Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Unable to Run Dispatcher Flush Invalidate.cache

Avatar

Level 4
Level 4
3/31/21 10:25:45 AM

HI,

I am trying to run a jenkins job to flush dispatcher cache and getting below error.

<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dispatcher/invalidate.cache
on this server.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Command I ran:

curl -H "CQ-Action: Delete" -H "CQ-Handle: /content/" -H "CQ-Path: /content/" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" -H "Host:My_env_host_name" http://IP_OF_Dispatcher/dispatcher/invalidate.cache

 

When I login to that dispatcher machine as root user and try to execute that command (or using localhost), I get same error. I know the curl command is good as it works for other AEM Dispatchers.

 

Anybody have any suggestion what can be issue here..?

Views

4.5K

Replies

10
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
4/1/21 9:57:58 AM

@Mayukh007 have a look at this easy to follow the guide, https://sourcedcode.com/blog/aem/how-to-setup-the-aem-dispatcher-flush-agent

- How is the /dispatcher/invalidate.cache generated

- How do we securely allow only specific IP addresses to make a flush cache request?

- How to configure a basic dispatcher flush agent on the AEM publish?

 

As a quick test, please try:

 

# The allowedClients section restricts the client IP addresses that are
# allowed to issue activation requests.
/allowedClients
{
# deny all clients
/0000 { /glob "*" /type "allow" }
}

 

 

View solution in original post

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
10 Replies

Avatar

Level 4
Level 4
3/31/21 11:51:35 AM
Just a point to mention, the host "My_env_host_name" is not created yet, is it giving 403 due to that..?

Views

4.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
3/31/21 5:22:20 PM
In response to Pawan-Gupta
Hmm...this post does not talk about the issue I have having. i am using similar curl command for specific path which works in all other existing dispatchers, so command is good.

Views

4.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
3/31/21 7:03:10 PM

Hi @Mayukh007 

 

You will need to allow the Jenkins IP from your dispatcher allowedClients section in .any file where you have allowed the publish IP already.

 

/allowedClients{
    /0000 {
        /glob "*.*.*.*"
        /type "deny"
    }
    /0001 {
        /glob "10.000.12.00" /* AEM PUBLISH IP */
        /type "allow"
    }
    /0002 {
        /glob "10.000.12.98" /* Jenkins IP */
        /type "allow"
    }
}   

 Thanks!

Views

4.4K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
3/31/21 7:10:18 PM
In response to Asutosh_Jena_
Hi Asutosh, This does not work even when I login to dispatcher machine and run curl command. I get same 403 error. So I think issue is actually in dispatcher permission. Also like I mentioned in my command, the domain does not exist, that might be a reason..

Views

4.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
3/31/21 7:29:50 PM
In response to Asutosh_Jena_

Hi @Mayukh007 

Please use the below command:

 

curl -k -H "CQ-Action: DELETE" -H "CQ-Handle:/content/abc" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" https://10.xx.56.xx/dispatcher/invalidate.cache

 

Please make sure your instance is accessible with HTTPS else you need to switch to HTTP in the above request.

You can run this from the Jenkins script it self under the Execute Shell option and need not to be as root user.

 

Thanks!

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
3/31/21 8:23:50 PM
In response to Asutosh_Jena_
Hi Asutosh, I dont see your post here, but I did try this as well "curl -k -H "CQ-Action: DELETE" -H "CQ-Handle:/content/abc" -H "Content-Length: 0" -H "Content-Type: application/octet-stream" https://10.xx.56.xx/dispatcher/invalidate.cache". With http I get same 403 and with https I get connection refused.

Views

4.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
4/1/21 8:29:34 AM

The forbidden(403) error means the Publish IP is not allowed to make flush requests to the dispatcher. Basically, the dispatcher checks all the allowedclients and if publish IP is not there, It does not allow any requests from that IP to be run on the dispatcher.

 

Although it seems like a user permissions issue but Its related to allowedlist of IP's

Views

4.3K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
4/1/21 1:20:00 PM
In response to Jaideep_Brar

Thank you for the suggestions jbrar and asutosh.

 

Here is what I see/did:

1. In my .any file under /allowedclients, I do have allowed PUBLISH_IP from /etc/sysconfig/httpd file and the value is correct in that file and set to my publisher ip. I have still added new rule to explicitly add published ip and restarted apache:

/2
{
/glob "10.238.32.42"
/type "allow"
}

still curl command does not work.

 

2. Also when I check the dispatcher flush agents in Author and Publisher they are also not working and giving 403. One thing i noticed which I mentioned earlier, that I do not have the host name for this environment yet. So the Host name we need to mention in the Dispatcher FLush in Publisher is blank.

 

3. I also tried to run curl command from publisher and did not work.

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
4/1/21 9:57:58 AM

@Mayukh007 have a look at this easy to follow the guide, https://sourcedcode.com/blog/aem/how-to-setup-the-aem-dispatcher-flush-agent

- How is the /dispatcher/invalidate.cache generated

- How do we securely allow only specific IP addresses to make a flush cache request?

- How to configure a basic dispatcher flush agent on the AEM publish?

 

As a quick test, please try:

 

# The allowedClients section restricts the client IP addresses that are
# allowed to issue activation requests.
/allowedClients
{
# deny all clients
/0000 { /glob "*" /type "allow" }
}

 

 

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
I want to disable the delete copy move and all the other options for the child components Solved

Views

137

Likes

0

Replies

5
How to propagate template code changes to sites using that template

Views

74

Likes

0

Replies

3
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

92

Likes

0

Replies

2
Sharing common data to multiple features in Tab component

Views

215

Likes

0

Replies

13
Ability to preview or thumbnail to preview for XF

Views

82

Likes

0

Replies

2