SOLVED

Unable to Run Dispatcher Flush Invalidate.cache

Level 4

Hi,

I am trying to run a Jenkins job to flush the dispatcher cache and am getting the below error.

<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dispatcher/invalidate.cache
on this server.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Command I ran:

curl -H "CQ-Action: Delete" -H "CQ-Handle: /content/" -H "CQ-Path: /content/" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" -H "Host:My_env_host_name" http://IP_OF_Dispatcher/dispatcher/invalidate.cache

 

When I log in to that dispatcher machine as the root user and try to execute that command (or using localhost), I get the same error. I know the curl command is good as it works for other AEM Dispatchers.

Does anybody have any suggestion as to what the issue can be here?

10 Replies

Level 4
Just a point to mention: the host "My_env_host_name" is not created yet. Is it giving 403 due to that?

Level 4
Hmm... this post does not talk about the issue I am having. I am using a similar curl command for a specific path which works in all other existing dispatchers, so the command is good.

Community Advisor

Hi @Mayukh007

You will need to allow the Jenkins IP in the allowedClients section of your dispatcher .any file, where you have already allowed the publish IP.

/allowedClients {
  /0000 {
    /glob "*.*.*.*"
    /type "deny"
  }
  # AEM publish IP
  /0001 {
    /glob "10.000.12.00"
    /type "allow"
  }
  # Jenkins IP
  /0002 {
    /glob "10.000.12.98"
    /type "allow"
  }
}

Thanks!

Level 4
Hi Asutosh, this does not work even when I log in to the dispatcher machine and run the curl command. I get the same 403 error. So I think the issue is actually in dispatcher permission. Also, like I mentioned in my command, the domain does not exist; that might be a reason.

Community Advisor

Hi @Mayukh007

Please use the below command:

curl -k -H "CQ-Action: DELETE" -H "CQ-Handle:/content/abc" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" https://10.xx.56.xx/dispatcher/invalidate.cache

Please make sure your instance is accessible with HTTPS; otherwise you need to switch to HTTP in the above request.

You can run this from the Jenkins script itself under the Execute Shell option, and it need not be run as the root user.

Thanks!

Level 4
Hi Asutosh, I don't see your post here, but I did try this as well: "curl -k -H "CQ-Action: DELETE" -H "CQ-Handle:/content/abc" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" https://10.xx.56.xx/dispatcher/invalidate.cache". With http I get the same 403 and with https I get connection refused.

Employee Advisor

The Forbidden (403) error means the Publish IP is not allowed to make flush requests to the dispatcher. Basically, the dispatcher checks all the allowedClients, and if the publish IP is not there, it does not allow any requests from that IP to be run on the dispatcher.

Although it seems like a user permissions issue, it is related to the allowed list of IPs.

Level 4

Thank you for the suggestions, jbrar and asutosh.

Here is what I see/did:

1. In my .any file under /allowedclients, I do have PUBLISH_IP allowed from the /etc/sysconfig/httpd file, and the value is correct in that file and set to my publisher IP. I have still added a new rule to explicitly add the publisher IP and restarted Apache:

/2
{
  /glob "10.238.32.42"
  /type "allow"
}

Still, the curl command does not work.

2. Also, when I check the dispatcher flush agents in Author and Publisher, they are also not working and giving 403. One thing I noticed, which I mentioned earlier, is that I do not have the host name for this environment yet. So the host name we need to mention in the Dispatcher Flush in Publisher is blank.

3. I also tried to run the curl command from the publisher and it did not work.

Correct answer by
Community Advisor

@Mayukh007 have a look at this easy-to-follow guide, https://sourcedcode.com/blog/aem/how-to-setup-the-aem-dispatcher-flush-agent

- How is the /dispatcher/invalidate.cache generated?

- How do we securely allow only specific IP addresses to make a flush cache request?

- How to configure a basic dispatcher flush agent on the AEM publish?

As a quick test, please try:

# The allowedClients section restricts the client IP addresses that are
# allowed to issue activation requests.
/allowedClients
{
  # allow all clients (quick test only)
  /0000 { /glob "*" /type "allow" }
}
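
To see how an /allowedClients list like the ones posted in this thread treats a given source address, here is an added Python sketch (not part of the original thread and not Adobe's code). It assumes the last matching rule wins, approximates dispatcher globs with fnmatch, treats "no rule matched" as deny, and uses constructed IP addresses.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configs; the IP addresses are placeholders.
RESTRICTED = '''
/allowedClients {
  /0000 { /glob "*.*.*.*" /type "deny" }
  # AEM publish (constructed address)
  /0001 { /glob "10.0.12.10" /type "allow" }
  # Jenkins (constructed address)
  /0002 { /glob "10.0.12.98" /type "allow" }
}
'''
QUICK_TEST = '''
/allowedClients {
  /0000 { /glob "*" /type "allow" }
}
'''

RULE = re.compile(
    r'/(\w+)\s*\{\s*/glob\s+"([^"]+)"\s*/type\s+"(allow|deny)"\s*\}')

def parse_allowed_clients(text):
    """Return [(name, glob, type)] in file order, skipping # comments."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return RULE.findall(body)

def decide(rules, client_ip):
    """Assumption: the last matching rule wins; no match counts as deny."""
    verdict, matched = "deny", None
    for name, glob, kind in rules:
        if fnmatchcase(client_ip, glob):  # fnmatch approximates the glob
            verdict, matched = kind, name
    return verdict, matched

def audit(rules):
    """Names of allow rules whose glob is only wildcards (open to anyone)."""
    return [n for n, glob, kind in rules
            if kind == "allow" and glob.strip("*.") == ""]

if __name__ == "__main__":
    rules = parse_allowed_clients(RESTRICTED)
    for ip in ("10.0.12.98", "127.0.0.1", "10.0.12.55"):
        print(ip, decide(rules, ip))
    print("open rules (restricted):", audit(rules))
    print("open rules (quick test):", audit(parse_allowed_clients(QUICK_TEST)))
```

A curl run on the dispatcher host itself arrives from 127.0.0.1 or the host's own address, so it is checked against the same list as any other client. The audit flags the quick-test rule as open to every address, which is why it should be replaced by explicit publish and Jenkins entries once the diagnosis is done.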