How to whitelist IPs through the AEM Dispatcher?


The Dispatcher is AEM's caching and load-balancing layer in front of the author and publish instances. It can also be used to block anyone outside the client's network from reaching the AEM author instance; AEM author and publish should never be exposed directly. In most cases, clients also require a block on the publish dispatchers before go-live, so that nobody outside the client can see the site while performance, penetration and UAT testing is carried out.

In this article we will see five easy steps to enable IP whitelisting in Apache httpd so that only the allowed list of IPs can reach AEM through the dispatcher.


1) In Apache, whitelisting is done with the Require directive (mod_authz_core); the ip provider used below (Require ip) comes from the mod_authz_host module. Make sure that module is loaded first in

 /dispatcher/src/conf.modules.d/00-base.conf

LoadModule authz_host_module modules/mod_authz_host.so


2) In the AMS default variables file /dispatcher/src/conf.d/variables/ams_default.vars, enable whitelisting on author or publish by changing the value from 0 to 1. In the example below it is enabled only on the author dispatcher.

# Enable IP whitelisting by setting to 1.  Then put your whitelist rules in
# /etc/httpd/conf.d/whitelists/*_whitelist.rules
Define AUTHOR_WHITELIST_ENABLED 1
Define PUBLISH_WHITELIST_ENABLED 0
Define LIVECYCLE_WHITELIST_ENABLED 0


3) Since src/conf.d/available_vhosts/aem_author.vhost is immutable, create your own client_aem_author.vhost by copying the original aem_author.vhost, as described at https://helpx.adobe.com/experience-manager/kb/ams-dispatcher-manual/immutable-files.html (the copy is the file you enable under conf.d/enabled_vhosts/ in place of the original). This is so that additional features can be enabled or disabled later; for now no further changes to client_aem_author.vhost are needed. The Include line below loads every whitelist rules file that ends with "_whitelist.rules" and exists under conf.d/whitelists/:

<If "${AUTHOR_WHITELIST_ENABLED} == 1">
     Include conf.d/whitelists/*_whitelist.rules
</If>

4) Since 000_base_whitelist.rules is also immutable, create a new whitelist file, conf.d/whitelists/001_client_whitelist.rules, where we will put in our IP ranges.

5) The last step is to use the Require directive to add the IP ranges: anyone requesting resources from these addresses will have access to the author instance, and everyone else gets a 403 Forbidden. Note that Require ip matches the address Apache sees as the client; if the dispatcher sits behind a load balancer or CDN, that is the proxy's address, and mod_remoteip must be configured with the trusted proxy addresses before the whitelist behaves as intended. Also, Require ip masks off host bits, so 10.2.3.41/24 admits the whole of 10.2.3.0/24, not just 10.2.3.41. NOTE: Changes will only take effect after restarting the dispatcher (httpd).

<RequireAny>
   # Client network ranges (each entry needs its own Require ip)
   Require ip 10.2.3.41/24
   Require ip 10.10.1.32/27
   #  Target IP addresses
   Require ip 34.253.100.20
   Require ip 34.248.100.23
   Require ip 52.49.228.246
   Require ip 54.205.42.123
   Require ip 107.22.177.39
   Require ip 52.201.5.105
   Require ip 52.193.211.177
   Require ip 18.180.24.249
   Require ip 52.194.154.154
</RequireAny>


NOTE:

If you are using a monitoring tool, its source IP addresses must be in this list as well, otherwise monitoring will fail. In addition, the AMS performance-testing step connects with a Basic Authorization header and a User-Agent provided by your infra team, so those must be allowed in the same file too (otherwise that step will fail). This is done with the SetEnvIf directive, which sets environment variables based on attributes of the request, so that we can use a condition other than the source IP. We first match the "Basic" token and the "User-Agent" and set the let_me_in variable, then add Require env let_me_in to the RequireAny block. Two caveats: the second argument of SetEnvIf is a regular expression, so escape any regex metacharacters (such as + or .) in the token, and a User-Agent value is chosen freely by the client, so anyone who learns the string "CloudPerformanceTest" can bypass the IP whitelist with it. Treat such exceptions as shared secrets, keep them to a minimum, and remove them once testing is finished. The code below shows how to add the Basic Authorization and User-Agent rules in 001_client_whitelist.rules. SetEnvIf is documented at https://httpd.apache.org/docs/2.4/mod/mod_setenvif.html and the Require directives at

 https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requiredirectives


# Needed for Assets
SetEnvIf Authorization "Basic Y2xvhOPndasdfasdfasdfasdfZ2NU16c3RIdkQ/YUpEd0=" let_me_in
# Adding the User-Agent so AMS can connect and do perf testing
SetEnvIf User-Agent "CloudPerformanceTest" let_me_in

<RequireAny>
   Require env let_me_in
   #  Target IP addresses
   Require ip 34.253.100.20
   Require ip 34.248.100.23
   Require ip 52.49.228.246
   Require ip 54.205.42.123
   Require ip 107.22.177.39
   Require ip 52.201.5.105
   Require ip 52.193.211.177
   Require ip 18.180.24.249
   Require ip 52.194.154.154
</RequireAny>
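To sanity-check a rules file like the one above before restarting httpd, here is an added example in Python; it is not part of the original post and not AMS tooling. It parses the Require ip, Require env and SetEnvIf lines of a constructed sample rules file, flags the two mistakes discussed in step 5 and in the note (a CIDR with host bits set, and an exception keyed on a client-controlled User-Agent), and evaluates whether a given client IP plus request headers would be admitted by the RequireAny block. The sample addresses and the Basic token are made up for the example, and only full addresses and CIDR notation are handled, not Apache's partial-prefix forms such as Require ip 10.1.

```python
import ipaddress
import re

# Constructed sample of a 001_client_whitelist.rules file. The token and the
# addresses are made up for this example; they are not the page's values.
SAMPLE_RULES = """\
# Needed for Assets
SetEnvIf Authorization "Basic Y2xpZW50OnNlY3JldA==" let_me_in
# User-Agent exception for the performance test
SetEnvIf User-Agent "CloudPerformanceTest" let_me_in
<RequireAny>
   Require env let_me_in
   Require ip 10.2.3.41/24
   Require ip 10.10.1.32/27
   Require ip 34.253.100.20
</RequireAny>
"""

SETENVIF_RE = re.compile(r'^SetEnvIf\s+(\S+)\s+"([^"]*)"\s+(\S+)')
REQUIRE_IP_RE = re.compile(r'^Require\s+ip\s+(.+)$')
REQUIRE_ENV_RE = re.compile(r'^Require\s+env\s+(\S+)')
REGEX_META = set(r'.+*?^$[](){}|\\')
# Request headers any client can set to whatever it likes.
CLIENT_CHOSEN = {"user-agent", "referer", "x-forwarded-for"}


def parse_rules(text):
    """Parse a whitelist rules file into (networks, setenvif_rules,
    required_env_vars, warnings). Only 'Require ip' with full addresses or
    CIDR, 'Require env' and SetEnvIf on request headers are understood."""
    networks, env_rules, require_envs, warnings = [], [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # comments and the <RequireAny> container itself
        m = SETENVIF_RE.match(line)
        if m:
            header, pattern, var = m.groups()
            env_rules.append((header.lower(), re.compile(pattern), var))
            if header.lower() in CLIENT_CHOSEN:
                warnings.append(f"line {lineno}: {header} is chosen by the client; "
                                f"any request sending '{pattern}' bypasses the IP list")
            if REGEX_META & set(pattern):
                warnings.append(f"line {lineno}: pattern contains regex metacharacters; "
                                "escape them if the token is meant literally")
            continue
        m = REQUIRE_IP_RE.match(line)
        if m:
            for token in m.group(1).split():
                # strict=False mirrors Apache, which masks off the host bits
                net = ipaddress.ip_network(token, strict=False)
                if "/" in token and str(net) != token:
                    warnings.append(f"line {lineno}: {token} has host bits set; "
                                    f"Apache will match all of {net}")
                networks.append(net)
            continue
        m = REQUIRE_ENV_RE.match(line)
        if m:
            require_envs.append(m.group(1))
            continue
        warnings.append(f"line {lineno}: unrecognised line (httpd -t would reject it): {line}")
    return networks, env_rules, require_envs, warnings


def request_allowed(parsed, client_ip, headers=None):
    """Emulate <RequireAny>: admit if any 'Require env' variable was set by a
    SetEnvIf match on the request headers, or the client IP is in any network."""
    networks, env_rules, require_envs, _ = parsed
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    env = set()
    for header, pattern, var in env_rules:
        value = headers.get(header)
        if value is not None and pattern.search(value):  # SetEnvIf is unanchored
            env.add(var)
    if any(var in env for var in require_envs):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for w in parsed[3]:
        print("WARN", w)
    print(request_allowed(parsed, "10.2.3.200"))
    print(request_allowed(parsed, "203.0.113.5", {"User-Agent": "CloudPerformanceTest"}))
```

Run against the sample, the checker reports the User-Agent exception and the 10.2.3.41/24 entry, and shows that 10.2.3.200 (never intended) and any address sending the performance-test User-Agent are admitted, which is exactly the exposure the note above warns about. Point it at your real 001_client_whitelist.rules before running httpd -t and restarting.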
