diff --git a/changes.xml b/changes.xml
index 23d1ed2..0bc49bb 100644
--- a/changes.xml
+++ b/changes.xml
@@ -23,17 +23,32 @@
xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
+
+
+ Role aem-dispatcher-cloud: Introduce httpd.rewrites (ported from aem-dispatcher-ams role).
+
+
+ Role aem-dispatcher-cloud: Introduce httpd.rewriteIncludes (ported from aem-dispatcher-ams role).
+
+
+ Role aem-dispatcher-cloud: Introduce httpd.generateAvailableVhost and httpd.generateEnabledVhost to control vhost generation.
+
+
+ Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Revert #83, move "security-related" deny rules back to dispatcher.filter.
+
+
+
-
+
Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce dispatcher.filterAppend filter list.
-
+
Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Block form selector with a non-empty suffix on all URLs in order to fix form validator bypass issue.
-
+
Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Move "security-related" existing deny rules e.g. to prevent content grabbing to dispatcher.filterAppend filter list.
-
+
Role aem-dispatcher-cloud: Sync with default dispatcher configuration from Adobe project archetype 36 to 39.
diff --git a/conga-aem-definitions/pom.xml b/conga-aem-definitions/pom.xml
index 0d4f2f1..1e1a5a9 100644
--- a/conga-aem-definitions/pom.xml
+++ b/conga-aem-definitions/pom.xml
@@ -25,13 +25,13 @@
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem.parent
- 1.14.0
+ 1.15.0
../parent/pom.xml
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem
- 1.14.0
+ 1.15.0
config-definition
CONGA AEM Definitions
diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml
index f1110ac..c9ef744 100644
--- a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml
+++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml
@@ -75,12 +75,6 @@ variants:
- url: /libs/cq/personalization(/.*)?
method: "GET"
type: allow
- # Allow current user [from default_filters.any]
- - url: /libs/granite/security/currentuser.json
- type: allow
-
- # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
- filterAppend:
# Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
- selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
extension: (json|xml|html|feed)
@@ -90,6 +84,9 @@ variants:
type: deny
- query: wcmmode=.*
type: deny
+ # Allow current user [from default_filters.any]
+ - url: /libs/granite/security/currentuser.json
+ type: allow
# Deny content grabbing for /content - additional selectors not included in default dispatcher.any
- path: /content(/.*)?
selectors: (ambits|assetsearch|assignments|childrenlist|cloudservices|contentfinder|context|emailservice|exacttarget|ext|form|media|missingpages|mobileapps|pages|paragraphs|payloadsummary|permissions|publications|referencelist|savedsearch|skippedpages|search|social|style|tags|tagtree|timezones)
@@ -106,6 +103,9 @@ variants:
- path: /content(/.*)?
selectors: (overlay)
type: deny
+
+ # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+ filterAppend:
# block form validator bypass
- url: '/.*'
selectors: "(form)"
diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
index 832dbde..67699c2 100644
--- a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
+++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
@@ -78,6 +78,15 @@ variants:
- url: /libs/cq/personalization(/.*)?
method: GET
type: allow
+ # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
+ - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
+ extension: (json|xml|html|feed)
+ type: deny
+ # Deny authoring query params [from default_filters.any]
+ - query: debug=.*
+ type: deny
+ - query: wcmmode=.*
+ type: deny
# Allow current user [from default_filters.any]
- url: /libs/granite/security/currentuser.json
type: allow
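Review bot: The deny rules inserted here (greedy selectors, `debug=`/`wcmmode=` query params) only neutralise allow rules that come before them; the dispatcher applies the last matching filter, so any allow placed later in `dispatcher.filter` — including project rules merged in by an environment with `_merge_` — that matches the same URL re-opens e.g. `.infinity.json`, which is exactly the case the `filterAppend` list's own comment ("not accidentally allowed again") was meant to prevent. A small instance is already visible: the `currentuser.json` allow that now follows has no `query` constraint, so `?wcmmode=…` and `?debug=…` on that URL pass the filter again. The changelog gives no rationale for the revert, so if the ordering is intentional it deserves a comment above the first deny: `# NOTE: last matching filter wins - allow rules added below this point (or merged in per environment) must not match these selectors/query params`. The `filter` list begins outside the hunk.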
@@ -96,18 +105,6 @@ variants:
- url: /graphql/execute.json*
method: (GET|POST|OPTIONS)
type: allow
-
- # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
- filterAppend:
- # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any]
- - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)
- extension: (json|xml|html|feed)
- type: deny
- # Deny authoring query params [from default_filters.any]
- - query: debug=.*
- type: deny
- - query: wcmmode=.*
- type: deny
# Deny content grabbing for /content - additional selectors not included in default dispatcher.any
- path: /content(/.*)?
selectors: (ambits|assetsearch|assignments|childrenlist|cloudservices|contentfinder|context|emailservice|exacttarget|ext|form|media|missingpages|mobileapps|pages|paragraphs|payloadsummary|permissions|publications|referencelist|savedsearch|skippedpages|search|social|style|tags|tagtree|timezones)
@@ -124,6 +121,9 @@ variants:
- path: /content(/.*)?
selectors: (overlay)
type: deny
+
+ # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+ filterAppend:
# block form validator bypass
- url: '/.*'
selectors: "(form)"
@@ -169,6 +169,7 @@ files:
template: conf.d/available_vhosts/tenant.vhost.hbs
multiply: tenant
fileHeader: conf
+ condition: ${httpd.generateAvailableVhost}
# enabled vhosts
- file: ${new('java.text.DecimalFormat','0000').format(multiplyIndex)}_${tenant}.vhost
@@ -177,6 +178,7 @@ files:
variants:
- aem-publish
multiply: tenant
+ condition: ${httpd.generateEnabledVhost}
# global rewrite rules
- file: rewrite.rules
@@ -357,6 +359,17 @@ config:
# Set the default experiation time for text/html responses (enabled by default in AEM Cloud Service webserver)
htmlExpirationTimeMin: 5
+ # List of rewrite rules to include in the vhost
+ rewriteIncludes:
+ - conf.d/rewrites/rewrite.rules
+
+ # These rewrite rules are evaluated before the mapping rules
+ # rewrites:
+ # - rule: ^/crx/(.*)$ - [R=404,L]
+ # - conditions:
+ # - '%{REQUEST_URI} !^/system/sling/logout(.*)$'
+ # rule: ^/system/(.*)$ - [R=404,L]
+
# Request URI patterns for Sling maping short URL configuration
mapping:
uriExcludeFromMapping:
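Review bot: The comment on `rewriteIncludes` does not say that an environment overriding the key replaces the whole list, so `conf.d/rewrites/rewrite.rules` — where the global rewrite rules live — is presumably dropped unless the environment starts its list with `_merge_`, as `example/src/main/environments/test.yaml` in this commit does. That is easy to miss and fails only at httpd level, so suggest `# List of rewrite rule files included in the vhost. Overriding this key in an environment replaces the list; start it with "- _merge_" to append to the default.` The commented `rewrites` example is a sensible template (404 for `/crx` and `/system`, logout exempted), but the comment states only that they run before the mapping rules; their order relative to the included files is not stated and would be worth noting.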
@@ -385,6 +398,12 @@ config:
# Placed at the bottom of the vhost confign file
after:
+ # Controls the generation of available_vhosts files
+ generateAvailableVhost: true
+
+ # Controls the generation of enabled_vhosts files
+ generateEnabledVhost: true
+
# Allows to define different server names/alias names per environment in a single dispatcher configuration
#cloudManagerConditional:
# targetEnvironment: # to be substituted with e.g. "dev"
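Review bot: The two flags are independent, but `generateEnabledVhost: true` with `generateAvailableVhost: false` produces an enabled vhost whose available counterpart does not exist; if the enabled file references the available one (the usual `enabled_vhosts` symlink layout of the AEM as a Cloud Service dispatcher), httpd will fail validation with no hint pointing back to these flags. Record the dependency in the comment, e.g. `# Controls the generation of enabled_vhosts files (set to false whenever generateAvailableVhost is false)`, or make the file condition `${httpd.generateEnabledVhost && httpd.generateAvailableVhost}` if the expression language supports it.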
diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
index 25397b7..5195536 100644
--- a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
+++ b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
@@ -53,15 +53,6 @@ variants:
# Enable features [from default dispatcher.any]
- url: /libs/cq/personalization(/.*)?
type: allow
- # Allow access to client libraries and designs at /etc
- - url: (/etc/clientlibs|/etc.clientlibs|/etc/designs/.*/clientlibs)(/.*)?
- type: allow
- # open consoles (access is controlled in httpd config)
- - url: /(admin|crx|system)(/.*)?
- type: allow
-
- # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
- filterAppend:
# Deny content grabbing, on all accessible pages [from default dispatcher.any]
- selectors: ((sys|doc)view|query|[0-9-]+)
extension: (json|xml)
@@ -87,6 +78,15 @@ variants:
- path: /content(/.*)?
selectors: (overlay)
type: deny
+ # Allow access to client libraries and designs at /etc
+ - url: (/etc/clientlibs|/etc.clientlibs|/etc/designs/.*/clientlibs)(/.*)?
+ type: allow
+ # open consoles (access is controlled in httpd config)
+ - url: /(admin|crx|system)(/.*)?
+ type: allow
+
+ # list of filters that will be appended after the "normal" filter list to ensure denied content is not accidentally allowed again by other selectors
+ filterAppend:
# block form validator bypass
- url: '/.*'
selectors: "(form)"
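Review bot: The `/(admin|crx|system)(/.*)?` allow now follows the content-grabbing deny rules (`((sys|doc)view|query|[0-9-]+)` with `(json|xml)`, added in the previous hunk), and since the last matching filter wins, those selectors are accepted again at the filter layer for `/crx`, `/system` and `/admin` — e.g. a `.sysview.xml` request below `/crx`. Before this change the denies sat in `filterAppend` and therefore applied to these paths too; the comment says access is controlled in httpd config, so the actual exposure depends on the `Location`/`Require` rules in the httpd templates, which are not in this diff. If the deny rules are meant as defence in depth, move the clientlib and console allow rules above the first deny rule and say why in the comment: `# open consoles (access is controlled in httpd config; placed above the deny rules so content-grabbing selectors stay blocked here too)`. The `filter` list begins outside the hunk.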
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
index 9060930..d6c11d4 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
@@ -73,7 +73,9 @@ AllowEncodedSlashes NoDecode
RewriteEngine on
- Include conf.d/rewrites/rewrite.rules
+ {{~#each httpd.rewriteIncludes}}
+ Include {{ this }}
+ {{~/each}}
# Do not allow RFC 2616 trace requests
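Review bot: `Include {{ this }}` renders each path through a double-stash mustache; if the Handlebars instance used for this file type applies the default HTML escaping, a path containing `=`, `'`, `&` or a backtick is emitted entity-encoded and httpd refuses to start (the existing `"{{httpd.headers.xssProtection}}"` directive in the same template uses the same form, so escaping is presumably already disabled for conf files — worth confirming, otherwise use `{{{this}}}`). The spacing `{{ this }}` also differs from the `{{this}}` used in the `rewrites` block added to this template in the same commit; pick one. Note that an empty `httpd.rewriteIncludes` list now silently drops the previously hard-coded `conf.d/rewrites/rewrite.rules` include, a behavioural change for environments that override the list without `_merge_`.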
@@ -171,6 +173,17 @@ Header set X-XSS-Protection "{{httpd.headers.xssProtection}}"
{{~/if}}
{{/block}}
+{{~#block "rewrites"}}
+{{~#if httpd.rewrites}}
+# Rewrites
+{{~#each httpd.rewrites}}
+{{~#each this.conditions}}
+RewriteCond {{this}}
+{{~/each}}
+RewriteRule {{this.rule}}
+{{~/each}}
+{{/if ~}}
+{{/block}}
{{~#block "rewriteSlingShortUrlMapping"}}
{{~#if sling.mapping.rootPath}}
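Review bot: `RewriteRule {{this.rule}}` is emitted unconditionally for every list entry, so an entry carrying only `conditions` (or a misspelt key such as `rules:`) renders a bare `RewriteRule` line with dangling `RewriteCond` lines above it; httpd then rejects the config, which fails closed but gives no pointer to the offending YAML. Wrapping each entry in `{{#if this.rule}} … {{/if}}`, or at least documenting `rule` as mandatory in the role config comment, makes the failure mode explicit. As with the includes, the values are spliced verbatim into the vhost, so anyone who can edit environment YAML can emit arbitrary mod_rewrite directives — expected for a config role, but the config comment should say these rules are rendered unvalidated and, per its own wording, run before the mapping rules.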
diff --git a/example/pom.xml b/example/pom.xml
index 7a85419..51133ec 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -32,7 +32,7 @@
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem.example
config
- 1.14.0
+ 1.15.0
CONGA AEM Definitions Example
Example environment definition.
@@ -43,7 +43,7 @@
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem
- 1.14.0
+ 1.15.0
diff --git a/example/src/main/environments/test.yaml b/example/src/main/environments/test.yaml
index 302674f..5f862a8 100644
--- a/example/src/main/environments/test.yaml
+++ b/example/src/main/environments/test.yaml
@@ -310,11 +310,15 @@ tenants:
prod:
serverName: www.prod-sample3.com
rootRedirect.url: /en.html
+ rewrites:
+ - rule: ^/subpage/?$ /subpage.html [NC,R=301,L]
sling.mapping.rootPath: /content/sample3
- tenant: cloud-sample4.com
config:
httpd:
+ generateEnabledVhost: false
+ generateAvailableVhost: false
cloudManagerConditional:
dev:
serverName: www.dev-sample4.com
@@ -326,6 +330,9 @@ tenants:
prod:
serverName: www.prod-sample4.com
rootRedirect.url: /content/sample4/en.html
+ rewriteIncludes:
+ - _merge_
+ - conf.d/rewrites/additional_rewrite.rules
- tenant: ams-sample5.com
config:
diff --git a/parent/pom.xml b/parent/pom.xml
index d2b9c99..e91b2b9 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -31,7 +31,7 @@
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem.parent
- 1.14.0
+ 1.15.0
pom
CONGA AEM Definitions
@@ -40,7 +40,12 @@
GitHub Actions
https://github.com/wcm-io-devops/conga-aem-definitions/actions
-
+
+
+ GitHub
+ https://github.com/wcm-io-devops/conga-aem-definitions/issues/
+
+
diff --git a/pom.xml b/pom.xml
index 4dfb839..aef391d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,13 +23,13 @@
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem.parent
- 1.14.0
+ 1.15.0
parent/pom.xml
io.wcm.devops.conga.definitions
io.wcm.devops.conga.definitions.aem.root
- 1.14.0
+ 1.15.0
pom
CONGA AEM Definitions