SOLVED

Dispatcher - publisher system/console is giving 500 error

Level 2

Hi -

I am trying to restrict the system/console URL on the publisher by applying a filter in the dispatcher, something like below:

/0001 { /type "deny" /glob "*" }

/0204 { /type "deny" /url "/system/*" }

But still, I am getting a 500 error instead of the 404. Does anybody have any idea what I am missing?

Configuring Dispatcher

1 Accepted Solution

Correct answer by
Level 2

Ideally the deny everything rule should work. Below is a sample filters.any which works fine to deny access to any request to /system/*.

# Deny everything first and then allow specific entries
/0001 { /type "deny" /glob "*" }

# Open consoles
#     /0011 { /type "allow" /url "/admin/*"  }  # allow servlet engine admin
#     /0012 { /type "allow" /url "/crx/*"    }  # allow content repository
#     /0013 { /type "allow" /url "/system/*" }  # allow OSGi console

# Allow non-public content directories
#     /0021 { /type "allow" /url "/apps/*"   }  # allow apps access
#     /0022 { /type "allow" /url "/bin/*"    }
/0023 { /type "allow" /url "/content*" }  # disable this rule to allow mapped content only
#     /0024 { /type "allow" /url "/libs/*"   }
#     /0025 { /type "deny"  /url "/libs/shindig/proxy*" } # if you enable /libs close access to proxy
#     /0026 { /type "allow" /url "/home/*"   }
#     /0027 { /type "allow" /url "/tmp/*"    }
#     /0028 { /type "allow" /url "/var/*"    }

# Enable extensions in non-public content directories, using a regular expression
/0041
  {
  /type "allow"
  /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?|ttf|txt)'
  }

# Enable features
/0062 { /type "allow" /url "/libs/cq/personalization/*"  }  # enable personalization

# CSRF Token:
/0088 { /type "allow" /path "/libs/granite/csrf/token" /method "GET" /extension "json" }
/0099 { /type "allow" /path "/libs/dam/viewers/*" /method "GET"}

Also, in the rewrite .conf, add the path of the 404 page like below:

ErrorDocument 404 ${AEM_CONTENT_ROOT_PATH}/error/404.html

ErrorDocument 500 ${AEM_CONTENT_ROOT_PATH}/error/500.html

3 Replies

Level 10

Check if you can access the same url on publish directly w/o any error?

Could you share your dispatcher.any filter section?

Level 2

Hi gauravb41175071 -

I tried to access the publish domain with system/console and it is giving a 500 error. In the ideal case it should return 404.

Here is the content of the filter section file (please see highlighted below):

/0200 { /type "allow" /method "GET" /url "/bin/external*"   }
/0201 { /type "allow" /url "/etc/designs/*" }
/0202 { /type "allow" /url "/etc/dam/*" }
/0203 { /type "allow" /url "/content/*" }
/0204 { /type "deny" /url "/system/*" }
/0205 { /type "allow" /url "/useradmin/*" }
/0206 { /type "allow" /url "/crx/*" }
/0207 { /type "allow" /url "/lib/*" }
/0208 { /type "allow" /url "/bin/*" }
/0209 { /type "allow" /url "/dotcom/*" }
/0210 { /type "allow" /url "/etc/acs-commons/lists*" }
/0212 { /type "allow" /method "POST" /url "/lp/*"}
/0213 { /type "allow" /url "/system/sling/logout*"}
/0214 { /type "allow" /url "/etc.clientlibs/*" }
/0215 { /type "allow" /url "/libs/granite/csrf/token.json" }
/0217 {/type "allow" /url "/apps/onup/counter/external*"}
/0220 { /type "allow" /url "/etc/cloudsettings*" }
/0221 { /type "allow" /url "/etc/segmentation*" }
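
As an added example (not part of the original posts and not Adobe's code): when several Dispatcher filter rules match a request, the last matching one is effective, so rule order decides what a filter section like the one above lets through. This simplified Python model runs a subset of the posted rules against constructed sample requests; the matcher is an assumption that treats double-quoted values as shell-style globs and handles only /glob, /method and /url.

```python
import re
from fnmatch import fnmatchcase

# Subset of the rules posted in this thread, in their original order.
FILTER_TEXT = '''
/0001 { /type "deny" /glob "*" }
/0203 { /type "allow" /url "/content/*" }
/0204 { /type "deny" /url "/system/*" }
/0206 { /type "allow" /url "/crx/*" }
/0212 { /type "allow" /method "POST" /url "/lp/*"}
/0213 { /type "allow" /url "/system/sling/logout*"}
'''

RULE_RE = re.compile(r'/(\d+)\s*\{(.*?)\}', re.S)
PROP_RE = re.compile(r'/(\w+)\s+"([^"]*)"')

def parse_rules(text):
    """Return [(rule_id, {property: value})] in file order."""
    return [(rid, dict(PROP_RE.findall(body))) for rid, body in RULE_RE.findall(text)]

def rule_matches(props, method, path):
    """Simplified matching (assumption): every property present must match as a glob."""
    # /glob is compared against the whole request line, /url against the path only.
    if "glob" in props and not fnmatchcase(f"{method} {path} HTTP/1.1", props["glob"]):
        return False
    if "method" in props and not fnmatchcase(method, props["method"]):
        return False
    if "url" in props and not fnmatchcase(path, props["url"]):
        return False
    return True

def decide(rules, method, path):
    """Last matching rule is effective; returns (type, rule_id) or None if nothing matched."""
    verdict = None
    for rid, props in rules:
        if rule_matches(props, method, path):
            verdict = (props["type"], rid)
    return verdict

RULES = parse_rules(FILTER_TEXT)

if __name__ == "__main__":
    # Constructed sample requests for auditing the rule set.
    for method, path in [("GET", "/system/console"), ("GET", "/system/sling/logout.html"),
                         ("GET", "/crx/de/index.jsp"), ("GET", "/lp/form"), ("POST", "/lp/form")]:
        print(method, path, "->", decide(RULES, method, path))
```

In this model /system/console is denied by /0204, while /crx/* stays allowed by /0206 and /system/sling/logout* is re-opened by the later /0213, which is the kind of ordering effect to look for when reviewing a publish-facing filter.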
