IP Whitelisting through AEM Dispatcher in 5 easy steps

AEM dispatcher security

The dispatcher is AEM's caching and load-balancing layer, but because it sits in front of the AEM instances it can also be used to block everyone outside the client's network from reaching the author instance. AEM author and publish instances should never be exposed directly. In most cases clients also want the publish dispatchers blocked before go-live, so that nobody except the client can see the site while performance, penetration and UAT testing are carried out.

In this blog I'm going to walk you through 5 easy steps to enable IP whitelisting in Apache so that only an allowed list of IPs can reach AEM through the dispatcher.

1) In Apache, whitelisting is done with the Require directive. Require ip is provided by mod_authz_host; the <RequireAny> container (and Require env, used further down) come from mod_authz_core, which must also be loaded. Make sure mod_authz_host is enabled in /dispatcher/src/conf.modules.d/00-base.conf:

LoadModule authz_host_module modules/mod_authz_host.so


2) In the AMS default variables file /dispatcher/src/conf.d/variables/ams_default.vars, enable whitelisting for author or publish by changing the value from 0 to 1. In the example below it is enabled on the author dispatcher only.

# Enable IP whitelisting by setting to 1.  Then put your whitelist rules in /etc/httpd/conf.d/whitelists/*_whitelist.rules
Define AUTHOR_WHITELIST_ENABLED 1
Define PUBLISH_WHITELIST_ENABLED 0
Define LIVECYCLE_WHITELIST_ENABLED 0


3) Since src/conf.d/available_vhost/aem_author.vhost is an immutable file, create your own client_aem_author.vhost by copying the original aem_author.vhost, as described at https://helpx.adobe.com/experience-manager/kb/ams-dispatcher-manual/immutable-files.html. Having your own copy lets you enable or disable additional features later; for now no further changes to client_aem_author.vhost are needed. The Include directive below (already present in the vhost) loads every rules file whose name ends in "_whitelist.rules" under conf.d/whitelists/, but only when AUTHOR_WHITELIST_ENABLED is 1:

<If "${AUTHOR_WHITELIST_ENABLED} == 1">
     Include conf.d/whitelists/*_whitelist.rules
</If>


4) Since 000_base_whitelist.rules is also immutable, create a new rules file, src/conf.d/whitelists/001_client_whitelist.rules, to hold your IP ranges. The file name must end in _whitelist.rules (no spaces), otherwise the Include glob in the vhost will not pick it up.


5) The last step is to use the Require ip directive to list the IP ranges that may reach the author instance. A request from any address inside one of those ranges is allowed through; everyone else gets a 403 Forbidden. Two things to watch: every entry inside <RequireAny> must be a complete Require directive (a bare CIDR line such as 10.2.3.41/24 is not valid Apache syntax and will stop httpd from starting), and Require ip matches the address Apache sees as the client, so if a load balancer or CDN sits in front of the dispatcher you need mod_remoteip (RemoteIPHeader) configured or every request will appear to come from the proxy. NOTE: changes only take effect after the dispatcher's Apache is restarted; run httpd -t first to validate the configuration.

<RequireAny>
   # Client network ranges (CIDR notation)
   Require ip 10.2.3.41/24
   Require ip 10.10.1.32/27
   # Adobe Target IP addresses
   Require ip 34.253.100.20
   Require ip 34.248.100.23
   Require ip 52.49.228.246
   Require ip 54.205.42.123
   Require ip 107.22.177.39
   Require ip 52.201.5.105
   Require ip 52.193.211.177
   Require ip 18.180.24.249
   Require ip 52.194.154.154
</RequireAny>

NOTE:
If your instance is on AMS you will also have to add the New Relic IP addresses to this list, otherwise monitoring will fail. In addition, the performance testing step needs the Basic authorization value and the User-Agent string provided by your CSE to be allowed through in the same file, otherwise that step fails too. This is done with the SetEnvIf directive (mod_setenvif), which sets an environment variable based on attributes of the request, so that the decision can be based on something other than the source IP. First we match the "Basic" credential and the "User-Agent", each setting the let_me_in variable, then we add Require env let_me_in inside <RequireAny>. Two caveats: SetEnvIf treats its pattern as a regular expression that is searched anywhere in the header value, so anchor it (^...$) and escape any regex metacharacters (a + inside the base64 string, for example); and anything a client can set, the User-Agent in particular, is at best a shared secret, so anyone who learns that string bypasses the IP restriction. The Basic value is only base64, so treat the rules file as containing a password, and remove both bypasses once testing is finished. The code below shows how to add the Basic authorization and the User-Agent match in 001_client_whitelist.rules. For the Require directives see https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requiredirectives, and for SetEnvIf see https://httpd.apache.org/docs/2.4/mod/mod_setenvif.html

# Needed for Assets: match the exact Authorization header (anchored so a
# prefix or substring match cannot set the variable)
SetEnvIf Authorization "^Basic Y2xvhOPndasdfasdfasdfasdfZ2NU16c3RIdkQ/YUpEd0=$" let_me_in

# Adding the User-Agent so AMS can connect and do perf testing (substring
# match; remove once testing is complete)
SetEnvIf User-Agent "CloudPerformanceTest" let_me_in
<RequireAny>
   Require env let_me_in
   # Adobe Target IP addresses
   Require ip 34.253.100.20
   Require ip 34.248.100.23
   Require ip 52.49.228.246
   Require ip 54.205.42.123
   Require ip 107.22.177.39
   Require ip 52.201.5.105
   Require ip 52.193.211.177
   Require ip 18.180.24.249
   Require ip 52.194.154.154
</RequireAny>
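Because a mistake in a rules file (a bare CIDR, a typo, an unanchored regex) only shows up when Apache is restarted, it helps to check the file and try a few requests against it offline first. The script below is an added example for this post, not part of the AMS dispatcher tooling or of Apache: it models just the subset of mod_authz_host, mod_authz_core and mod_setenvif behaviour the rules above use (Require ip inside <RequireAny>, SetEnvIf setting a variable from a header, Require env), lints the file for the errors discussed in steps 5 and in the note, and answers whether a given client IP and header set would get through. The names parse_rules, evaluate and RuleSet, and the sample rule text SAMPLE_RULES and BROKEN_RULES, are constructed here; the Basic value in the sample is base64("test:s3cr3t"), not a real credential.

```python
"""Offline checker for Apache *_whitelist.rules fragments (added example).

Models only: `Require ip <addr|cidr>` inside <RequireAny> (any match allows),
`SetEnvIf <Header> <regex> <var>` (regex searched anywhere in the value,
header name case-insensitive) and `Require env <var>`. Not Apache itself.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the layout of 001_client_whitelist.rules.
SAMPLE_RULES = """\
SetEnvIf Authorization "^Basic dGVzdDpzM2NyM3Q=$" let_me_in
SetEnvIf User-Agent "CloudPerformanceTest" let_me_in
<RequireAny>
   Require env let_me_in
   Require ip 10.2.3.41/24
   Require ip 10.10.1.32/27
   # example Adobe Target address from the post
   Require ip 34.253.100.20
</RequireAny>
"""

# Constructed sample with the bare-CIDR mistake; httpd -t rejects this.
BROKEN_RULES = """\
<RequireAny>
   10.2.3.41/24
   Require ip 10.10.1.32/27
</RequireAny>
"""

_SETENVIF = re.compile(r'^SetEnvIf\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$')


@dataclass
class RuleSet:
    networks: list = field(default_factory=list)   # ip_network objects from Require ip
    env_vars: set = field(default_factory=set)     # variable names from Require env
    setenvif: list = field(default_factory=list)   # (header_lower, compiled regex, var)
    errors: list = field(default_factory=list)     # would break httpd startup
    warnings: list = field(default_factory=list)   # allowlist-bypass hygiene


def parse_rules(text: str) -> RuleSet:
    """Parse a rules fragment and collect lint findings."""
    rs = RuleSet()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line in ("<RequireAny>", "</RequireAny>"):
            continue
        m = re.match(r"^Require\s+ip\s+(.+)$", line)
        if m:
            for tok in m.group(1).split():
                try:  # a.b.c.d and CIDR only; Apache's partial forms ("10.1") are not modelled
                    rs.networks.append(ipaddress.ip_network(tok, strict=False))
                except ValueError:
                    rs.errors.append(f"line {lineno}: invalid address {tok!r}")
            continue
        m = re.match(r"^Require\s+env\s+(\S+)$", line)
        if m:
            rs.env_vars.add(m.group(1))
            continue
        m = _SETENVIF.match(line)
        if m:
            header, quoted, bare, var = m.groups()
            pattern = quoted if quoted is not None else bare
            try:
                rs.setenvif.append((header.lower(), re.compile(pattern), var))
            except re.error as exc:
                rs.errors.append(f"line {lineno}: bad regex {pattern!r}: {exc}")
                continue
            if header.lower() == "authorization":
                anchored = pattern.startswith("^") and pattern.endswith("$")
                if not anchored or re.search(r"(?<!\\)[+?*]", pattern):
                    rs.warnings.append(f"line {lineno}: anchor the Authorization pattern "
                                       "and escape regex metacharacters such as +")
            else:
                rs.warnings.append(f"line {lineno}: {header} is client-controlled; anyone "
                                   "sending that value bypasses the IP allowlist")
            continue
        # Bare CIDRs, typos, anything else: Apache refuses to start on an unknown directive.
        rs.errors.append(f"line {lineno}: not a valid directive: {line!r}")
    return rs


def evaluate(rs: RuleSet, client_ip: str, headers: dict) -> bool:
    """Return True if <RequireAny> would grant a request with this IP and headers."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in rs.networks):
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    env = set()
    for header, rx, var in rs.setenvif:
        value = lowered.get(header)
        if value is not None and rx.search(value):  # SetEnvIf matches anywhere in the value
            env.add(var)
    return bool(env & rs.env_vars)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("errors:", rules.errors, "warnings:", rules.warnings)
    print("10.2.3.200 allowed:", evaluate(rules, "10.2.3.200", {}))
    print("broken file:", parse_rules(BROKEN_RULES).errors)
```

Run it against your own 001_client_whitelist.rules by reading the file into parse_rules and calling evaluate with the client address and headers you expect from the load balancer, the New Relic checks and the CSE's performance test. The evaluator deliberately reports the User-Agent rule as a warning rather than an error: it is what the AMS testing step needs, but it is also exactly the line to delete once testing is over.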


About the Author

Huzaifah is a certified AEM architect who has worked on several complex integrations for many Fortune 500 companies. He loves to solve problems and believes in knowledge sharing. His passion outside of work is travel and food.
