in Apache & IP Block Automation              DDoS (Distributed Denial of Service) attacks are a type of cyberattack that can cause serious damage to your web server. These attacks involve flooding your server with a huge volume of traffic, overwhelming its resources and causing it to crash. In this blog post, we'll discuss how to prevent DDoS attacks in Apache, without using any third part tool/application.         Available Options to Prevent DDoS :    You can use various mentioned methods to achieve the same. But using WAF, CDN, etc will cost extra dollars. Which might not be necessary for a small scale application.       Use a Web Application Firewall (WAF): A WAF      can help detect and block malicious traffic before it reaches your Apache      server. It can also help block common attack vectors, such as SQL      injection and cross-site scripting (XSS). Install mod_evasive: mod_evasive is an      Apache module that helps detect and block DDoS attac...

    


    

    

Read more


    

    

    

    

    Difference between Adobe AEM Enterprise vs Adobe AEM as a Cloud Service
    

    

    

-






    

    

    

    

Image


    

    

    
Difference between Adobe AEM Enterprise VS Adobe AEM as a Cloud Service. ( AEMaaCS)                    Adobe Manages Services Enterprise (AMS) and AEM as a Cloud Service (AEMaaCS) are two different offering by Adobe for AEM.       While AMS is more of a hosting offers for AEM (similar to on-premise setups but run managed by Adobe), While AEMaaCS is a SaaS offering.      In AMS you can have access of your servers , can login and check the required files by your self & will have a dedicated Customer Success Engineer, while in AEMaaCS is completely SAS and you won’t have any access of servers , for everything you need Cloud manager.       Below are the Major difference between AMS Enterprise and AEMaaCS. Please note these difference are as of March 2023. Post this things may differ.  The following article can be referred for AEMaaCS details   AEM as a Cloud Service  

    


    

    

Read more


    

    

    

    

    How to protect AEM against CSRF Attack ?
    

    

    

-






    

    

    

    

Image


    

    

    
How to protect AEM against CSRF Attack ? Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks.       Implement CSRF protection in AEM:       The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration.  Navigate to the OSGi Web Console (/system/console/configMgr). Search for Apache Sling Refe...

    


    

    

Read more


    

    

    

    

     How to Configure CSP header in AEM , Dispatcher  ?
    

    

    

-






    

    

    

    

Image


    

    

    
How to Configure CSP header in AEM ? Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by restricting the sources from which a page can load resources. To implement a CSP header in an Apache web server, you can use the Header  directive in your Apache configuration. Here are the steps to implement a CSP header in Apache: Determine your CSP policy: First, you need to determine your CSP policy. This policy defines the rules for what types of content can be loaded from which sources. You can use a CSP policy generator like the one available on the Mozilla Developer Network (MDN) website to generate a policy that meets your needs. Add the CSP header to your Apache configuration: Once you have your CSP policy, you can add the CSP header to your Apache configuration. To do this, open your Apache configuration file (usually located at /etc/httpd/conf/httpd.conf  or a similar location depending on your setup) and ...

    


    

    

Read more


    

    

    

    

    OakAccess0000: Access denied
    

    

    

-






    

    

    

    

Image


    

    

    
ERROR :-   OakAccess0000: Access denied We often observe while doing the AEM development or in live running environment we get the error code  OakAccess0000 , especially while running a workflow or any asset upload. This issue disrupts normal operation. As content authors are unable to perform essential task like uploading or managing content, leading to business impact.   This impact the business as content author are unable to upload any content.  Error stack trace :- Javax.jcr.AccessDeniedException: OakAccess0000: Access denied  at   org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:232)  [org.apache.jackrabbit.oak-api:1.10.6]  at  org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213)  [org.apache.jackrabbit.oak-api:1.10.6]  at  org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:669)  [org.apache...

    


    

    

Read more