CQ Dispatcher Security Consideration

CQ Dispatcher

Secure CQ Using Dispatcher

CQ Dispatcher can be used as the front line for securing your CQ application. You place the Dispatcher in front of your author or publish instance and allow only certain requests to pass through to CQ. Here is some configuration that you can use to secure your CQ instance.

1) /filters

Through Dispatcher filters you can allow only certain requests to pass to CQ. Some common best practices you should follow when writing filters are:

    • Start with "deny all"
    • Allow only what is required. Usually only /content and /etc/designs should be accessible to users
    • Allow only the POST requests that are actually needed

A recommended filter section will look like this.

Dispatcher Filter

# only handle the requests in the following acl. default is 'none'
# the glob pattern is matched against the first request line
/filter
{
  # deny everything and allow specific entries
  /0001 { /type "deny" /glob "*" }

  # open consoles
  # /0012 { /type "allow" /glob "* /crx/*" } # allow content repository
  # /0013 { /type "allow" /glob "* /system/*" } # allow OSGi console

  # allow non-public content directories
  # /0021 { /type "allow" /glob "* /apps/*" } # allow apps access
  # /0022 { /type "allow" /glob "* /bin/*" }
  /0023 { /type "allow" /glob "* /content*" } # disable this rule to allow mapped content only
  # /0024 { /type "allow" /glob "* /libs/*" }
  # /0025 { /type "deny" /glob "* /libs/shindig/proxy*" } # if you enable /libs close access to proxy
  # /0026 { /type "allow" /glob "* /home/*" }
  # /0027 { /type "allow" /glob "* /tmp/*" }
  # /0028 { /type "allow" /glob "* /var/*" }

  # enable specific mime types in non-public content directories
  /0041 { /type "allow" /glob "* *.css *" } # enable css
  /0042 { /type "allow" /glob "* *.gif *" } # enable gifs
  /0043 { /type "allow" /glob "* *.ico *" } # enable icos
  /0044 { /type "allow" /glob "* *.js *" } # enable javascript
  /0045 { /type "allow" /glob "* *.png *" } # enable png
  /0046 { /type "allow" /glob "* *.swf *" } # enable flash
  /0047 { /type "allow" /glob "* *.svg *" } # enable SVG
  /0048 { /type "allow" /glob "* *.woff *" } # enable woff
  /0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
  /0050 { /type "allow" /glob "* *.eot *" } # enable eot
  /0051 { /type "allow" /glob "* *.jpg *" } # enable jpg

  # enable features
  /0061 { /type "allow" /glob "POST /content/[.]*.form.html" } # allow POSTs to form selectors under content
  /0062 { /type "allow" /glob "* /libs/cq/personalization/*" } # enable personalization
  /0063 { /type "allow" /glob "POST /content/[.]*.commerce.cart.json" } # allow POSTs to update the shopping cart

  # deny content grabbing
  /0081 { /type "deny" /glob "GET *.infinity.json*" }
  /0082 { /type "deny" /glob "GET *.tidy.json*" }
  /0083 { /type "deny" /glob "GET *.sysview.xml*" }
  /0084 { /type "deny" /glob "GET *.docview.json*" }
  /0085 { /type "deny" /glob "GET *.docview.xml*" }
  /0086 { /type "deny" /glob "GET *.*[0-9].json*" }
  /0087 { /type "deny" /glob "GET *.feed.xml*" }
  # /0088 { /type "allow" /glob "GET *.1.json*" } # allow one-level json requests

  # deny query
  # This is only required if dispatching for CQ 5.5 or older
  /0090 { /type "deny" /glob "* *.query*" }
}

2) /allowedclients

Through /allowedClients you can configure which clients (by IP address or hostname) are allowed to initiate a cache flush request. Some good practices for this are:

    • Deny access from everyone.
    • Allow only the specific clients that need to flush the cache.

A recommended allowed-clients section will look like this.

Allowed Client Dispatcher

/allowedClients
{
  /0001 { /glob "*.*.*.*" /type "deny" }
  /0002 { /glob "127.0.0.1" /type "allow" }
}
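To see how the deny-all-then-allow ordering in both the /filter and /allowedClients sections plays out, here is a small simulator of the rule evaluation (an added example, not Dispatcher's own code). It assumes that rules are evaluated in order with the last matching rule winning, that Dispatcher globs can be approximated by shell-style fnmatch patterns matched case-sensitively against the full first request line, and that the rule sets below are constructed from a subset of the configuration shown above.

```python
"""Simulator for CQ Dispatcher /filter and /allowedClients evaluation.

Assumptions (not verified against Dispatcher source): rules are evaluated in
order and the LAST matching rule wins; '*' matches any characters, '?' one
character and '[...]' a character class, exactly as Python's fnmatch does;
matching is case-sensitive; the /filter glob is compared with the whole first
request line, e.g. "GET /content/a.html HTTP/1.1".
"""
from fnmatch import fnmatchcase

# Constructed rule sets: (rule_id, type, glob), a subset of the page's config.
FILTER_RULES = [
    ("0001", "deny", "*"),                     # deny everything first
    ("0023", "allow", "* /content*"),          # public content tree
    ("0041", "allow", "* *.css *"),            # static assets by extension
    ("0081", "deny", "GET *.infinity.json*"),  # deny content grabbing
    ("0086", "deny", "GET *.*[0-9].json*"),    # deny depth-limited json dumps
]

ALLOWED_CLIENTS = [
    ("0001", "deny", "*.*.*.*"),               # deny every dotted address
    ("0002", "allow", "127.0.0.1"),            # allow only the local flush agent
]


def evaluate(rules, subject):
    """Return (decision, rule_id); the last rule whose glob matches decides.

    With no matching rule the simulator denies (a defensive default; the
    deny-all first rule makes that case unreachable in these rule sets).
    """
    decision, rule_id = "deny", None
    for rid, rtype, glob in rules:
        if fnmatchcase(subject, glob):
            decision, rule_id = rtype, rid
    return decision, rule_id


def filter_request(request_line):
    """Apply the /filter rules to a raw first request line."""
    return evaluate(FILTER_RULES, request_line)


def flush_allowed(client_ip):
    """Apply the /allowedClients rules to the address sending a flush request."""
    return evaluate(ALLOWED_CLIENTS, client_ip)


if __name__ == "__main__":
    for line in ("GET /content/site/en.html HTTP/1.1",
                 "GET /content/site/en.infinity.json HTTP/1.1",
                 "GET /crx/de/index.jsp HTTP/1.1"):
        print(line, "->", filter_request(line))
```

Returning the deciding rule id alongside the decision is what you want when auditing a rule set: it shows, for instance, that a later deny such as /0081 overrides the broad /content allow from /0023 for an .infinity.json request.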