diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml index a21905fd..0b56a1c4 100644 --- a/.github/workflows/maven-build.yml +++ b/.github/workflows/maven-build.yml @@ -19,33 +19,20 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ ubuntu-latest ] java: [8, 11, 17] + os: [ubuntu-latest] + distribution: [temurin] steps: - # Check out Git repository - name: Checkout code uses: actions/checkout@v2 - # Set up environment with Java and Maven - name: Setup JDK - uses: actions/setup-java@v1 + uses: actions/setup-java@v2 with: + distribution: ${{ matrix.distribution }} java-version: ${{ matrix.java }} + cache: 'maven' - # Set up dependency cache - - name: Cache local Maven repository - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - # Build & verify - name: Build and verify run: ./mvnw -s ./.maven-settings.xml -Pcontinuous-integration -B -U clean verify - - # Run code coverage check - - name: Run code coverage check - run: bash <(curl -s https://codecov.io/bash) diff --git a/.github/workflows/maven-deploy.yml b/.github/workflows/maven-deploy.yml index 33d3373e..96d6b65c 100644 --- a/.github/workflows/maven-deploy.yml +++ b/.github/workflows/maven-deploy.yml 
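Review bot: The new `uses: actions/setup-java@v2` line still references the action by a mutable tag, so whatever that tag points to at run time is what executes in the job. Pinning to a full commit SHA, `uses: actions/setup-java@<full-commit-sha>  # v2`, keeps the executed code fixed and reviewable. The same applies to `actions/setup-java@v2` in maven-deploy.yml and, more importantly, to `ncipollo/release-action@v1` in release-from-tag.yml, which runs with a `contents: write` token. The `jobs:` block starts outside this hunk, so any workflow-level `permissions:` setting cannot be checked here.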
@@ -14,39 +14,27 @@ jobs: runs-on: ubuntu-latest steps: - # Check out Git repository - name: Checkout code uses: actions/checkout@v2 - # Configure GIT - name: Configure GIT run: | git config --global user.email "${{ secrets.GH_SITE_DEPLOY_EMAIL }}" git config --global user.name "${{ secrets.GH_SITE_DEPLOY_NAME }}" - # Set up environment with Java and Maven - name: Setup JDK - uses: actions/setup-java@v1 + uses: actions/setup-java@v2 with: - java-version: 1.8 + distribution: temurin + java-version: 8 + cache: 'maven' - # Set up dependency cache - - name: Cache local Maven repository - uses: actions/cache@v2 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - # Build, deploy to ossrh, generate and stage site - name: Build, verify, deploy, generate site env: SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} run: ./mvnw -s ./.maven-settings.xml -Pcontinuous-integration -B -U clean deploy site - # Deploy site to Github Pages - name: Stage and deploy site run: > ./mvnw -s ./.maven-settings.xml -Pcontinuous-integration -B site:stage scm-publish:publish-scm diff --git a/.github/workflows/release-from-tag.yml b/.github/workflows/release-from-tag.yml new file mode 100644 index 00000000..69bab31b --- /dev/null +++ b/.github/workflows/release-from-tag.yml @@ -0,0 +1,19 @@ +name: Release from Tag + +on: + push: + tags: + - '*' + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@v2 + - uses: ncipollo/release-action@v1 + with: + body: 'Changes: https://devops.wcm.io/conga/definitions/aem/changes-report.html' + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.mvn/wrapper/MavenWrapperDownloader.java b/.mvn/wrapper/MavenWrapperDownloader.java deleted file mode 100644 index b901097f..00000000 --- a/.mvn/wrapper/MavenWrapperDownloader.java +++ /dev/null 
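Review bot: In the `Configure GIT` step the two secrets are expanded by the workflow template engine straight into the script text (`git config --global user.email "${{ secrets.GH_SITE_DEPLOY_EMAIL }}"`), so a quote or `$(` in a stored value is parsed by bash instead of being passed as data. Those lines are unchanged context, but the step is already being edited (its comment is removed). Passing the values through `env:` and quoting the shell variables closes this. This job also holds the Sonatype credentials and now restores `cache: 'maven'`, so it is worth confirming that no less-trusted workflow on the same branch can populate that cache. The `steps:` list begins outside the hunk.

```yaml
      - name: Configure GIT
        env:
          GIT_DEPLOY_EMAIL: ${{ secrets.GH_SITE_DEPLOY_EMAIL }}
          GIT_DEPLOY_NAME: ${{ secrets.GH_SITE_DEPLOY_NAME }}
        run: |
          git config --global user.email "$GIT_DEPLOY_EMAIL"
          git config --global user.name "$GIT_DEPLOY_NAME"
      # … unchanged: Setup JDK, build/deploy and site steps …
```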
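Review bot: The `actions/checkout@v2` step in this new workflow leaves the job's `contents: write` token in the checkout's git configuration by default, and nothing later in the job runs git. If the release step does not need the working tree (no artifacts are uploaded here), the checkout can be dropped; otherwise add `with:` / `persist-credentials: false` to it. The tag filter `'*'` also means every pushed tag publishes a release, so a pattern that matches only the project's release-tag naming would narrow what can trigger it.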
@@ -1,117 +0,0 @@ -/* - * Copyright 2007-present the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -import java.net.*; -import java.io.*; -import java.nio.channels.*; -import java.util.Properties; - -public class MavenWrapperDownloader { - - private static final String WRAPPER_VERSION = "0.5.6"; - /** - * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided. - */ - private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/" - + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar"; - - /** - * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to - * use instead of the default one. - */ - private static final String MAVEN_WRAPPER_PROPERTIES_PATH = - ".mvn/wrapper/maven-wrapper.properties"; - - /** - * Path where the maven-wrapper.jar will be saved to. - */ - private static final String MAVEN_WRAPPER_JAR_PATH = - ".mvn/wrapper/maven-wrapper.jar"; - - /** - * Name of the property which should be used to override the default download url for the wrapper. 
- */ - private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl"; - - public static void main(String args[]) { - System.out.println("- Downloader started"); - File baseDirectory = new File(args[0]); - System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath()); - - // If the maven-wrapper.properties exists, read it and check if it contains a custom - // wrapperUrl parameter. - File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH); - String url = DEFAULT_DOWNLOAD_URL; - if(mavenWrapperPropertyFile.exists()) { - FileInputStream mavenWrapperPropertyFileInputStream = null; - try { - mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile); - Properties mavenWrapperProperties = new Properties(); - mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream); - url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url); - } catch (IOException e) { - System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'"); - } finally { - try { - if(mavenWrapperPropertyFileInputStream != null) { - mavenWrapperPropertyFileInputStream.close(); - } - } catch (IOException e) { - // Ignore ... 
- } - } - } - System.out.println("- Downloading from: " + url); - - File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH); - if(!outputFile.getParentFile().exists()) { - if(!outputFile.getParentFile().mkdirs()) { - System.out.println( - "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'"); - } - } - System.out.println("- Downloading to: " + outputFile.getAbsolutePath()); - try { - downloadFileFromURL(url, outputFile); - System.out.println("Done"); - System.exit(0); - } catch (Throwable e) { - System.out.println("- Error downloading"); - e.printStackTrace(); - System.exit(1); - } - } - - private static void downloadFileFromURL(String urlString, File destination) throws Exception { - if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) { - String username = System.getenv("MVNW_USERNAME"); - char[] password = System.getenv("MVNW_PASSWORD").toCharArray(); - Authenticator.setDefault(new Authenticator() { - @Override - protected PasswordAuthentication getPasswordAuthentication() { - return new PasswordAuthentication(username, password); - } - }); - } - URL website = new URL(urlString); - ReadableByteChannel rbc; - rbc = Channels.newChannel(website.openStream()); - FileOutputStream fos = new FileOutputStream(destination); - fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE); - fos.close(); - rbc.close(); - } - -} diff --git a/.mvn/wrapper/maven-wrapper.jar b/.mvn/wrapper/maven-wrapper.jar index 2cc7d4a5..c1dd12f1 100644 Binary files a/.mvn/wrapper/maven-wrapper.jar and b/.mvn/wrapper/maven-wrapper.jar differ diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties index 598fb341..8c79a83a 100644 --- a/.mvn/wrapper/maven-wrapper.properties +++ b/.mvn/wrapper/maven-wrapper.properties 
@@ -1,2 +1,18 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.4/apache-maven-3.8.4-bin.zip -wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar +wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar diff --git a/README.md b/README.md index d0a6eb5c..1ccec14f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ CONGA AEM Definitions ====== [![Build](https://github.com/wcm-io-devops/conga-aem-definitions/workflows/Build/badge.svg?branch=develop)](https://github.com/wcm-io-devops/conga-aem-definitions/actions?query=workflow%3ABuild+branch%3Adevelop) +[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem) Documentation: https://devops.wcm.io/conga/definitions/aem/
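Review bot: Neither `distributionUrl` nor the new `wrapperUrl` is accompanied by a checksum, and the replaced `maven-wrapper.jar` is a binary this diff cannot show, so the integrity of what `./mvnw` executes in the deploy job rests on HTTPS and on the repository alone. It would help to record the SHA-256 of the committed jar in the PR and confirm it matches the `maven-wrapper-3.1.0.jar` published at the `wrapperUrl`. As far as I know, checksum pinning through `distributionSha256Sum` / `wrapperSha256Sum` is only honoured by wrapper releases newer than 3.1.0, so this is worth revisiting at the next wrapper upgrade.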
Issues: https://wcm-io.atlassian.net/projects/WDCONGA
diff --git a/changes.xml b/changes.xml index 07645e9f..ab7800dc 100644 --- a/changes.xml +++ b/changes.xml @@ -23,6 +23,21 @@ xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd"> + + + Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Make log level for mod_rewrite configurable. + + + Role aem-dispatcher-cloud: Synch with default dispatcher configuration from Adobe project archetype 24 to 35. + + + Role aem-dispatcher-cloud: Add back symlink of "default.host" which was removed in 1.11.2. + + + Fix sling mappings to avoid generation of reverse mapping for "/". Because it would otherwise match every path that is not caught by sling mappings, even when they are not under a sling mapping root path. + + + Role aem-cms: Do not show warning for uncovered node /etc/replication. diff --git a/conga-aem-definitions/pom.xml b/conga-aem-definitions/pom.xml index eafcfe43..61205350 100644 --- a/conga-aem-definitions/pom.xml +++ b/conga-aem-definitions/pom.xml @@ -25,13 +25,13 @@ io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.parent - 1.11.4 + 1.12.0 ../parent/pom.xml io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem - 1.11.4 + 1.12.0 config-definition CONGA AEM Definitions @@ -51,7 +51,7 @@ io.wcm.devops.conga conga-maven-plugin - 1.14.4 + 1.14.6 true diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost index bcd3c0b5..e170bd81 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost 
@@ -1,5 +1,5 @@ # -# This is the default publish virtualhost definition for Apache. +# This is the default publish virtualhost definition for Apache. # # DO NOT EDIT this file, your changes will have no impact on your deployment. # @@ -17,11 +17,13 @@ Include conf.d/variables/custom.vars ServerAlias "*" # Use a document root that matches the one in conf.dispatcher.d/default.farm DocumentRoot "${DOCROOT}" + # URI dereferencing algorithm is applied at Sling's level, do not decode parameters here + AllowEncodedSlashes NoDecode # Add header breadcrumbs for help in troubleshooting Header add X-Vhost "publish" - + # Some items cache with the wrong mime type # Use this option to use the name to auto-detect mime types when cached improperly @@ -35,19 +37,14 @@ Include conf.d/variables/custom.vars Options FollowSymLinks AllowOverride None + Require all granted # Insert filter SetOutputFilter DEFLATE # Don't compress images SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary - # Make sure proxies don't deliver the wrong content - Header append Vary User-Agent env=!dont-vary # Prevent clickjacking Header always append X-Frame-Options SAMEORIGIN - - AllowOverride None - Require all granted - # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module DispatcherUseProcessedURL On diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/dispatcher_vhost.conf b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/dispatcher_vhost.conf index 74acc084..450e32df 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/dispatcher_vhost.conf +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/dispatcher_vhost.conf 
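Review bot: With `AllowEncodedSlashes NoDecode`, a `%2F` in the request path is no longer rejected by httpd and reaches the dispatcher module and the publish instance still encoded. Path-based decisions (the dispatcher `/filter` rules, the cache `/rules`, rewrite conditions) may therefore see a different path than the one Sling finally resolves. The added comment explains why decoding is left to Sling but not that consequence; I would extend it with `# NOTE: encoded slashes pass through un-decoded; filter and cache rules must be tested with %2F paths` and add a regression check that an encoded-slash variant of a denied path is still denied. The enclosing virtual-host block opens and closes outside this hunk, and its container tags are missing from this rendering.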
@@ -10,39 +10,103 @@ ServerName dispatcher Include conf.d/variables/default.vars Include conf.d/variables/global.vars -#If the module loads correctly then apply base settings for the module +#SKYOPS-13837: Proxy static frontend code requests through dispatcher + + SSLProxyEngine on + + RewriteRule "^/mnt/var/www/html/libs/cq/frontend-static(/[^\.].*)$" "%{env:FRONTEND_URI_PREFIX}$1?%{env:FRONTEND_URI_SUFFIX}" [P,L] + + + +# CQ-4315090: Allow the functional replication to access publish instance directly for dev and stage environments + + + ProxyPassMatch http://${AEM_HOST}:${AEM_PORT} + RewriteEngine Off + + + + + ProxyPassMatch http://${AEM_HOST}:${AEM_PORT} + RewriteEngine Off + + + +# If the module loads correctly then apply base settings for the module - # location of the configuration file. eg: 'conf/dispatcher.any' - DispatcherConfig conf.dispatcher.d/dispatcher.any - - # Format for the dispatcher log file - LogFormat "%t \"%m %{dispatcher:uri}e%q %H\" %{dispatcher:status}e %{dispatcher:cache}e [%{dispatcher:backend}e] %{ms}Tms \"%{Host}i\"" dispatcher - CustomLog "| /usr/sbin/rotatelogs -e -f -t logs/dispatcher.log 86400" dispatcher "expr=%{HANDLER} == 'dispatcher-handler'" - - # Log level for the dispatcher module - LogLevel dispatcher_module:${DISP_LOG_LEVEL} rewrite_module:${REWRITE_LOG_LEVEL} - - # if turned to 1, request to / are not handled by the dispatcher - # use the mod_alias then for the correct mapping - DispatcherDeclineRoot Off - - # if turned to 1, the dispatcher uses the URL already processed - # by handlers preceeding the dispatcher (i.e. mod_rewrite) - # instead of the original one passed to the web server. - DispatcherUseProcessedURL On - # Default value of 0 but if its set to 1 then the dispatcher will have apache handle all errors - # If set to a string of error numbers it will only hand off those errors to apache to handle - #DispatcherPassError 403,404 - #DispatcherPassError 1 - + # location of the configuration file. 
eg: 'conf/dispatcher.any' + DispatcherConfig conf.dispatcher.d/dispatcher.any + + # Format for the dispatcher log file + LogFormat "%t \"%m %{dispatcher:uri}e%q %H\" %{dispatcher:status}e %{dispatcher:cache}e [%{dispatcher:backend}e] %{ms}Tms \"%{Host}i\"" dispatcher + CustomLog "| /usr/sbin/rotatelogs -e -f -t logs/dispatcher.log 86400" dispatcher "expr=%{HANDLER} == 'dispatcher-handler'" + + # Log level for the dispatcher module + LogLevel dispatcher_module:${DISP_LOG_LEVEL} rewrite_module:${REWRITE_LOG_LEVEL} + + # if turned to 1, request to / are not handled by the dispatcher + # use the mod_alias then for the correct mapping + DispatcherDeclineRoot Off + + # if turned to 1, the dispatcher uses the URL already processed + # by handlers preceeding the dispatcher (i.e. mod_rewrite) + # instead of the original one passed to the web server. + DispatcherUseProcessedURL On + # Default value of 0 but if its set to 1 then the dispatcher will have apache handle all errors + # If set to a string of error numbers it will only hand off those errors to apache to handle + # DispatcherPassError 403,404 + # DispatcherPassError 1 + + # Setting to replace the Host header with the value of X-Forwarded-Host + # + # Possible values are: Off, On or a file name, containing the edge key to expect + # Default: Off + DispatcherUseForwardedHost ${FORWARDED_HOST_SETTING} - - # Expire text/html after this many seconds - ExpiresActive On - ExpiresByType text/html A${EXPIRATION_TIME} + # When enabled it removes Cache-Control headers set by mod_expires to unchacheable content + DispatcherRestrictUncacheableContent On -# Include all *.vhost files in enabled_vhosts + + + # Expire text/html after this many seconds + ExpiresActive On + ExpiresByType text/html A${EXPIRATION_TIME} + + Header unset Age + + +# Allow ingressroute checks through on /systemready (regardless of dispatcher filters) + + ProxyPass http://${AEM_HOST}:${AEM_PORT}/systemready + RewriteEngine Off + + +# Allow access to CRXDE on 
dev environment + + + ProxyPassMatch http://${AEM_HOST}:${AEM_PORT} + RewriteEngine Off + + + +# CQ-4287185: Allow access to magento reverse-proxy endpoint + + SSLProxyEngine on + + ProxyPass ${COMMERCE_ENDPOINT} + ProxyPassReverse ${COMMERCE_ENDPOINT} + RewriteEngine Off + + + +# Disable access to default CGI scripts + + AllowOverride None + Options None + Require all denied + + Include conf.d/enabled_vhosts/*.vhost # Create a catch-all vhost 
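Review bot: Both `SSLProxyEngine on` additions (the frontend-static rewrite with `[P]` and the `${COMMERCE_ENDPOINT}` proxy) enable TLS to a backend, but no `SSLProxyVerify` or CA bundle directive appears in this hunk, and mod_ssl's default is not to verify the remote certificate. Unless that is configured elsewhere, I would add `SSLProxyVerify require` with `SSLProxyCACertificateFile <path-to-ca-bundle>` and keep `SSLProxyCheckPeerName on` next to each `SSLProxyEngine on`. Separately, `DispatcherUseForwardedHost ${FORWARDED_HOST_SETTING}` replaces Host with a client-suppliable header when set to `On`, so its comment should state that `On` is only safe behind an edge that overwrites X-Forwarded-Host, and otherwise recommend the edge-key file form. The container tags around the new proxy blocks are missing from this rendering, so the conditions under which the replication and CRXDE pass-throughs apply cannot be checked here.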
@@ -53,28 +117,28 @@ Include conf.d/enabled_vhosts/*.vhost # That way bots and hackers won't know what purpose a random IP listening on webports is really doing. # Hitting the catch all doesn't let them know the customer is ExampleCo.com etc.. - ServerName unmatched-host-catch-all - ServerAlias "*" - # Azure traffic manager will hit here so lets have a custom log for that - SetEnvIf User-agent .*Azure\sTraffic\sManager.* trafficmanager - CustomLog logs/healthcheck_access_log combined env=trafficmanager - CustomLog logs/httpd_access.log combined env=!trafficmanager - - # Specify where the catch all html files live - DocumentRoot /var/www/localhost/htdocs - # Add some visible targets AKA breadcrumbs that you can see in your browser dev tools or curl -I command - - Options Indexes FollowSymLinks - AllowOverride None - Require all granted - - - Header always add X-Vhost catch-all - - - RewriteEngine on - RewriteRule ^/* /index.html [PT,L,NC] - + ServerName unmatched-host-catch-all + ServerAlias "*" + # Azure traffic manager will hit here so lets have a custom log for that + SetEnvIf User-agent .*Azure\sTraffic\sManager.* trafficmanager + CustomLog logs/healthcheck_access_log combined env=trafficmanager + CustomLog logs/httpd_access.log combined env=!trafficmanager + + # Specify where the catch all html files live + DocumentRoot /var/www/localhost/htdocs + # Add some visible targets AKA breadcrumbs that you can see in your browser dev tools or curl -I command + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + Header always add X-Vhost catch-all + + + RewriteEngine on + RewriteRule ^/* /index.html [PT,L,NC] + # We want to make sure the apache versions are hidden so avoid possible attack vectors 
diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules index d4beaf2d..42215053 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules 
@@ -6,28 +6,29 @@ # Instead modify your rewrite.rules file # -#Examples: +# Examples: # This ruleset would look for robots.txt and fetch it from the dam only if the domain is exampleco-dev.adobecqms.net -#RewriteCond %{SERVER_NAME} exampleco-dev.adobecqms.net [NC] -#RewriteRule ^/robots.txt$ /content/dam/exampleco/robots.txt [NC,PT] +# RewriteCond %{SERVER_NAME} exampleco-dev.adobecqms.net [NC] +# RewriteRule ^/robots.txt$ /content/dam/exampleco/robots.txt [NC,PT] # This ruleset would look for favicon.ico in exampleco's base dam folder if the domain is exampleco-brand1-dev.adobecqms.net -#RewriteCond %{SERVER_NAME} exampleco-brand1-dev.adobecqms.net [NC] -#RewriteRule ^/favicon.ico$ /content/dam/exampleco/favicon.ico [NC,PT] +# RewriteCond %{SERVER_NAME} exampleco-brand1-dev.adobecqms.net [NC] +# RewriteRule ^/favicon.ico$ /content/dam/exampleco/favicon.ico [NC,PT] # This ruleset would look for sitemap.xml and point it at the re-usable file in exampleco's general folder of their site pages -#RewriteCond %{SERVER_NAME} exampleco-brand2-dev.adobecqms.net [NC] -#RewriteRule ^/sitemap.xml$ /content/exampleco/general/sitemap.xml [NC,PT] +# RewriteCond %{SERVER_NAME} exampleco-brand2-dev.adobecqms.net [NC] +# RewriteRule ^/sitemap.xml$ /content/exampleco/general/sitemap.xml [NC,PT] # This ruleset would look for logo.jpg on all sites and source it from exampleco's general folder -#RewriteRule ^/logo.jpg$ /content/dam/exampleco/general/logo.jpg [NC,PT] +# RewriteRule ^/logo.jpg$ /content/dam/exampleco/general/logo.jpg [NC,PT] # This ruleset is a vanity url that exampleco's contactus site that doesn't exist on our environment -#RewriteRule ^/contactus https://corp.exampleco.com/contactus.html [NC,R=301] +# RewriteRule ^/contactus https://corp.exampleco.com/contactus.html [NC,R=301] # Prevent X-FORWARDED-FOR spoofing RewriteCond %{HTTP:X-Forwarded-For} !^$ RewriteCond %{HTTP:X-Forwarded-For} !^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} +RewriteCond %{HTTP:X-Forwarded-For} 
!^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])) RewriteRule .* - [F] # Uncomment to force HSTS protection -#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" +# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" # Block wordpress DDOS Attempts RewriteRule ^.*xmlrpc.php - [F] diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/variables/global.vars b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/variables/global.vars index 85eac754..6bef338b 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/variables/global.vars +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/variables/global.vars @@ -21,3 +21,12 @@ # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#logging # # Define REWRITE_LOG_LEVEL Warn + + +# Disable default caching headers +# +# The following headers are set by default dispatcher configuration Expires, Cache-Control, Age. +# If you uncomment and define DISABLE_DEFAULT_CACHING variable these headers are not set any more +# and you can fully customize the caching behavior. +# +# Define DISABLE_DEFAULT_CACHING 
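Review bot: The added IPv6 condition, like the IPv4 one above it, is anchored only at the start (`!^(...)` with no `$`), so any X-Forwarded-For value that merely begins with an address passes, whatever text follows. That makes the block a format check on the first token rather than the spoofing prevention its comment claims, since a client can still send any well-formed address. If trailing proxy lists are intended, make that explicit in the pattern. For actual trust decisions, take the client address from mod_remoteip (`RemoteIPHeader X-Forwarded-For` with `RemoteIPTrustedProxy <edge-proxy-range>`) instead of the raw header. I would also reword the comment to `# Reject malformed X-Forwarded-For values (format check only)`.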
diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/available_farms/default.farm b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/available_farms/default.farm index b4383bc9..4b8aa0a7 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/available_farms/default.farm +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/available_farms/default.farm @@ -30,11 +30,11 @@ # if the package is installed on publishers to generate a list of all content with a vanityurl attached # this section will auto-allow the items to bypass the normal dispatcher filters # Reference: https://docs.adobe.com/docs/en/dispatcher/disp-config.html#Enabling%20Access%20to%20Vanity%20URLs%20-%20/vanity_urls - #/vanity_urls { + # /vanity_urls { # /url "/libs/granite/dispatcher/content/vanityUrls.html" # /file "/tmp/vanity_urls" # /delay 300 - #} + # } # allow propagation of replication posts (should seldomly be used) /propagateSyndPost "0" # the cache is used to store requests from the renders for faster delivery @@ -42,9 +42,9 @@ /cache { # The cacheroot must be equal to the document root of the webserver /docroot "${DOCROOT}" - # sets the level upto which files named ".stat" will be created in the - # document root of the webserver. when an activation request for some - # handle is received, only files within the same subtree are affected + # sets the level upto which files named ".stat" will be created in the + # document root of the webserver. when an activation request for some + # handle is received, only files within the same subtree are affected # by the invalidation. /statfileslevel "2" # caches also authorized data 
@@ -74,6 +74,12 @@ /glob "*.html" /type "allow" } + # to ensure that AEM forms HTMLs are not auto-invalidated due to invalidation of any other resource. It is supposed to be deleted only after its own activation. + /0002 + { + /glob "/content/forms/**/*.html" + /type "deny" + } } /allowedClients { $include "../cache/default_invalidate.any" @@ -81,11 +87,11 @@ # The ignoreUrlParams section contains query string parameter names that # should be ignored when determining whether some request's output can be # cached or delivered from cache. - # In this example configuration, the "q" parameter will be ignored. - #/ignoreUrlParams { + # In this example configuration, the "q" parameter will be ignored. + # /ignoreUrlParams { # /0001 { /glob "*" /type "deny" } # /0002 { /glob "q" /type "allow" } - #} + # } # Cache response headers next to a cached file. On the first request to # an uncached resource, all headers matching one of the values found here diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/cache/default_rules.any b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/cache/default_rules.any index cda3557e..8ced38ce 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/cache/default_rules.any +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/cache/default_rules.any @@ -18,3 +18,29 @@ /glob "*" /type "allow" } +# Don't cache csrf login tokens +/0001 { + /glob "/libs/granite/csrf/token.json" + /type "deny" +} + +# AEM Screens cache rules +# Do not cache Screens channels json +/0010 { + /glob "/content/screens/svc.channels.json" + /type "deny" +} +/0011 { + /glob "/content/screens/svc/channels.channels.json" + /type "deny" +} +/0012 { + /glob "/screens/channels.json" + /type "deny" +} + +# GraphQL cache rules for persistent queries +/0020 { + /glob "/graphql/execute.json/*" + /type "deny" +} 
diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any index a7b8cf53..76f14d09 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any @@ -39,3 +39,5 @@ "destination" "Sling-uploadmode" "x-requested-with" +"If-Modified-Since" +"Authorization" diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/dispatcher.any b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/dispatcher.any index 069b0fdc..820e32da 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/dispatcher.any +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/dispatcher.any @@ -6,6 +6,6 @@ # /farms { - # Include all *.farm files in enabled_farms - $include "enabled_farms/*.farm" + # Include all *.farm files in enabled_farms + $include "enabled_farms/*.farm" } diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/filters/default_filters.any b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/filters/default_filters.any index 6ef01076..5af14b34 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/filters/default_filters.any +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/filters/default_filters.any 
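Review bot: Adding `"Authorization"` to the forwarded client headers means request credentials now reach the publish instance, so the dispatcher cache must not store responses to such requests. The farm's `/allowAuthorized` value is not visible in this diff; only its comment `# caches also authorized data` appears as context in default.farm. Please confirm it stays `"0"` and record the dependency next to the new header with `# requires /allowAuthorized "0" in the farm's /cache section so authenticated responses are not cached`. The header list starts outside this hunk.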
@@ -11,15 +11,15 @@ /0001 { /type "deny" /url "*" } # Open consoles if this isn't a production environment by uncommenting the next few lines -#/002 { /type "allow" /url "/crx/*" } # allow content repository -#/003 { /type "allow" /url "/system/*" } # allow OSGi console +# /002 { /type "allow" /url "/crx/*" } # allow content repository +# /003 { /type "allow" /url "/system/*" } # allow OSGi console # allow non-public content directories if this isn't a production environment by uncommenting the next few lines -#/004 { /type "allow" /url "/apps/*" } # allow apps access -#/005 { /type "allow" /url "/bin/*" } # allow bin path access +# /004 { /type "allow" /url "/apps/*" } # allow apps access +# /005 { /type "allow" /url "/bin/*" } # allow bin path access # This rule allows content to be access -/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } # disable this rule to allow mapped content only +/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html|mp4|mov|m4v)' /path "/content/*" } # disable this rule to allow mapped content only # Enable specific mime types in non-public content directories /0011 { /type "allow" /method "GET" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|png|svg|swf|ttf|woff|woff2)' } 
@@ -46,3 +46,46 @@ # Allow index page /0030 { /type "allow" /url "/index.html" } + +# Allow IMS Authentication +/0031 { /type "allow" /method "GET" /url "/callback/j_security_check" } + +# AEM Forms specific filters +# to allow AF specific endpoints for prefill, submit and sign +/0032 { /type "allow" /path "/content/forms/af/*" /method "POST" /selectors '(submit|internalsubmit|agreement|signSubmit|prefilldata|save)' /extension '(jsp|json)' } + +# to allow AF specific endpoints for thank you page +/0033 { /type "allow" /path "/content/forms/af/*" /method "GET" /selectors '(guideThankYouPage|guideAsyncThankYouPage)' /extension '(html)'} + +# to allow AF specific endpoints for lazy loading +/0034 { /type "allow" /path "/content/forms/af/*" /method "GET" /extension '(jsonhtmlemitter)'} + +# to allow fp related functionalities +/0035 { /type "allow" /path "/content/forms/*" /selectors '(fp|attach|draft|dor|api)' /extension '(html|jsp|json|pdf)' } + +# to allow forms access via dam path +/0036 { /type "allow" /path "/content/dam/formsanddocuments/**/jcr:content" /method "GET"} + +# to allow invoke service functionality (FDM) +/0037 { /type "allow" /path "/content/forms/*" /selectors '(af)' /extension '(dermis)' } + +# AEM Screens Filters +# to allow AEM Screens channels selectors +/0050 { /type "allow" /method "GET" /url "/screens/channels.json" } + +# to allow AEM Screens Content and selectors +/0051 { /type "allow" /method '(GET|HEAD)' /url "/content/screens/*" } + +# AEM Sites Filters +# to allow site30 theme servlet +/0052 { /type "allow" /extension "theme" /path "/content/*" } + +# Allow GraphQL & preflight requests +# GraphQL also supports "GET" requests, if you intend to use "GET" add a rule in filters.any +/0060 { /type "allow" /method '(POST|OPTIONS)' /url "/content/_cq_graphql/*/endpoint.json" } + +# GraphQL Persisted Queries & preflight requests +/0061 { /type "allow" /method '(GET|POST|OPTIONS)' /url "/graphql/execute.json*" } + +# Allow Forms Doc Generation 
requests +/0062 { /type "allow" /method "POST" /url "/adobe/forms/doc/*" } diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/renders/default_renders.any b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/renders/default_renders.any index 8d388fba..affa9373 100644 --- a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/renders/default_renders.any +++ b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/renders/default_renders.any @@ -5,7 +5,7 @@ # /0 { - /hostname "${AEM_HOST}" - /port "${AEM_PORT}" - /timeout "10000" + /hostname "${AEM_HOST}" + /port "${AEM_PORT}" + /timeout "10000" } diff --git a/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/opt-in/USE_SOURCES_DIRECTLY b/conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/opt-in/USE_SOURCES_DIRECTLY new file mode 100644 index 00000000..e69de29b diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml index 86ea7129..6fef6492 100644 --- a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml +++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml @@ -250,6 +250,8 @@ config: level: warn # Access logging similar to "Combined", but without IP address (privacy protection) accessLogFormat: '"0.0.0.0 %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' + # Log level for mod_rewrite (error, warn, info, debug, trace1-trace8) + rewriteLogLevel: warn ssl: # If set to true all requests are redirected to HTTPS and HSTS is enabled diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml index fd9ae405..d833efff 100644 --- a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml +++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml 
@@ -48,6 +48,8 @@ variants: - destination - Sling-uploadmode - x-requested-with + - If-Modified-Since + - Authorization # Dispatcher filter rules (use only regex, no glob expressions) filter: @@ -56,24 +58,24 @@ variants: type: deny # This rule allows content to be accessed [from default_filters.any] - url: /content(/.*)? - extension: (css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html) + extension: (css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html|mp4|mov|m4v) type: allow # Enable clientlibs proxy servlet [from default_filters.any] - url: /etc.clientlibs(/.*)? - method: "GET" + method: GET type: allow # Basic features: AEM provides a framework aimed at preventing Cross-Site Request Forgery attacks [from default_filters.any] - url: /libs/granite/csrf/token.json - method: "GET" + method: GET extension: json type: allow # Basic features: allow POSTs to form selectors under content [from default_filters.any] - url: /content/*.form.html - method: "POST" + method: POST type: allow # Basic features: enable personalization [from default_filters.any] - url: /libs/cq/personalization(/.*)? - method: "GET" + method: GET type: allow # Deny content grabbing for greedy queries and prevent un-intended self DOS attacks [from default_filters.any] - selectors: (feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content) 
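Review bot: The `Authorization` entry added to the client header list in the first hunk (`@@ -48,6 +48,8 @@`) makes the dispatcher forward client credentials to the publish render, and nothing next to it records what that relies on. Responses to such requests can be user-specific, so the farm's cache section has to keep refusing to cache authorized requests; that setting (`/allowAuthorized`) is not visible in this diff and should be confirmed to be left at its default. I would add a comment above the entry, e.g. `# Credentials are forwarded to publish; keep /allowAuthorized "0" in the farm cache section`. The header list itself starts outside the hunk.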
@@ -87,6 +89,21 @@ variants: # Allow current user [from default_filters.any] - url: /libs/granite/security/currentuser.json type: allow + # Allow IMS Authentication [from default_filters.any] + - url: /callback/j_security_check + type: allow + # AEM Sites Filters: to allow site30 theme servlet [from default_filters.any] + - path: /content/* + extension: theme + type: allow + # Allow GraphQL & preflight requests: GraphQL also supports "GET" requests, if you intend to use "GET" add a rule in filters.any [from default_filters.any] + - url: /content/_cq_graphql/*/endpoint.json + method: (POST|OPTIONS) + type: allow + # GraphQL Persisted Queries & preflight requests [from default_filters.any] + - url: /graphql/execute.json* + method: (GET|POST|OPTIONS) + type: allow # Deny content grabbing for /content - additional selectors not included in default dispatcher.any - path: /content(/.*)? selectors: (ambits|assetsearch|assignments|childrenlist|cloudservices|contentfinder|context|emailservice|exacttarget|ext|form|media|missingpages|mobileapps|pages|paragraphs|payloadsummary|permissions|publications|referencelist|savedsearch|skippedpages|search|social|style|tags|tagtree|timezones) @@ -115,6 +132,12 @@ variants: # Exclude .htx extension from caching - glob: "*.htx" type: deny + # Don't cache csrf login tokens [from default_filters.any] + - glob: /libs/granite/csrf/token.json + type: deny + # GraphQL cache rules for persistent queries [from default_filters.any] + - glob: /graphql/execute.json/* + type: deny # Defines the pages that are "invalidated" after any activation invalidate: @@ -125,10 +148,6 @@ variants: type: allow - glob: "*.json" type: allow - - glob: "/etc/segmentation.segment.js" - type: allow - - glob: "*/analytics.sitecatalyst.js" - type: allow templateDir: aem-dispatcher-cloud 
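Review bot: The `/callback/j_security_check` rule added in the first hunk (`@@ -87,6 +89,21 @@`) carries no `method`, while the SDK rule it is attributed to (`/0031` in default_filters.any, same commit) is limited to `GET`, so the role does not restrict the method on the authentication callback; add `method: GET` under that `url`. Separately, the filter section is headed "use only regex, no glob expressions", yet the new entries `/content/_cq_graphql/*/endpoint.json`, `/graphql/execute.json*` and `path: /content/*` are glob patterns taken over verbatim. If the template renders them as regular expressions they will not match the intended URLs, so forms such as `/content/_cq_graphql/.*/endpoint\.json`, `/graphql/execute\.json.*` and `/content(/.*)?` (the style of the neighbouring rules) look safer. The template is not part of this diff, so this needs checking against the rendered filter file.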
@@ -186,6 +205,10 @@ files: url: classpath:/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules variants: - aem-publish +- file: opt-in/USE_SOURCES_DIRECTLY + url: classpath:/aem-sdk-dispatcher/src/opt-in/USE_SOURCES_DIRECTLY + variants: + - aem-publish # --- dispatcher config --- @@ -240,6 +263,10 @@ files: url: classpath:/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost variants: - aem-publish +- file: conf.d/enabled_vhosts/9999_default.vhost + symlinkTarget: conf.d/available_vhosts/default.vhost + variants: + - aem-publish - file: conf.dispatcher.d/dispatcher.any url: classpath:/aem-sdk-dispatcher/src/conf.dispatcher.d/dispatcher.any variants: @@ -283,6 +310,11 @@ config: serverName: serverAliasNames: + # Logging configuration + logging: + # Log level for mod_rewrite (Error, Warn, Info, Debug, Trace1-Trace8) + rewriteLogLevel: Warn + # Redirecting from "/" (only publish dispatcher) rootRedirect: #url: /en.html diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml index 6aad9dfb..c1d18edf 100644 --- a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml +++ b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml @@ -233,6 +233,8 @@ config: level: warn # Access logging similar to "Combined", but without IP address (privacy protection) accessLogFormat: '"0.0.0.0 %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' + # Log level for mod_rewrite (error, warn, info, debug, trace1-trace8) + rewriteLogLevel: warn # Access restrictions accessRestriction: diff --git a/conga-aem-definitions/src/main/templates/aem-cms/aem-cms-publish-slingmapping.json.hbs b/conga-aem-definitions/src/main/templates/aem-cms/aem-cms-publish-slingmapping.json.hbs index c97dcfc9..7a0fed33 100644 --- a/conga-aem-definitions/src/main/templates/aem-cms/aem-cms-publish-slingmapping.json.hbs +++ b/conga-aem-definitions/src/main/templates/aem-cms/aem-cms-publish-slingmapping.json.hbs 
@@ -12,7 +12,22 @@ {{~#neq serverName "*"}}, "{{serverName}}{{portSuffix}}": { "jcr:primaryType": "sling:Mapping", - "sling:internalRedirect": ["/","{{sling.mapping.rootPath}}"] + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"], + "resolver-mapping": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "(.+)$", + "sling:internalRedirect": ["/$1","{{sling.mapping.rootPath}}/$1"] + }, + "reverse-mapping-root-with-selector": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$1", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}(\\..+)"] + }, + "reverse-mapping-root": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"] + } } {{/neq ~}} {{~#each httpd.serverAliasNames as |alias|}} @@ -20,7 +35,22 @@ {{~#neq serverAlias "*"}}, "{{serverAlias}}{{portSuffix}}": { "jcr:primaryType": "sling:Mapping", - "sling:internalRedirect": ["/","{{../sling.mapping.rootPath}}"] + "sling:internalRedirect": ["{{../sling.mapping.rootPath}}"], + "resolver-mapping": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "(.+)$", + "sling:internalRedirect": ["/$1","{{sling.mapping.rootPath}}/$1"] + }, + "reverse-mapping-root-with-selector": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$1", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}(\\..+)"] + }, + "reverse-mapping-root": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"] + } } {{/neq ~}} {{/each ~}} 
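Review bot: In the alias hunk (`@@ -20,7 +35,22 @@`) the three added child mappings read `{{sling.mapping.rootPath}}`, while the parent entry directly above them, inside the same `{{#each httpd.serverAliasNames}}` block, uses `{{../sling.mapping.rootPath}}`. If the un-prefixed lookup does not fall back to the outer context, the path renders empty and `resolver-mapping` becomes `["/$1","/$1"]`, which would resolve alias hosts against the repository root rather than the site root. Writing `{{../sling.mapping.rootPath}}` in all three, as in `"sling:internalRedirect": ["/$1","{{../sling.mapping.rootPath}}/$1"]`, removes the dependency on that fallback. The same applies to the second alias hunk, `@@ -48,7 +93,22 @@`; the `#each` block opens before these hunks.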
@@ -40,7 +70,22 @@ {{~#neq serverName "*"}}, "{{serverName}}{{portSuffix}}": { "jcr:primaryType": "sling:Mapping", - "sling:internalRedirect": ["/","{{sling.mapping.rootPath}}"] + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"], + "resolver-mapping": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "(.+)$", + "sling:internalRedirect": ["/$1","{{sling.mapping.rootPath}}/$1"] + }, + "reverse-mapping-root-with-selector": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$1", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}(\\..+)"] + }, + "reverse-mapping-root": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"] + } } {{/neq ~}} {{~#each httpd.serverAliasNames as |alias|}} @@ -48,7 +93,22 @@ {{~#neq serverAlias "*"}}, "{{serverAlias}}{{portSuffix}}": { "jcr:primaryType": "sling:Mapping", - "sling:internalRedirect": ["/","{{../sling.mapping.rootPath}}"] + "sling:internalRedirect": ["{{../sling.mapping.rootPath}}"], + "resolver-mapping": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "(.+)$", + "sling:internalRedirect": ["/$1","{{sling.mapping.rootPath}}/$1"] + }, + "reverse-mapping-root-with-selector": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$1", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}(\\..+)"] + }, + "reverse-mapping-root": { + "jcr:primaryType": "sling:Mapping", + "sling:match": "$", + "sling:internalRedirect": ["{{sling.mapping.rootPath}}"] + } } {{/neq ~}} {{/each ~}} diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs index cc73933b..e1fa3910 100644 --- a/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs 
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs @@ -30,7 +30,7 @@ ServerAlias {{this}} {{~#block "logSettings"}} # Possible values include: debug, info, notice, warn, error, crit, alert, emerg. -LogLevel {{httpd.logging.level}} +LogLevel {{httpd.logging.level}} rewrite:{{httpd.logging.rewriteLogLevel}} ErrorLog logs/vhost_{{tenant}}_error.log CustomLog logs/vhost_{{tenant}}_access.log {{httpd.logging.accessLogFormat}} diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs index 68cef9d7..96159d08 100644 --- a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs +++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs @@ -32,13 +32,15 @@ ServerAlias {{this}} {{~#block "generalSettings"}} # Use a document root that matches the one in conf.dispatcher.d/default.farm DocumentRoot "${DOCROOT}" +# URI dereferencing algorithm is applied at Sling's level, do not decode parameters here +AllowEncodedSlashes NoDecode # Add header breadcrumbs for help in troubleshooting Header add X-Vhost "publish" # Webserver in AEM cloud service is always terminated with SSL RequestHeader set X-Forwarded-SSL "on" - + # Some items cache with the wrong mime type # Use this option to use the name to auto-detect mime types when cached improperly 
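Review bot: `AllowEncodedSlashes NoDecode`, added in the cloud vhost hunk (`@@ -32,13 +34,15 @@`), lets request paths containing `%2F` reach the dispatcher module and the publish instance un-decoded, and the added comment explains only why decoding is left to Sling, not what that means for filtering. Whether the dispatcher filter and rewrite rules evaluate the same path that Sling finally resolves cannot be seen from this hunk, so the deny rules should be checked against encoded variants of the protected paths. I would extend the comment, e.g. `# Encoded slashes reach the dispatcher filters un-decoded; deny rules must also hold for %2F variants of protected paths`, and cover that case in the dispatcher configuration tests. The `generalSettings` block continues beyond the hunk.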
@@ -52,19 +54,14 @@ DocumentRoot "${DOCROOT}" Options FollowSymLinks AllowOverride None + Require all granted # Insert filter SetOutputFilter DEFLATE # Don't compress images & videos SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webm|mp4)$ no-gzip dont-vary - # Make sure proxies don't deliver the wrong content - Header append Vary User-Agent env=!dont-vary # Prevent clickjacking Header always append X-Frame-Options SAMEORIGIN - - AllowOverride None - Require all granted - # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module DispatcherUseProcessedURL On diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/variables/global.vars.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/variables/global.vars.hbs index bd418fab..8e7d336d 100644 --- a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/variables/global.vars.hbs +++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/variables/global.vars.hbs @@ -20,9 +20,19 @@ Define DISP_LOG_LEVEL {{dispatcher.logging.level}} # More information can be found at: # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#logging # -# Define REWRITE_LOG_LEVEL Warn +Define REWRITE_LOG_LEVEL {{httpd.logging.rewriteLogLevel}} + + +# Disable default caching headers +# +# The following headers are set by default dispatcher configuration Expires, Cache-Control, Age. +# If you uncomment and define DISABLE_DEFAULT_CACHING variable these headers are not set any more +# and you can fully customize the caching behavior. +# +# Define DISABLE_DEFAULT_CACHING + {{#httpdCloudManagerConditional}} -# Set the default experiation time for text/html responses (in minutes) +# Set the default expiration time for text/html responses (in minutes) Define EXPIRATION_TIME {{httpd.headers.htmlExpirationTimeMin}} {{/httpdCloudManagerConditional}} 
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.dispatcher.d/available_farms/publish.farm.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.dispatcher.d/available_farms/publish.farm.hbs index e6cc8298..710b339b 100644 --- a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.dispatcher.d/available_farms/publish.farm.hbs +++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.dispatcher.d/available_farms/publish.farm.hbs @@ -25,11 +25,11 @@ # if the package is installed on publishers to generate a list of all content with a vanityurl attached # this section will auto-allow the items to bypass the normal dispatcher filters # Reference: https://docs.adobe.com/docs/en/dispatcher/disp-config.html#Enabling%20Access%20to%20Vanity%20URLs%20-%20/vanity_urls - #/vanity_urls { - # /url "/libs/granite/dispatcher/content/vanityUrls.html" - # /file "/tmp/vanity_urls" - # /delay 300 - #} + # /vanity_urls { + # /url "/libs/granite/dispatcher/content/vanityUrls.html" + # /file "/tmp/vanity_urls" + # /delay 300 + # } # allow propagation of replication posts (should seldomly be used) /propagateSyndPost "0" diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs index be4126a0..58a87434 100644 --- a/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs +++ b/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs 
@@ -37,7 +37,7 @@ Protocols h2 h2c http/1.1 {{~#block "logSettings"}} # Possible values include: debug, info, notice, warn, error, crit, alert, emerg. -LogLevel {{httpd.logging.level}} +LogLevel {{httpd.logging.level}} rewrite:{{httpd.logging.rewriteLogLevel}} ErrorLog ${APACHE_LOG_DIR}/vhost_publish_{{httpd.serverName}}_error.log CustomLog ${APACHE_LOG_DIR}/vhost_publish_{{httpd.serverName}}_access.log {{httpd.logging.accessLogFormat}} {{/block}} diff --git a/example/pom.xml b/example/pom.xml index 2465b581..99f68588 100644 --- a/example/pom.xml +++ b/example/pom.xml @@ -32,7 +32,7 @@ io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.example config - 1.11.4 + 1.12.0 CONGA AEM Definitions Example Example environment definition. @@ -43,7 +43,7 @@ io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem - 1.11.4 + 1.12.0 @@ -55,7 +55,7 @@ io.wcm.devops.conga conga-maven-plugin - 1.14.4 + 1.14.6 true diff --git a/example/src/main/environments/test.yaml b/example/src/main/environments/test.yaml index 2283d765..e3c8d87d 100644 --- a/example/src/main/environments/test.yaml +++ b/example/src/main/environments/test.yaml @@ -220,6 +220,7 @@ config: logging: level: error accessLogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' + rewriteLogLevel: debug accessRestriction: adminAccessFromIp: 10.0.0.0/255.0.0.0 adminAccessFromHost: www.example.org @@ -338,4 +339,4 @@ tenants: serverName: www.stage-sample5.com prod: serverName: www.prod-sample5.com - rootRedirect.url: /content/sample4/en.html \ No newline at end of file + rootRedirect.url: /content/sample4/en.html diff --git a/mvnw b/mvnw index 41c0f0c2..5643201c 100755 --- a/mvnw +++ b/mvnw @@ -36,6 +36,10 @@ if [ -z "$MAVEN_SKIP_RC" ] ; then + if [ -f /usr/local/etc/mavenrc ] ; then + . /usr/local/etc/mavenrc + fi + if [ -f /etc/mavenrc ] ; then . /etc/mavenrc fi 
@@ -145,7 +149,7 @@ if [ -z "$JAVACMD" ] ; then JAVACMD="$JAVA_HOME/bin/java" fi else - JAVACMD="`which java`" + JAVACMD="`\\unset -f command; \\command -v java`" fi fi @@ -212,9 +216,9 @@ else echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." fi if [ -n "$MVNW_REPOURL" ]; then - jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar" + jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" else - jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar" + jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" fi while IFS="=" read key value; do case "$key" in (wrapperUrl) jarUrl="$value"; break ;; @@ -233,9 +237,9 @@ else echo "Found wget ... using wget" fi if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then - wget "$jarUrl" -O "$wrapperJarPath" + wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" else - wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" + wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" fi elif command -v curl > /dev/null; then if [ "$MVNW_VERBOSE" = true ]; then @@ -305,6 +309,8 @@ WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain exec "$JAVACMD" \ $MAVEN_OPTS \ + $MAVEN_DEBUG_OPTS \ -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ - "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + "-Dmaven.home=${M2_HOME}" \ + "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" diff --git a/mvnw.cmd b/mvnw.cmd index 86115719..8a15b7f3 100644 --- a/mvnw.cmd +++ b/mvnw.cmd 
@@ -46,8 +46,8 @@ if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") @REM Execute a user defined script before this one if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre @REM check for pre script, once with legacy .bat ending and once with .cmd ending -if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" -if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" +if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %* +if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %* :skipRcPre @setlocal @@ -120,9 +120,9 @@ SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain -set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar" +set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" -FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( +FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B ) @@ -134,7 +134,7 @@ if exist %WRAPPER_JAR% ( ) ) else ( if not "%MVNW_REPOURL%" == "" ( - SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar" + SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" ) if "%MVNW_VERBOSE%" == "true" ( echo Couldn't find %WRAPPER_JAR%, downloading it ... 
@@ -158,7 +158,13 @@ if exist %WRAPPER_JAR% ( @REM work with both Windows and non-Windows executions. set MAVEN_CMD_LINE_ARGS=%* -%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* +%MAVEN_JAVA_EXE% ^ + %JVM_CONFIG_MAVEN_PROPS% ^ + %MAVEN_OPTS% ^ + %MAVEN_DEBUG_OPTS% ^ + -classpath %WRAPPER_JAR% ^ + "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^ + %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* if ERRORLEVEL 1 goto error goto end @@ -168,15 +174,15 @@ set ERROR_CODE=1 :end @endlocal & set ERROR_CODE=%ERROR_CODE% -if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost +if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost @REM check for post script, once with legacy .bat ending and once with .cmd ending -if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" -if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" +if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat" +if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd" :skipRcPost @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' -if "%MAVEN_BATCH_PAUSE%" == "on" pause +if "%MAVEN_BATCH_PAUSE%"=="on" pause -if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% +if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE% -exit /B %ERROR_CODE% +cmd /C exit /B %ERROR_CODE% diff --git a/parent/pom.xml b/parent/pom.xml index 1695e0a0..918cff6d 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -25,13 +25,13 @@ io.wcm.devops io.wcm.devops.parent_toplevel - 1.2.10 + 1.3.0 io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.parent - 1.11.4 + 1.12.0 pom CONGA AEM Definitions diff --git a/pom.xml b/pom.xml index 2e2bb279..2669699a 100644 --- a/pom.xml +++ b/pom.xml 
@@ -23,13 +23,13 @@ io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.parent - 1.11.4 + 1.12.0 parent/pom.xml io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.root - 1.11.4 + 1.12.0 pom CONGA AEM Definitions diff --git a/src/site/site.xml b/src/site/site.xml index 0ec420eb..4304aa67 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -22,7 +22,7 @@ + xsi:schemaLocation="http://maven.apache.org/DECORATION/1.8.0 https://maven.apache.org/xsd/decoration-1.8.0.xsd"> ]]>