Expand my Community achievements bar.

Dispatcher will not deny content paths

Avatar

Level 1
Level 1
5/31/17 9:42:16 AM

We have one instance of AEM 6.2 running an external facing website.  We will call it " sitea " external

We are in the process of adding an internal facing site that will be served from the same AEM instance. We will call that site "siteb" internal

We have an external facing webserver and dispatcher configuration as well as an internal webserver and dispatcher configuration

We are trying to deny access to any paths to site b internal on the external dispatcher it is not working.

#/0022 { /type "allow" /url "/content/*" }  # disable this rule to allow mapped content only

/0022 { /type "allow" /url "/content/sitea/*" }  # disable this rule to allow mapped content only

/0023 { /type "allow" /url "/etc/designs/sitea/*"   }

/0024 { /type "allow" /url "/content/dam/sitea/*" }

# Deny access to internal

/0029 { /type "deny" /url "/content/siteb/*" }  # disable this rule to allow mapped content only

/0030 { /type "deny" /url "/etc/designs/siteb/*"   }

Please advise

Views

1.8K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
5 Replies

Avatar

Level 1
Level 1
5/31/17 10:20:52 AM

What part is not working?  Does sites still serve and siteb as well, or do neither work?  Is there anything in the dispatcher cache for siteb already?

Views

923

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
5/31/17 11:39:00 AM

The problem is Site B and any of its content / assets should NOT be reachable via the external facing webserver / dispatcher instance.

I placed deny filters in the dispatcher conf, but I am still able to get to resources of site b.

I commented dispatcher cache to isolate the issue and cleared cache.

Views

922

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
5/31/17 12:15:52 PM

Check dispatcher.log to see what farm it is being served from.  It would say something like this:

Found farm siteb for siteb.company.com

It is possible it is getting through using another farm definition.  I have seen invalidation_only serve content when it should not.

Views

925

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
6/1/17 7:30:20 AM

We have two separate webservers.  One exposed to the internet with references for "sitea" only.  There is only one farm on that server and in the dispatcher configuration we are trying to deny access to /siteb path.  This is something that should be a simple deny rule but is not working.

We have an internal facing webserver with siteb configuration only, that is not exposed to the public.

The dispatcher is reacting to other changes, but not the deny rules.

Views

923

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
6/1/17 8:12:11 AM

I would still say double check the dispatcher logs to see what messaging you get when you hit it.  Set debugging for a few, hit the path for siteb through sitea url and see if there is any messaging on the path.  You might also try changing your deny from url to glob to see if that will block it.

Views

923

Replies

0
Sign in to like this content

Total Likes

Translate
Translate