├── .gitattributes
├── mnt
├── log
│ └── README.md
├── author_docroot
│ └── README.md
└── publish_docroot
│ └── README.md
├── dispatcher-kill
├── dispatcher-login
├── ams
└── 2.6
│ └── etc
│ └── httpd
│ ├── conf.d
│ ├── 000_init_ootb_vars.conf
│ ├── 001_init_ams_vars.conf
│ ├── rewrites
│ │ ├── xforwarded_forcessl_rewrite.rules
│ │ └── base_rewrite.rules
│ ├── security.conf
│ ├── logformat.conf
│ ├── remoteip.conf
│ ├── README
│ ├── variables
│ │ ├── ootb.vars
│ │ └── ams_default.vars
│ ├── mimetypes3d.conf
│ ├── whitelists
│ │ └── 000_base_whitelist.rules
│ ├── available_vhosts
│ │ ├── 000_unhealthy_author.vhost
│ │ ├── 000_unhealthy_publish.vhost
│ │ ├── aem_flush.vhost
│ │ ├── aem_flush_author.vhost
│ │ ├── aem_health.vhost
│ │ ├── ams_lc.vhost
│ │ ├── aem_publish.vhost
│ │ └── aem_author.vhost
│ └── dispatcher_vhost.conf
│ ├── conf.modules.d
│ ├── 00-lua.conf
│ ├── 00-ssl.conf
│ ├── 00-systemd.conf
│ ├── 02-dispatcher.conf
│ ├── 00-dav.conf
│ ├── 01-cgi.conf
│ ├── 00-mpm.conf
│ ├── 00-proxy.conf
│ └── 00-base.conf
│ ├── conf.dispatcher.d
│ ├── clientheaders
│ │ ├── ams_publish_clientheaders.any
│ │ ├── ams_lc_clientheaders.any
│ │ ├── ams_author_clientheaders.any
│ │ └── ams_common_clientheaders.any
│ ├── filters
│ │ ├── ams_lc_filters.any
│ │ ├── ams_author_filters.any
│ │ └── ams_publish_filters.any
│ ├── vhosts
│ │ ├── ams_author_vhosts.any
│ │ ├── ams_lc_vhosts.any
│ │ └── ams_publish_vhosts.any
│ ├── renders
│ │ ├── ams_author_renders.any
│ │ ├── ams_lc_renders.any
│ │ └── ams_publish_renders.any
│ ├── cache
│ │ ├── ams_author_invalidate_allowed.any
│ │ ├── ams_publish_invalidate_allowed.any
│ │ ├── ams_publish_cache.any
│ │ └── ams_author_cache.any
│ ├── dispatcher.any
│ └── available_farms
│ │ ├── 000_ams_catchall_farm.any
│ │ ├── 002_ams_lc_farm.any
│ │ ├── 001_ams_publish_flush_farm.any
│ │ ├── 001_ams_author_flush_farm.any
│ │ ├── 002_ams_author_farm.any
│ │ ├── 100_weretail_publish_farm.any
│ │ └── 002_ams_publish_farm.any
│ └── conf
│ ├── httpd.conf
│ └── magic
├── dispatcher-remote
├── renovate.json
├── .gitignore
├── NOTICE
├── scripts
├── launch.sh
├── env.sh
└── setup.sh
├── .github
└── workflows
│ └── build.yml
├── docker-compose.yaml
├── PULL_REQUEST_TEMPLATE.md
├── Dockerfile
├── CONTRIBUTING.md
├── dispatcher-docker-compose
├── sample
├── weretail.vhost
├── weretail_publish_farm.any
└── weretail_filters.any
├── haproxy
└── haproxy.cfg
├── dispatcher-mount
├── CODE_OF_CONDUCT.md
├── LICENSE
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.sh text eol=lf
2 |
--------------------------------------------------------------------------------
/mnt/log/README.md:
--------------------------------------------------------------------------------
1 | Folder for Dispatcher logs
--------------------------------------------------------------------------------
/mnt/author_docroot/README.md:
--------------------------------------------------------------------------------
1 | Folder for Author cache
--------------------------------------------------------------------------------
/dispatcher-kill:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | docker kill mydispatcher
--------------------------------------------------------------------------------
/mnt/publish_docroot/README.md:
--------------------------------------------------------------------------------
1 | Folder for Publisher cache
--------------------------------------------------------------------------------
/dispatcher-login:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | docker exec -it mydispatcher /bin/bash
4 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/000_init_ootb_vars.conf:
--------------------------------------------------------------------------------
1 | Include /etc/httpd/conf.d/variables/ootb.vars
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/001_init_ams_vars.conf:
--------------------------------------------------------------------------------
1 | Include /etc/httpd/conf.d/variables/ams_*.vars
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-lua.conf:
--------------------------------------------------------------------------------
1 | LoadModule lua_module modules/mod_lua.so
2 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-ssl.conf:
--------------------------------------------------------------------------------
1 | LoadModule ssl_module modules/mod_ssl.so
2 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any:
--------------------------------------------------------------------------------
1 | ##Any publish specific clientheaders go here
--------------------------------------------------------------------------------
/dispatcher-remote:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | docker run -p 80:8080 -p 443:8443 -itd --rm --name mydispatcher --env-file scripts/env.sh dispatcher
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-systemd.conf:
--------------------------------------------------------------------------------
1 | # This file configures systemd module:
2 | LoadModule systemd_module modules/mod_systemd.so
3 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/02-dispatcher.conf:
--------------------------------------------------------------------------------
1 | ##Load the dispatcher_module into runtime
2 | LoadModule dispatcher_module modules/mod_dispatcher.so
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/filters/ams_lc_filters.any:
--------------------------------------------------------------------------------
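1 | ## LiveCycle has no endpoints filtered out: the rule below allows every URL, so access has to be limited elsewhere (for example the IP whitelist enabled by LIVECYCLE_WHITELIST_ENABLED)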
2 | /0001 { /type "allow" /url "*" }
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/vhosts/ams_author_vhosts.any:
--------------------------------------------------------------------------------
1 | ## Put the hostnames that should be honored for author here; glob matching works.
2 | "${AUTHOR_DEFAULT_HOSTNAME}"
3 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/vhosts/ams_lc_vhosts.any:
--------------------------------------------------------------------------------
1 | ## Put the hostnames that should be honored for LiveCycle here; glob matching works.
2 | "${LIVECYCLE_DEFAULT_HOSTNAME}"
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/vhosts/ams_publish_vhosts.any:
--------------------------------------------------------------------------------
1 | ## Put the hostnames that should be honored for publish here; glob matching works.
2 | "${PUBLISH_DEFAULT_HOSTNAME}"
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-dav.conf:
--------------------------------------------------------------------------------
1 | LoadModule dav_module modules/mod_dav.so
2 | LoadModule dav_fs_module modules/mod_dav_fs.so
3 | LoadModule dav_lock_module modules/mod_dav_lock.so
4 |
--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 | "extends": [
4 | "config:recommended"
5 | ],
6 | "ignoreDeps": [
7 | "redhat/ubi8"
8 | ]
9 | }
10 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/renders/ams_author_renders.any:
--------------------------------------------------------------------------------
1 | ## Add values for author instances you'll pull content from
2 | /0 {
3 | /hostname "${AUTHOR_IP}"
4 | /port "${AUTHOR_PORT}"
5 | /timeout "10000"
6 | }
7 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/renders/ams_lc_renders.any:
--------------------------------------------------------------------------------
1 | ## Add values for any livecycle instances you'll pull content from.
2 | /0 {
3 | /hostname "${LIVECYCLE_IP}"
4 | /port "${LIVECYCLE_PORT}"
5 | /timeout "10000"
6 | }
7 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules:
--------------------------------------------------------------------------------
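1 | ## This ruleset forces https in the end user's browser. It trusts the X-Forwarded-Proto header, so the load balancer in front of httpd must set that header itself.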
2 | RewriteCond %{HTTP:X-Forwarded-Proto} !https
3 | RewriteCond %{REQUEST_URI} !^/dispatcher/invalidate.cache
4 | RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301,NE]
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/clientheaders/ams_lc_clientheaders.any:
--------------------------------------------------------------------------------
1 | ##Any livecycle specific clientheaders go here
2 | "authorization"
3 | "proxy-authorization"
4 | "proxy-connection"
5 | "cq-action"
6 | "cq-handle"
7 | "handle"
8 | "action"
9 | "cqstats"
10 | "dav"
11 | "ms-author-via"
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/clientheaders/ams_author_clientheaders.any:
--------------------------------------------------------------------------------
1 | "authorization"
2 | "proxy-authorization"
3 | "proxy-connection"
4 | "cq-action"
5 | "cq-handle"
6 | "handle"
7 | "action"
8 | "cqstats"
9 | "dav"
10 | "ms-author-via"
11 | "x-destination"
12 | "x-depth"
13 | "x-overwrite"
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/cache/ams_author_invalidate_allowed.any:
--------------------------------------------------------------------------------
1 | ## This is where you'd put an entry for each publisher or author that you want to allow to invalidate the cache on the dispatcher
2 | /0 {
3 | /glob "${AUTHOR_IP}"
4 | /type "allow"
5 | }
6 | /01 {
7 | /glob "${PUBLISH_IP}"
8 | /type "allow"
9 | }
10 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/security.conf:
--------------------------------------------------------------------------------
1 | ## Hide the Apache version in error pages and response headers so it cannot be used to fingerprint the server and pick version-specific attacks
2 | ServerSignature Off
3 | ServerTokens Prod
4 |
5 | TraceEnable off
6 |
7 |
8 | Order deny,allow
9 | Deny from all
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/logformat.conf:
--------------------------------------------------------------------------------
1 | ## Log format that records the requested Host and the Referer, and uses %a so that access_log entries show the client IP for direct requests and the proper public address for proxied requests
2 |
3 | LogFormat "%a \"%{Host}i\" %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
4 |
5 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | /.idea/
3 | *.iml
4 |
5 | # do not check in files generated by dispatcher-mount
6 | logs/
7 | cache/
8 | **/enabled_vhosts
9 | **/enabled_farms
10 |
11 | # do not check in samples
12 | **/conf.d/available_vhosts/weretail.vhost
13 | **/conf.dispatcher.d/filters/weretail_filters.any
14 | **/conf.dispatcher.d/available_farms/weretail_publish_farm.any
15 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/remoteip.conf:
--------------------------------------------------------------------------------
1 | #
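2 | # Extract true client IP from header added by load balancer/CDN.
3 | # Without RemoteIPInternalProxy/RemoteIPTrustedProxy, mod_remoteip accepts the header from any peer, so httpd must only be reachable through the load balancer/CDN.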
4 |
5 |
6 | # valid for ALB, ELB, AppGateway or Load Balancer + CloudFront
7 | RemoteIPHeader X-Forwarded-For
8 |
9 | # valid for ALB, ELB, AppGateway or Load Balancer + Akamai
10 | #RemoteIPHeader True-Client-IP
11 |
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | AEM Dispatcher Docker Container
2 | Copyright 2024 Adobe Systems Incorporated
3 |
4 | This software is licensed under the Apache License, Version 2.0 (see
5 | LICENSE file).
6 |
7 | This software uses the following third party libraries that may have
8 | licenses differing from that of the software itself. You can find the
9 | libraries and their respective licenses below.
10 |
11 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any:
--------------------------------------------------------------------------------
1 | ## This is where you'd put an entry for each publisher or author that you want to allow to invalidate the cache on the dispatcher
2 | /0 {
3 | /glob "${AUTHOR_IP}"
4 | /type "allow"
5 | }
6 | /01 {
7 | /glob "${PUBLISH_IP}"
8 | /type "allow"
9 | }
10 | /02 {
11 | /glob "127.0.0.1"
12 | /type "allow"
13 | }
14 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any:
--------------------------------------------------------------------------------
1 | ## Add values for any publish instances you'll pull content from.
2 | ## It's recommended to use paired sets of dispatchers to publishers
3 | ## Example: Dispatcher1 only grabs from Publisher1, but you don't have to do that and can list multiple sources here
4 | /0 {
5 | /hostname "${PUBLISH_IP}"
6 | /port "${PUBLISH_PORT}"
7 | /timeout "10000"
8 | }
9 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/README:
--------------------------------------------------------------------------------
1 |
2 | This directory holds configuration files for the Apache HTTP Server;
3 | any files in this directory which have the ".conf" extension will be
4 | processed as httpd configuration files. The directory is used in
5 | addition to the directory /etc/httpd/conf.modules.d/, which contains
6 | configuration files necessary to load modules.
7 |
8 | Files are processed in alphabetical order.
9 |
10 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/dispatcher.any:
--------------------------------------------------------------------------------
1 | ### Name of the dispatcher
2 | /name "internet-server"
3 |
4 | ## each farm configures a set of (load-balanced) renders
5 | ### Include the author first on purpose
6 | ### Include the publish farm last. That way, if the hostname isn't matched, requests end up on the last farm: a nondescript 404 error is better than a 403 authentication error and a redirect to a login page
7 |
8 | /farms {
9 | $include "enabled_farms/*_farm.any"
10 | }
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/01-cgi.conf:
--------------------------------------------------------------------------------
1 | # This configuration file loads a CGI module appropriate to the MPM
2 | # which has been configured in 00-mpm.conf. mod_cgid should be used
3 | # with a threaded MPM; mod_cgi with the prefork MPM.
4 |
5 |
6 | LoadModule cgid_module modules/mod_cgid.so
7 |
8 |
9 | LoadModule cgid_module modules/mod_cgid.so
10 |
11 |
12 | LoadModule cgi_module modules/mod_cgi.so
13 |
14 |
15 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/variables/ootb.vars:
--------------------------------------------------------------------------------
1 | ## This file is not meant to be modified.
2 | ## This file is to avoid null values for Out Of The Box variables.
3 | ## If you want to make changes to these values modify /etc/httpd/conf.d/variables/ams_default.vars.
4 | Define DISP_LOG_LEVEL info
5 | Define AUTHOR_WHITELIST_ENABLED 0
6 | Define PUBLISH_WHITELIST_ENABLED 0
7 | Define LIVECYCLE_WHITELIST_ENABLED 0
8 | Define AUTHOR_FORCE_SSL 1
9 | Define PUBLISH_FORCE_SSL 0
10 | Define LIVECYCLE_FORCE_SSL 1
11 | Define ASSET_DOWNLOAD_RULE deny
12 | Define 3D_MIMETYPE_ENABLED 1
13 | Define DEFAULT_STAT_LEVEL 4
14 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/mimetypes3d.conf:
--------------------------------------------------------------------------------
1 | ## This is needed if 3D files are to be cached on Publish/Dispatcher; otherwise the files will be served from cache with incorrect content types.
2 |
3 | Define 3D_MIMETYPE_ENABLED 1
4 |
5 |
6 |
7 |
8 | AddType model/vnd.usdz+zip usdz
9 | AddType model/gltf-binary glb
10 | AddType model/gltf+json gltf
11 | AddType application/x-tgif obj
12 | AddType application/vnd.ms-pki.stl stl
13 | AddType model/x-adobe-dn dn
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any:
--------------------------------------------------------------------------------
1 | ## Put entries for items you do or don't want to cache in Apache's doc root
2 | ## Each glob pattern is compared against the URL
3 | ## example: * -> everything
4 | ## : /foo/bar.* -> only the /foo/bar documents
5 | ## : /foo/bar/* -> all pages below /foo/bar
6 | ## : /foo/bar[./]* -> all pages below and /foo/bar itself
7 | ## : *.html -> all .html files
8 | ## Default allow all items to cache
9 | /0000 {
10 | /glob "*"
11 | /type "allow"
12 | }
13 | ## Don't cache csrf login tokens
14 | /0001 {
15 | /glob "/libs/granite/csrf/token.json"
16 | /type "deny"
17 | }
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any:
--------------------------------------------------------------------------------
1 | "X-Forwarded-Proto"
2 | "X-Forwarded-SSL-Certificate"
3 | "X-Forwarded-SSL-Client-Cert"
4 | "X-Forwarded-SSL"
5 | "X-Forwarded-Protocol"
6 | "CSRF-Token"
7 | "referer"
8 | "user-agent"
9 | "from"
10 | "content-type"
11 | "content-length"
12 | "accept-charset"
13 | "accept-encoding"
14 | "accept-language"
15 | "accept"
16 | "host"
17 | "if-match"
18 | "if-none-match"
19 | "if-range"
20 | "if-unmodified-since"
21 | "max-forwards"
22 | "range"
23 | "cookie"
24 | "depth"
25 | "translate"
26 | "expires"
27 | "date"
28 | "if"
29 | "lock-token"
30 | "x-expected-entity-length"
31 | "destination"
32 | "Sling-uploadmode"
33 | "x-requested-with"
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/000_ams_catchall_farm.any:
--------------------------------------------------------------------------------
1 | /catchallfarm {
2 | /clientheaders {
3 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any"
4 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
5 | }
6 | ## Greedy match for all un-matched hostnames
7 | /virtualhosts {
8 | "*"
9 | }
10 | ## Intentionally redirecting renderer traffic to catch all
11 | /renders {
12 | /0 {
13 | /hostname "127.0.0.1"
14 | /port "80"
15 | /timeout "10000"
16 | }
17 | }
18 | ## only handle the requests in the following acl. default is 'none'
19 | ## the glob pattern is matched against the first request line
20 | /filter {
21 | /0001 { /type "deny" /url "*" }
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/whitelists/000_base_whitelist.rules:
--------------------------------------------------------------------------------
1 | ## Include this in a directory context of the virtual host you want to restrict, to apply a whitelist of IPs
2 |
3 | ## Here are some examples:
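4 | ### Regular expressions are used for X-FORWARDED-FOR if your dispatcher is behind a load balancer. The header is client-supplied unless the load balancer sets it, so these rules only restrict access when httpd cannot be reached directly.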
5 | # SetEnvIf X-FORWARDED-FOR ^199\.83\.(12[8-9]|13[0-5])\.[0-9]{1,3}$ AllowIP
6 | # SetEnvIf X-FORWARDED-FOR ^198\.143\.(3[2-9]|[4-5][0-9]|6[0-3])\.[0-9]{1,3}$ AllowIP
7 |
8 | ### Set up a RequireAny section, so that a request is allowed in if any rule inside it matches
9 |
10 | ### We make sure the environment variable AllowIP is enforced
11 | Require env AllowIP
12 | ### Here are some rules for CIDR ip blocks and single addresses
13 | # Require ip 192.150.16.0/23
14 | # Require ip 120.242.180.10
15 |
16 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-mpm.conf:
--------------------------------------------------------------------------------
1 | # Select the MPM module which should be used by uncommenting exactly
2 | # one of the following LoadModule lines:
3 |
4 | # prefork MPM: Implements a non-threaded, pre-forking web server
5 | # See: http://httpd.apache.org/docs/2.4/mod/prefork.html
6 | #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
7 |
8 | # worker MPM: Multi-Processing Module implementing a hybrid
9 | # multi-threaded multi-process web server
10 | # See: http://httpd.apache.org/docs/2.4/mod/worker.html
11 | #
12 | LoadModule mpm_worker_module modules/mod_mpm_worker.so
13 |
14 | # event MPM: A variant of the worker MPM with the goal of consuming
15 | # threads only for connections with active processing
16 | # See: http://httpd.apache.org/docs/2.4/mod/event.html
17 | #
18 | #LoadModule mpm_event_module modules/mod_mpm_event.so
19 |
20 |
--------------------------------------------------------------------------------
/scripts/launch.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # Copyright (c) 2024 Adobe Systems Incorporated. All rights reserved.
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | #
17 | /usr/bin/cat /NOTICE
18 |
19 | /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg
20 |
21 | rm -f /run/httpd/authdigest_shm.*
22 | rm -f /run/httpd/cgisock.*
23 | rm -f /run/httpd/httpd.pid
24 | /usr/sbin/httpd -D FOREGROUND
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/variables/ams_default.vars:
--------------------------------------------------------------------------------
1 | ## Log level for the dispatcher log. Default is 1 (warn) for production and 2 (info) for non-production dispatchers
2 | ## error for Errors
3 | ## warn for Warnings
4 | ## info for Infos
5 | ## debug for Debug
6 | ## trace for Trace (the most verbose level; meant for troubleshooting rather than production use)
7 | Define DISP_LOG_LEVEL trace
8 |
9 | ## Enable IP whitelisting by setting to 1. Then put your whitelist rules in /etc/httpd/conf.d/whitelists/*_whitelist.rules
10 | Define AUTHOR_WHITELIST_ENABLED 0
11 | Define PUBLISH_WHITELIST_ENABLED 0
12 | Define LIVECYCLE_WHITELIST_ENABLED 0
13 |
14 | ## Force all traffic to be SSL
15 | Define AUTHOR_FORCE_SSL 1
16 | Define PUBLISH_FORCE_SSL 0
17 | Define LIVECYCLE_FORCE_SSL 1
18 |
19 | ## Asset download defaults to deny but can be allowed by setting the value below to allow
20 | Define ASSET_DOWNLOAD_RULE deny
21 |
22 | ## Enable/disable the 3D MIME types. Enabled by default (set to 1)
23 | Define 3D_MIMETYPE_ENABLED 1
24 |
25 | ## Set the default stat level for farm files.
26 | Define DEFAULT_STAT_LEVEL 4
27 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/cache/ams_author_cache.any:
--------------------------------------------------------------------------------
1 | ## Put entries for items you do or don't want to cache in Apache's doc root
2 | ## Each glob pattern is compared against the URL
3 | ## example: * -> everything
4 | ## : /foo/bar.* -> only the /foo/bar documents
5 | ## : /foo/bar/* -> all pages below /foo/bar
6 | ## : /foo/bar[./]* -> all pages below and /foo/bar itself
7 | ## : *.html -> all .html files
8 | /0000 {
9 | /glob "*"
10 | /type "deny"
11 | }
12 | /0001 {
13 | /glob "/libs/*"
14 | /type "allow"
15 | }
16 | /0002 {
17 | /glob "/libs/*.html"
18 | /type "deny"
19 | }
20 | ## Don't cache csrf login tokens
21 | /0003 {
22 | /glob "/libs/granite/csrf/token.json"
23 | /type "deny"
24 | }
25 | /0004 {
26 | /glob "/apps/*"
27 | /type "allow"
28 | }
29 | /0005 {
30 | /glob "/apps/*.html"
31 | /type "deny"
32 | }
33 | ## This page contains a "Welcome, User XXX" message and shouldn't be cached
34 | /0006 {
35 | /glob "/libs/cq/core/content/welcome.*"
36 | /type "deny"
37 | }
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/000_unhealthy_author.vhost:
--------------------------------------------------------------------------------
1 |
2 | ServerName unhealthyauthor
3 | ServerAlias ${AUTHOR_DEFAULT_HOSTNAME}
4 | ErrorDocument 503 /error.html
5 | DocumentRoot /mnt/var/www/default
6 |
7 |
8 | Options FollowSymLinks
9 | AllowOverride None
10 | ##### Insert filter
11 | SetOutputFilter DEFLATE
12 | ##### Don't compress images
13 | SetEnvIfNoCase Request_URI \
14 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
15 | ##### Make sure proxies don't deliver the wrong content
16 | Header append Vary User-Agent env=!dont-vary
17 |
18 |
19 | AllowOverride None
20 | Require all granted
21 |
22 |
23 | Header always add X-Dispatcher ${DISP_ID}
24 | Header always add X-Vhost "unhealthy-author"
25 |
26 |
27 | ReWriteEngine on
28 | RewriteCond %{REQUEST_URI} !^/error.html$
29 | RewriteRule ^/* /error.html [R=503,L,NC]
30 |
31 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-proxy.conf:
--------------------------------------------------------------------------------
1 | # This file loads all the proxy modules; any module that no vhost uses can be commented out to reduce the attack surface:
2 | LoadModule proxy_module modules/mod_proxy.so
3 | LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
4 | LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
5 | LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
6 | LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
7 | LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
8 | LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
9 | LoadModule proxy_connect_module modules/mod_proxy_connect.so
10 | LoadModule proxy_express_module modules/mod_proxy_express.so
11 | LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
12 | LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
13 | LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
14 | LoadModule proxy_http_module modules/mod_proxy_http.so
15 | LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
16 | LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
17 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/000_unhealthy_publish.vhost:
--------------------------------------------------------------------------------
1 |
2 | ServerName unhealthypublish
3 | ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
4 | ErrorDocument 503 /error.html
5 | DocumentRoot /mnt/var/www/default
6 |
7 |
8 | Options FollowSymLinks
9 | AllowOverride None
10 | #### Insert filter
11 | SetOutputFilter DEFLATE
12 | #### Don't compress images
13 | SetEnvIfNoCase Request_URI \
14 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
15 | #### Make sure proxies don't deliver the wrong content
16 | Header append Vary User-Agent env=!dont-vary
17 |
18 |
19 | AllowOverride None
20 | Require all granted
21 |
22 |
23 | Header always add X-Dispatcher ${DISP_ID}
24 | Header always add X-Vhost "unhealthy-publish"
25 |
26 |
27 | ReWriteEngine on
28 | RewriteCond %{REQUEST_URI} !^/error.html$
29 | RewriteRule ^/* /error.html [R=503,L,NC]
30 |
31 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/002_ams_lc_farm.any:
--------------------------------------------------------------------------------
1 | /lcfarm {
2 | ## client headers which should be passed through to the render instances
3 | ## (feature supported since dispatcher build 2.6.3.5222)
4 | /clientheaders {
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_lc_clientheaders.any"
6 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
7 | }
8 | ## hostname globbing for farm selection (virtual domain addressing)
9 | /virtualhosts {
10 | $include "/etc/httpd/conf.dispatcher.d/vhosts/ams_lc_vhosts.any"
11 | }
12 | ## the load will be balanced among these render instances
13 | /renders {
14 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_lc_renders.any"
15 | }
16 | ## only handle the requests in the following acl. default is 'none'
17 | ## the glob pattern is matched against the first request line
18 | /filter {
19 | $include "/etc/httpd/conf.dispatcher.d/filters/ams_lc_filters.any"
20 | }
21 | ## allow propagation of replication posts (should seldom be used)
22 | /propagateSyndPost "0"
23 | }
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/aem_flush.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any environment variables that are set in /etc/sysconfig/httpd
2 | ## Collect the dispatchers number
3 | PassEnv DISP_ID
4 | ## Use this vhost in conjunction with adding a Host Header (flush) to your AEM flush agent configurations so they fall into this host
5 | ## This is a deliberate flush target that doesn't conflict with customers configurations of the dispatcher
6 |
7 | ServerName "dispflush"
8 | ServerAlias flush
9 |
10 |
11 | ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
12 | DocumentRoot ${PUBLISH_DOCROOT}
13 | ## Add header breadcrumbs for help in troubleshooting
14 |
15 | Header always add X-Dispatcher ${DISP_ID}
16 | Header always add X-Vhost "flush"
17 |
18 |
19 | AllowOverride None
20 | Require all granted
21 |
22 |
23 |
24 | SetHandler dispatcher-handler
25 |
26 |
27 |
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
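# Builds the dispatcher image for linux/amd64 and linux/arm64 and pushes it to
# GitHub Container Registry on every push to main and on every v* tag.
name: Build and Deploy Images

on:
  push:
    branches:
      - main
    tags:
      - v*

jobs:
  docker:
    runs-on: ubuntu-latest

    # Token scope for this job: push packages to GHCR, read-only on repository contents.
    permissions:
      packages: write
      contents: read

    steps:
      # NOTE(review): every action below is referenced by a mutable major-version tag.
      # Pinning each one to a full commit SHA keeps a re-pointed tag from running in a
      # job that holds a packages:write token.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Workflow-scoped token; its rights are limited by the permissions block above.
          password: ${{ secrets.GITHUB_TOKEN }}
      # Derives image tags and labels from the pushed ref; consumed by the build step.
      - name: Docker metadata
        id: metadata
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/adobe/aem-dispatcher-docker
      # NOTE(review): there is no checkout step and no `context:` input, so the build
      # presumably relies on the action's default Git context - confirm.
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}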
41 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/001_ams_publish_flush_farm.any:
--------------------------------------------------------------------------------
1 | /publishflushfarm {
2 | /clientheaders {
3 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any"
4 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
5 | }
6 | /virtualhosts {
7 | "dispflush"
8 | "flush"
9 | }
10 | /renders {
11 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any"
12 | }
13 | /filter {
14 | $include "/etc/httpd/conf.dispatcher.d/filters/ams_publish_filters.any"
15 | }
16 | /cache {
17 | /docroot "${PUBLISH_DOCROOT}"
18 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
19 | /rules {
20 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any"
21 | }
22 | /invalidate {
23 | /0000 {
24 | /glob "*"
25 | /type "allow"
26 | }
27 | }
28 | /allowedClients {
29 | ## By default, deny every client IP from issuing cache-invalidation requests
30 | /0000 {
31 | /glob "*.*.*.*"
32 | /type "deny"
33 | }
34 | ## Allow specific IPs, such as the publishers, to invalidate the cache
35 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any"
36 | }
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/001_ams_author_flush_farm.any:
--------------------------------------------------------------------------------
1 |
2 | /authorflushfarm {
3 | /clientheaders {
4 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_author_clientheaders.any"
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
6 | }
7 | /virtualhosts {
8 | "authordispflush"
9 | "authorflush"
10 | }
11 | /renders {
12 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_author_renders.any"
13 | }
14 | /filter {
15 | $include "/etc/httpd/conf.dispatcher.d/filters/ams_author_filters.any"
16 | }
17 | /cache {
18 | /docroot "${AUTHOR_DOCROOT}"
19 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
20 | /rules {
21 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_author_cache.any"
22 | }
23 | /invalidate {
24 | /0000 {
25 | /glob "*"
26 | /type "allow"
27 | }
28 | }
29 | /allowedClients {
30 | ## By default, deny every client IP from issuing cache-invalidation requests
31 | /0000 {
32 | /glob "*.*.*.*"
33 | /type "deny"
34 | }
35 | ## Allow specific IPs, such as the publishers, to invalidate the cache
36 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_author_invalidate_allowed.any"
37 | }
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/aem_flush_author.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any environment variables that are set in /etc/sysconfig/httpd
2 | ## Collect the dispatchers number
3 | PassEnv DISP_ID
4 | ## Use this vhost in conjunction with adding a Host Header (authorflush) to your AEM author flush agent configurations so they fall into this host
5 | ## This is a deliberate flush target that doesn't conflict with customers configurations of the dispatcher
6 | ## This is for the intended use to flush cached directories of author content. /var/www/author
7 |
8 | ServerName "authorflush"
9 | ServerAlias "authordispflush"
10 |
11 | ## Use a doc root that matches what's in the /etc/httpd/conf/author-farm.any
12 | DocumentRoot ${AUTHOR_DOCROOT}
13 | ## Add header breadcrumbs for help in troubleshooting
14 |
15 | Header always add X-Dispatcher ${DISP_ID}
16 | Header always add X-Vhost "authorflush"
17 |
18 |
19 | AllowOverride None
20 | Require all granted
21 |
22 |
23 |
24 | SetHandler dispatcher-handler
25 |
26 |
27 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/filters/ams_author_filters.any:
--------------------------------------------------------------------------------
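1 | ## allow everything first; the deny rules below override it, because the dispatcher applies the last filter rule that matches a request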
2 | /0001 { /type "allow" /url "*" }
3 | ## block admin tools
4 | /0010 { /type "deny" /url "/admin/*" }
5 | /0011 { /type "deny" /url "/system/*" }
6 | /0012 { /type "deny" /url "/_?jcr[:_]system.*" }
7 | /0013 {/type "allow" /path "/_jcr_system/_jcr_versionStorage/*" /extension '(js|json|css|png|jpeg|gif|html)' }
8 | ## CRX tools are blocked by default. They can be allowed via CRX_FILTER in /etc/sysconfig/httpd, but never in a production environment.
9 | /0014 { /type "${CRX_FILTER}" /url "/crx/*" }
10 | /0015 { /type "${CRX_FILTER}" /url "/bin/crxde*" }
11 |
12 | ## Block public access to our health check page
13 | /0016 { /type "deny" /path "/content/ams/healthcheck/*"}
14 | /0017 { /type "deny" /url "/content/regent.html"}
15 |
16 | ## Enable clientlibs proxy servlet
17 | /0018 { /type "allow" /method "GET" /url "/etc.clientlibs/*" /suffix '(.*.css$|.*.eot$|.*.gif$|.*.ico$|.*.jpeg$|.*.jpg$|.*.js$|.*.gif$|.*.png$|.*.svg$|.*.swf$|.*.ttf$|.*.woff$|.*.woff2$)' }
18 |
19 | ## allow some requests
20 | /0052 { /type "allow" /method "GET" /extension "html" /url "/system/sling/logout.html*" } ## allow logout
21 | #Asset download defaults to deny but can be allowed in /etc/httpd/conf.d/variables/ams_default.vars
22 | /0070 { /type "${ASSET_DOWNLOAD_RULE}" /method "GET" /url "*.assetdownload.zip/assets.zip*" }
23 |
24 |
25 |
--------------------------------------------------------------------------------
/docker-compose.yaml:
--------------------------------------------------------------------------------
1 | version: "3.7"
2 | services:
3 |
4 | dispatcher:
5 | image: dispatcher
6 | container_name: dispatcher
7 | environment:
8 | - DISP_ID=docker
9 | ## Replace value with the Author IP and Port you are using:
10 | - AUTHOR_IP=host.docker.internal
11 | - AUTHOR_PORT=4502
12 | - AUTHOR_DEFAULT_HOSTNAME=author.docker.local
13 | - AUTHOR_DOCROOT=/mnt/var/www/author
14 | ## Replace value with the Publisher IP and Port you are using:
15 | - PUBLISH_IP=host.docker.internal
16 | - PUBLISH_PORT=4503
17 | - PUBLISH_DEFAULT_HOSTNAME=publish.docker.local
18 | - PUBLISH_DOCROOT=/mnt/var/www/html
19 | ## Replace value with the LiveCycle IP and Port you are using:
20 | - LIVECYCLE_IP=127.0.0.1
21 | - LIVECYCLE_PORT=8080
22 | - LIVECYCLE_DEFAULT_HOSTNAME=aemforms-exampleco-dev.adobecqms.net
23 | - LIVECYCLE_DOCROOT=/mnt/var/www/lc
24 | - PUBLISH_FORCE_SSL=0
25 | - AUTHOR_FORCE_SSL=0
26 | ## Enable / Disable CRXDE access. In production this should be disabled
27 | - CRX_FILTER=deny
28 | ## Allow dispatcher flush from any IP (for local dev environments without fixed IPs; set to deny or remove on prod environments)
29 | - DISPATCHER_FLUSH_FROM_ANYWHERE=allow
30 |
31 | volumes:
32 | - ./ams/2.6/etc/httpd/conf:/etc/httpd/conf:ro
33 | - ./ams/2.6/etc/httpd/conf.d:/etc/httpd/conf.d:ro
34 | - ./ams/2.6/etc/httpd/conf.dispatcher.d:/etc/httpd/conf.dispatcher.d:ro
35 | - ./ams/2.6/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro
36 | - ./mnt/author_docroot:/var/www/author:rw
37 | - ./mnt/publish_docroot:/var/www/html:rw
38 | - ./mnt/log:/var/log/httpd:rw
39 | tmpfs:
40 | - /tmp
41 | ports:
42 | - 80:8080
43 | - 443:8443
44 |
45 |
--------------------------------------------------------------------------------
/scripts/env.sh:
--------------------------------------------------------------------------------
1 | #
2 | # Copyright (c) 2024 Adobe Systems Incorporated. All rights reserved.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | #
16 | DISP_ID=docker
17 | ## Replace value with the Author IP and Port you are using:
18 | AUTHOR_IP=host.docker.internal
19 | AUTHOR_PORT=4502
20 | AUTHOR_DEFAULT_HOSTNAME=author.docker.local
21 | AUTHOR_DOCROOT=/mnt/var/www/author
22 | ## Replace value with the Publisher IP and Port you are using:
23 | PUBLISH_IP=host.docker.internal
24 | PUBLISH_PORT=4503
25 | PUBLISH_DEFAULT_HOSTNAME=publish.docker.local
26 | PUBLISH_DOCROOT=/mnt/var/www/html
27 | ## Replace value with the LiveCycle IP and Port you are using:
28 | LIVECYCLE_IP=127.0.0.1
29 | LIVECYCLE_PORT=8080
30 | LIVECYCLE_DEFAULT_HOSTNAME=aemforms-exampleco-dev.adobecqms.net
31 | LIVECYCLE_DOCROOT=/mnt/var/www/lc
32 |
33 | PUBLISH_FORCE_SSL=0
34 | AUTHOR_FORCE_SSL=0
35 |
36 | ## Enable / Disable CRXDE access. In production this should be disabled
37 | #CRX_FILTER=allow
38 | CRX_FILTER=deny
39 |
40 | ## Allow dispatcher flush from any IP
41 | ## WARNING: Set this to "allow" on local dev environments that don't have fixed IPs
42 | ## Set to deny or comment out on prod environments
43 | DISPATCHER_FLUSH_FROM_ANYWHERE=allow
44 |
45 | ENV_TYPE=dev
46 | RUNMODE=sites
47 |
--------------------------------------------------------------------------------
/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Description
4 |
5 |
6 |
7 | ## Related Issue
8 |
9 |
10 |
11 |
12 |
13 |
14 | ## Motivation and Context
15 |
16 |
17 |
18 | ## How Has This Been Tested?
19 |
20 |
21 |
22 |
23 |
24 | ## Screenshots (if appropriate)
25 |
26 | ## Types of changes
27 |
28 |
29 |
30 | - [ ] Bug fix (non-breaking change which fixes an issue)
31 | - [ ] New feature (non-breaking change which adds functionality)
32 | - [ ] Breaking change (fix or feature that would cause existing functionality to change)
33 |
34 | ## Checklist
35 |
36 |
37 |
38 |
39 | - [ ] I have signed the [Adobe Open Source CLA](https://opensource.adobe.com/cla.html).
40 | - [ ] My code follows the code style of this project.
41 | - [ ] My change requires a change to the documentation.
42 | - [ ] I have updated the documentation accordingly.
43 | - [ ] I have read the **CONTRIBUTING** document.
44 | - [ ] I have added tests to cover my changes.
45 | - [ ] All new and existing tests passed.
46 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | #
2 | # Copyright (c) 2024 Adobe Systems Incorporated. All rights reserved.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | #
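# Base image is referenced by tag; BuildKit supplies TARGETPLATFORM for multi-arch builds.
# NOTE(review): a tag can be re-pointed upstream; pinning the image by digest would make
# rebuilds reproducible.
FROM --platform=$TARGETPLATFORM redhat/ubi8:8.8

# Install HTTPD, haproxy and troubleshooting tools, then drop the yum cache from the layer
RUN yum -y update && yum -y install httpd mod_ssl procps haproxy iputils less openssl && yum clean all

# Remove default httpd config so only the AMS files copied below are loaded
RUN rm -rf /etc/httpd/conf/* && rm -rf /etc/httpd/conf.d/* && rm -rf /etc/httpd/conf.modules.d/*

# Copy the AMS base files into the image.
COPY ams/2.6/etc/httpd /etc/httpd
# Setup sample configs
COPY sample/weretail_filters.any /etc/httpd/conf.dispatcher.d/filters/weretail_filters.any
COPY sample/weretail_publish_farm.any /etc/httpd/conf.dispatcher.d/available_farms/100_weretail_publish_farm.any
COPY sample/weretail.vhost /etc/httpd/conf.d/available_vhosts/

# Copy haproxy config
COPY haproxy/haproxy.cfg /etc/haproxy

# Install dispatcher
# TARGETARCH is declared so the RUN steps below can see the build's target architecture.
ARG TARGETARCH
COPY scripts/setup.sh /
RUN chmod +x /setup.sh
# Ensuring correct file ending on windows systems.
# sed handles one line at a time with the newline already removed, so a '\r\n' pattern
# never matches; stripping the trailing '\r' is what actually converts CRLF to LF.
RUN sed -i -e 's/\r$//' /setup.sh
RUN ./setup.sh
RUN rm /setup.sh

COPY scripts/launch.sh /
# Ensuring correct file ending on windows systems (same CRLF fix as for setup.sh)
RUN sed -i -e 's/\r$//' /launch.sh
RUN chmod +x /launch.sh

COPY LICENSE /
COPY NOTICE /

# EXPOSE is informational only.
# NOTE(review): docker-compose.yaml publishes container ports 8080 and 8443; confirm
# which ports the processes started by launch.sh actually bind.
EXPOSE 80 443

# Start container
# NOTE(review): no USER instruction is set, so launch.sh starts as root unless it drops
# privileges itself (not visible here).
ENTRYPOINT ["/bin/bash","/launch.sh"]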
55 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/rewrites/base_rewrite.rules:
--------------------------------------------------------------------------------
1 | ## This file is used to apply rewrite rules as an include.
2 | ## Consider the base file here as a global for re-use
3 |
4 | ##Examples:
5 | ## This ruleset would look for robots.txt and fetch it from the dam only if the domain is exampleco-dev.adobecqms.net
6 | #RewriteCond %{SERVER_NAME} exampleco-dev.adobecqms.net [NC]
7 | #RewriteRule ^/robots.txt$ /content/dam/exampleco/robots.txt [NC,PT]
8 | ## This ruleset would look for favicon.ico in exampleco's base dam folder if the domain is exampleco-brand1-dev.adobecqms.net
9 | #RewriteCond %{SERVER_NAME} exampleco-brand1-dev.adobecqms.net [NC]
10 | #RewriteRule ^/favicon.ico$ /content/dam/exampleco/favicon.ico [NC,PT]
11 | ## This ruleset would look for sitemap.xml and point it at the re-usable file in exampleco's general folder of their site pages
12 | #RewriteCond %{SERVER_NAME} exampleco-brand2-dev.adobecqms.net [NC]
13 | #RewriteRule ^/sitemap.xml$ /content/exampleco/general/sitemap.xml [NC,PT]
14 | ## This ruleset would look for logo.jpg on all sites and source it from exampleco's general folder
15 | #RewriteRule ^/logo.jpg$ /content/dam/exampleco/general/logo.jpg [NC,PT]
16 |
17 | ## This ruleset is a vanity url that exampleco's contactus site that doesn't exist on our environment
18 | #RewriteRule ^/contactus https://corp.exampleco.com/contactus.html [NC,R=301]
19 |
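20 | ## Prevent X-FORWARDED-FOR spoofing: reject requests whose X-Forwarded-For header is set but does not begin like an IPv4 or IPv6 address. This only checks the format of the start of the value; it does not establish that the header came from a trusted proxy.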
21 | RewriteCond %{HTTP:X-Forwarded-For} !^$
22 | RewriteCond %{HTTP:X-Forwarded-For} !^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
23 | ## For IPv6
24 | RewriteCond %{HTTP:X-Forwarded-For} !^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})
25 | RewriteCond %{HTTP:X-Forwarded-For} !^[a-fA-F0-9:]+,?.*
26 | RewriteRule .* - [F]
27 | ## Uncomment to force HSTS protection
28 | #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
29 |
30 | ## Block wordpress DDOS Attempts
31 | RewriteRule ^.*xmlrpc.php - [F]
32 | RewriteCond %{HTTP_USER_AGENT} ^.*wordpress [NC]
33 | RewriteRule .* - [F]
34 |
35 | ## Block wp-login
36 | RewriteRule ^.*wp-login - [F,NC,L]
37 |
38 | ## Block dot dot semicolon attack
39 | RewriteCond %{REQUEST_URI} ^.*\.\.;.*
40 | RewriteRule ".*" "-" [R=404]
41 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing
2 |
3 | Thanks for choosing to contribute!
4 |
5 | The following are a set of guidelines to follow when contributing to this project.
6 |
7 | ## Code Of Conduct
8 |
9 | This project adheres to the Adobe [code of conduct](../CODE_OF_CONDUCT.md). By participating,
10 | you are expected to uphold this code. Please report unacceptable behavior to
11 | [Grp-opensourceoffice@adobe.com](mailto:Grp-opensourceoffice@adobe.com).
12 |
13 | ## Have A Question?
14 |
15 | Start by filing an issue. The existing committers on this project work to reach
16 | consensus around project direction and issue solutions within issue threads
17 | (when appropriate).
18 |
19 | ## Contributor License Agreement
20 |
21 | All third-party contributions to this project must be accompanied by a signed contributor
22 | license agreement. This gives Adobe permission to redistribute your contributions
23 | as part of the project. [Sign our CLA](https://opensource.adobe.com/cla.html). You
24 | only need to submit an Adobe CLA one time, so if you have submitted one previously,
25 | you are good to go!
26 |
27 | ## Code Reviews
28 |
29 | All submissions should come in the form of pull requests and need to be reviewed
30 | by project committers. Read [GitHub's pull request documentation](https://help.github.com/articles/about-pull-requests/)
31 | for more information on sending pull requests.
32 |
33 | Lastly, please follow the [pull request template](PULL_REQUEST_TEMPLATE.md) when
34 | submitting a pull request!
35 |
36 | ## From Contributor To Committer
37 |
38 | We love contributions from our community! If you'd like to go a step beyond contributor
39 | and become a committer with full write access and a say in the project, you must
40 | be invited to the project. The existing committers employ an internal nomination
41 | process that must reach lazy consensus (silence is approval) before invitations
42 | are issued. If you feel you are qualified and want to get more deeply involved,
43 | feel free to reach out to existing committers to have a conversation about that.
44 |
45 | ## Security Issues
46 |
47 | Security issues shouldn't be reported on this issue tracker. Instead, [file an issue to our security experts](https://helpx.adobe.com/security/alertus.html).
48 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/aem_health.vhost:
--------------------------------------------------------------------------------
1 | ## Collect the dispatchers number
2 | PassEnv DISP_ID
3 | ## Use this vhost in conjunction with adding a Host Header (health) to your load balancer configurations so they fall into this host
4 | ## This will execute the scripts that live in /var/www/cgi-bin/health/
5 | ## To test this is working tail the log file: /var/log/elb/health_check.log
6 | ## Then run a curl command to run the script: curl -H 'Host: health' http://localhost:81/health/ or curl -H 'Host: health' http://localhost/health/
7 |
8 | ## This requires a cgi-module to be loaded like:
9 | ## LoadModule cgid_module modules/mod_cgid.so
10 | ## Which should be called in /etc/httpd/conf.modules.d/01-cgi.conf
11 |
12 | Listen 81
13 |
14 | ServerName "health-aws"
15 | ServerAlias health health_check
16 | ## CustomLog for access
17 | CustomLog logs/healthcheck_access_log combined
18 | ## Set the timeouts for header and body to be larger than the idle timeout setting on the load balancer.
19 |
20 | RequestReadTimeout header=65 body=65
21 |
22 |
23 | Header always add X-Dispatcher ${DISP_ID}
24 | Header always add X-Vhost "health"
25 |
26 |
27 | AllowOverride None
28 | Options None
29 | Require all granted
30 |
31 | ScriptAlias /health/ "/var/www/cgi-bin/health/"
32 | ScriptAlias /eagle/ "/var/www/cgi-bin/health/"
33 |
34 |
35 |
36 | ServerName "health-azure"
37 | ServerAlias health health_check
38 | ## CustomLog for access
39 | CustomLog logs/healthcheck_access_log combined
40 | ## Set the timeouts for header and body to be larger than the idle timeout setting on the load balancer.
41 |
42 | RequestReadTimeout header=65 body=65
43 |
44 |
45 | Header always add X-Dispatcher ${DISP_ID}
46 | Header always add X-Vhost "health"
47 |
48 |
49 | AllowOverride None
50 | Options None
51 | Require all granted
52 |
53 | ScriptAlias /health/ "/var/www/cgi-bin/health/"
54 | ScriptAlias /eagle/ "/var/www/cgi-bin/health/"
55 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/ams_lc.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any environment variables that are set in /etc/sysconfig/httpd
2 |
3 | ServerName livecycle
4 | ## Put names of which domains are used for your livecycle site/content here
5 | ServerAlias ${LIVECYCLE_DEFAULT_HOSTNAME}
6 | ## Use a doc root that matches what's in the /etc/httpd/conf.dispatcher.d/lc-farm.any
7 | DocumentRoot ${LIVECYCLE_DOCROOT}
8 | ## Add header breadcrumbs for help in troubleshooting
9 |
10 | Header always add X-Dispatcher ${DISP_ID}
11 | Header always add X-Vhost "livecycle"
12 | Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
13 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
14 | Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
15 | #### Make sure proxies don't deliver the wrong content
16 | Header append Vary User-Agent env=!dont-vary
17 |
18 |
19 | ## Update /etc/sysconfig/httpd with setting the LIVECYCLE_WHITELIST_ENABLED from 0 or 1 to enable or disable ip restriction rules
20 |
21 | Include /etc/httpd/conf.d/whitelists/*_whitelist.rules
22 |
23 |
24 | ## Some items cache with the wrong mime type
25 | ## Use this option to use the name to auto-detect mime types when cached improperly
26 | ModMimeUsePathInfo On
27 | ## Use this option to avoid cache poisoning
28 | ## Sling will return /content/image.jpg as well as /content/image.jpg/ but apache can't search /content/image.jpg/ as a file
29 | ## Apache will treat that like a directory. This assures the last slash is never stored in cache
30 | DirectorySlash Off
31 | ## Enable the dispatcher file handler for apache to fetch files from AEM
32 | SetHandler dispatcher-handler
33 |
34 | Options FollowSymLinks
35 | AllowOverride None
36 | #### Insert filter
37 | SetOutputFilter DEFLATE
38 | #### Don't compress images
39 | SetEnvIfNoCase Request_URI \
40 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
41 |
42 |
43 | AllowOverride None
44 | Require all granted
45 |
46 |
47 | ## Enabled to allow rewrites to take effect and not be ignored by the dispatcher module
48 | DispatcherUseProcessedURL 1
49 | ## Default setting to allow all errors to come from the aem instance
50 | DispatcherPassError 0
51 |
52 |
53 | ReWriteEngine on
54 | LogLevel warn rewrite:info
55 | ##Global rewrite include
56 | Include /etc/httpd/conf.d/rewrites/base_rewrite.rules
57 | ## Update /etc/sysconfig/httpd with setting the LIVECYCLE_FORCE_SSL from 0 or 1 to enable or disable enforcing SSL
58 |
59 | Include /etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules
60 |
61 |
62 |
--------------------------------------------------------------------------------
/dispatcher-docker-compose:
--------------------------------------------------------------------------------
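#!/bin/sh
# Prepares the local AMS configuration tree and starts the dispatcher container.
#
# Steps: verify the script runs from the repository root, copy the we-retail sample
# files into the config tree, (re)create the enabled_vhosts / enabled_farms symlinks,
# then start the stack with docker-compose.
#
# Note: the config tree is bind-mounted into the container by docker-compose.yaml, so
# the files copied and linked here are exactly what httpd loads.

VERSION="ams/2.6"
PATH_TO_CONF="etc/httpd"
CONF_ROOT="$VERSION/$PATH_TO_CONF"

# Quoted so a checkout path containing spaces does not break the test.
if [ ! -d "$(pwd)/$CONF_ROOT/conf" ]; then
    echo "**** ERROR ****"
    echo "This script is supposed to be run in the root directory of the dispatcher project, "
    echo "though we could not find a directory ./$VERSION/$PATH_TO_CONF/conf conf from the current directory."
    echo "Please change to the projects main directory and try again."
    echo ""
    exit 1
fi

echo ""
echo "Starting dispatcher, mounting local configuration from ./$VERSION/$PATH_TO_CONF ..."
echo " Open your browser at http://publish.docker.local/content/we-retail/us/en.html "
# NOTE(review): docker-compose is started detached (-d) below, so Ctrl-C does not stop it.
echo " **** Press Ctrl-C to stop **** "
echo ""

VHOST_CONF="$CONF_ROOT/conf.d"
FARM_CONF="$CONF_ROOT/conf.dispatcher.d"

# copy sample we-retail files
cp sample/weretail.vhost "$VHOST_CONF/available_vhosts"
cp sample/weretail_publish_farm.any "$FARM_CONF/available_farms/100_weretail_publish_farm.any"
cp sample/weretail_filters.any "$FARM_CONF/filters"

# create and link up default enabled vhosts
# `ln -sf` replaces a link left by an earlier run. The previous `-F` flag only implies
# force on BSD ln; GNU ln does not overwrite with it, so a second run failed there.
mkdir -p "$VHOST_CONF/enabled_vhosts"
for vhost in aem_author aem_flush_author aem_publish aem_flush aem_health weretail; do
    ln -sf "../available_vhosts/$vhost.vhost" "$VHOST_CONF/enabled_vhosts/$vhost.vhost"
done

# create and link up default enabled farms, plus the we-retail sample farm
mkdir -p "$FARM_CONF/enabled_farms"
for farm in 000_ams_catchall_farm 001_ams_author_flush_farm 001_ams_publish_flush_farm \
            002_ams_author_farm 002_ams_publish_farm 100_weretail_publish_farm; do
    ln -sf "../available_farms/$farm.any" "$FARM_CONF/enabled_farms/$farm.any"
done

# start dispatcher with docker-compose
docker-compose up -d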
53 |
54 |
--------------------------------------------------------------------------------
/sample/weretail.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any environment variables that are set in /etc/sysconfig/httpd
2 | ## Collect the dispatchers number
3 | PassEnv DISP_ID
4 |
5 |
6 | ## allowing slashes in the URL to be encoded and still honored
7 | AllowEncodedSlashes On
8 | ServerName we-retail
9 | ## Put names of which domains are used for your published site/content here
10 | ServerAlias we-retail.docker.local
11 |
12 |
13 | ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
14 | DocumentRoot ${PUBLISH_DOCROOT}
15 | ## Add header breadcrumbs for help in troubleshooting
16 |
17 | Header always add X-Dispatcher ${DISP_ID}
18 | Header always add X-Vhost "publish"
19 | Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
20 | Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
21 | #### Make sure proxies don't deliver the wrong content
22 | Header append Vary User-Agent env=!dont-vary
23 | ## Force SSL for author
24 | ## Add HSTS for avoiding man in the middle during browser redirect to SSL
25 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
26 |
27 |
28 | ## Update /etc/sysconfig/httpd with setting the PUBLISH_WHITELIST_ENABLED from 0 or 1 to enable or disable ip restriction rules
29 |
30 | Include /etc/httpd/conf.d/whitelists/*_whitelist.rules
31 |
32 |
33 | ## Some items cache with the wrong mime type
34 | ## Use this option to use the name to auto-detect mime types when cached improperly
35 | ModMimeUsePathInfo On
36 | ## Use this option to avoid cache poisoning
37 | ## Sling will return /content/image.jpg as well as /content/image.jpg/ but apache can't search /content/image.jpg/ as a file
38 | ## Apache will treat that like a directory. This assures the last slash is never stored in cache
39 | DirectorySlash Off
40 | ## Enable the dispatcher file handler for apache to fetch files from AEM
41 | SetHandler dispatcher-handler
42 |
43 | Options FollowSymLinks
44 | AllowOverride None
45 | #### Insert filter
46 | SetOutputFilter DEFLATE
47 | #### Don't compress images
48 | SetEnvIfNoCase Request_URI \
49 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
50 |
51 |
52 | AllowOverride None
53 | Require all granted
54 |
55 |
56 | ## Enabled to allow rewrites to take effect and not be ignored by the dispatcher module
57 | DispatcherUseProcessedURL 1
58 | ## Default setting to allow all errors to come from the aem instance
59 | DispatcherPassError 0
60 |
61 |
62 | ReWriteEngine on
63 | LogLevel warn rewrite:info
64 | ##Global rewrite include
65 | Include /etc/httpd/conf.d/rewrites/base_rewrite.rules
66 | ## Update /etc/sysconfig/httpd with setting the PUBLISH_FORCE_SSL from 0 or 1 to enable or disable enforcing SSL
67 |
68 | Include /etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules
69 |
70 |
71 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/aem_publish.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any environment variables that are set in /etc/sysconfig/httpd
2 | ## Collect the dispatchers number
3 | PassEnv DISP_ID
4 |
5 |
6 | ## allowing slashes in the URL to be encoded and still honored
7 | AllowEncodedSlashes On
8 | ServerName publish
9 | ## Put names of which domains are used for your published site/content here
10 | ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
11 |
12 |
13 | ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
14 | DocumentRoot ${PUBLISH_DOCROOT}
15 | ## Add header breadcrumbs for help in troubleshooting
16 |
17 | Header always add X-Dispatcher ${DISP_ID}
18 | Header always add X-Vhost "publish"
19 | Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
20 | Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
21 | #### Make sure proxies don't deliver the wrong content
22 | Header append Vary User-Agent env=!dont-vary
23 | ## Force SSL for author
24 | ## Add HSTS for avoiding man in the middle during browser redirect to SSL
25 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
26 |
27 |
28 | ## Update /etc/sysconfig/httpd with setting the PUBLISH_WHITELIST_ENABLED from 0 or 1 to enable or disable ip restriction rules
29 |
30 | Include /etc/httpd/conf.d/whitelists/*_whitelist.rules
31 |
32 |
33 | ## Some items cache with the wrong mime type
34 | ## Use this option to use the name to auto-detect mime types when cached improperly
35 | ModMimeUsePathInfo On
36 | ## Use this option to avoid cache poisoning
37 | ## Sling will return /content/image.jpg as well as /content/image.jpg/ but apache can't search /content/image.jpg/ as a file
38 | ## Apache will treat that like a directory. This assures the last slash is never stored in cache
39 | DirectorySlash Off
40 | ## Enable the dispatcher file handler for apache to fetch files from AEM
41 | SetHandler dispatcher-handler
42 |
43 | Options FollowSymLinks
44 | AllowOverride None
45 | #### Insert filter
46 | SetOutputFilter DEFLATE
47 | #### Don't compress images
48 | SetEnvIfNoCase Request_URI \
49 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
50 |
51 |
52 | AllowOverride None
53 | Require all granted
54 |
55 |
56 | ## Enabled to allow rewrites to take effect and not be ignored by the dispatcher module
57 | DispatcherUseProcessedURL 1
58 | ## Default setting to allow all errors to come from the aem instance
59 | DispatcherPassError 0
60 |
61 |
62 | ReWriteEngine on
63 | LogLevel warn rewrite:info
64 | ##Global rewrite include
65 | Include /etc/httpd/conf.d/rewrites/base_rewrite.rules
66 | ## Update /etc/sysconfig/httpd with setting the PUBLISH_FORCE_SSL from 0 or 1 to enable or disable enforcing SSL
67 |
68 | Include /etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules
69 |
70 |
71 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/filters/ams_publish_filters.any:
--------------------------------------------------------------------------------
1 | ## Deny everything first, then allow specific entries. When several rules match a request, the last matching rule wins, so the order of the rules in this file matters.
2 | ## Start with everything blocked as a safeguard and open only what customers need and what is safe OOTB
3 | /0001 { /type "deny" /url "*" }
4 |
5 | ## Open consoles only if this isn't a production environment, by uncommenting the next few lines
6 | #/002 { /type "allow" /url "/crx/*" } ## allow content repository
7 | #/003 { /type "allow" /url "/system/*" } ## allow OSGi console
8 |
9 | ## Allow non-public content directories only if this isn't a production environment, by uncommenting the next few lines
10 | #/004 { /type "allow" /url "/apps/*" } ## allow apps access
11 | #/005 { /type "allow" /url "/bin/*" } ## allow bin path access
12 |
13 | ## This rule allows content under /content to be accessed, limited to the listed file extensions
14 | /0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } ## disable this rule to allow mapped content only
15 |
16 | ## Allow GET for the listed static file extensions under the /etc/clientlibs directories
17 | /0011 { /type "allow" /method "GET" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|png|svg|swf|ttf|woff|woff2)' /path "/etc/clientlibs/*" }
18 |
19 | ## Enable clientlibs proxy servlet (GET only, limited to the listed file endings)
20 | /0012 { /type "allow" /method "GET" /url "/etc.clientlibs/*" /suffix '(.*.css$|.*.eot$|.*.gif$|.*.ico$|.*.jpeg$|.*.jpg$|.*.js$|.*.gif$|.*.png$|.*.svg$|.*.swf$|.*.ttf$|.*.woff$|.*.woff2$)' }
21 |
22 | ## Enable basic features
23 | /0013 { /type "allow" /method "GET" /url '/libs/granite/csrf/token.json' /extension 'json' } ## token endpoint of the framework AEM provides to prevent Cross-Site Request Forgery attacks
24 | /0014 { /type "allow" /method "POST" /url "/content/[.]*.form.html" } ## allow POSTs to form selectors under content
25 |
26 | /0015 { /type "allow" /method "GET" /path "/libs/cq/personalization" } ## enable personalization
27 | /0016 { /type "allow" /method "POST" /path "/content/[.]*.commerce.cart.json" } ## allow POSTs to update the shopping cart
28 |
29 | ## Deny content grabbing through greedy selectors (e.g. infinity, sysview, docview, query, numeric depth) and prevent unintended self-inflicted DoS
30 | /0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }
31 |
32 | ## Deny authoring query params
33 | /0018 { /type "deny" /method "GET" /query "debug=*" }
34 | /0019 { /type "deny" /method "GET" /query "wcmmode=*" }
35 | #### Deny front door entry
36 | /0020 { /type "deny" /path "/content/ams/healthcheck/*"}
37 | /0021 { /type "deny" /url "/content/regent.html"}
38 |
39 | ## Allow GET for 3D model file types (gltf, stl, obj, usdz, glb) under /content/dam
40 | /0022 { /type "allow" /extension '(gltf|stl|obj|usdz|glb)' /method "GET" /path "/content/dam/*" }
41 |
42 | ## Deny the dot-dot-semicolon (/..;/) path traversal pattern
43 | /0023 { /type "deny" /url '.*/[.][.];/.*' }
44 |
45 | ## AMSSEC033 Deny AEM password hash retrieval (AMSAUTO-15449)
46 | /0024 { /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' }
47 |
48 | ## Deny bracket filter pivots like /.[./ which tries to resolve as a /../ (AMSAUTO-22244)
49 | /0027 { /type "deny" /url '.*(\\[|]).*' }
50 |
51 | ## DOT Compliance
52 | ## AMS blocks suffix and selectors by default. These are the most abused filter bypasses. Please only allow ones that you need. Since the last matching rule wins, add the allow rules for the ones you need after these two denies.
53 | /0025 { /type "deny" /url "/content*" /suffix "*" }
54 | /0026 { /type "deny" /url "/content*" /selectors "*" }
55 |
--------------------------------------------------------------------------------
/haproxy/haproxy.cfg:
--------------------------------------------------------------------------------
1 | #
2 | # Copyright (c) 2024 Adobe Systems Incorporated. All rights reserved.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | #
16 | global # process-wide settings
17 | user haproxy
18 | group haproxy
19 | log 127.0.0.1 local0
20 | log-tag haproxy
21 | chroot /var/lib/haproxy
22 | daemon
23 | quiet
24 | stats socket /var/lib/haproxy/stats level admin # NOTE(review): admin-level runtime socket; restrict it with the socket's mode/user/group settings so only trusted local users can reach it
25 | maxconn 256
26 | pidfile /var/run/haproxy.pid
27 | tune.bufsize 262144
28 | # --------------------------------------------------------------------------
29 | # SSL/TLS defaults
30 | # --------------------------------------------------------------------------
31 | # generated 2020-05-25, Mozilla Guideline v5.4, HAProxy 1.5.18, OpenSSL 1.0.2k, intermediate configuration
32 | # https://ssl-config.mozilla.org/#server=haproxy&version=1.5.18&config=intermediate&openssl=1.0.2k&guideline=5.4
33 | # intermediate configuration; the options below disable SSLv3, TLS 1.0, TLS 1.1 and TLS session tickets on both the bind and the server side
34 | ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
35 | ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
36 | ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
37 | ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
38 | tune.ssl.default-dh-param 2048
39 | defaults # inherited by the frontends and the backend below
40 | timeout connect 1m
41 | timeout client 1m
42 | timeout server 1m
43 | log global
44 | mode http
45 | balance roundrobin
46 | option httplog
47 | option dontlognull
48 | option redispatch
49 | option tcplog # NOTE(review): follows 'option httplog' in the same section; verify which log format is actually in effect
50 | option forwardfor if-none # adds X-Forwarded-For only when the request has none, so a client-supplied value is kept; NOTE(review): confirm IP-based rules behind this proxy do not trust it
51 | option accept-invalid-http-request # NOTE(review): relaxes HTTP request parsing; the HAProxy documentation advises against leaving this enabled - confirm it is still required
52 | retries 5
53 | # -----------------------------------------------------------------------------
54 | # Dispatcher (HTTPS)
55 | # -----------------------------------------------------------------------------
56 | frontend dispatcher-https-in
57 | mode http
58 | default_backend apache
59 | bind *:8443 ssl crt /etc/ssl/docker/haproxy.pem
60 | http-request set-header X-Forwarded-Proto https # replaces any client-supplied X-Forwarded-Proto
61 |
62 | # -----------------------------------------------------------------------------
63 | # Dispatcher (HTTP)
64 | # -----------------------------------------------------------------------------
65 | frontend dispatcher-http-in # NOTE(review): no X-Forwarded-Proto handling here, so a client-supplied value reaches Apache unchanged; consider 'http-request set-header X-Forwarded-Proto http'
66 | mode http
67 | default_backend apache
68 | bind *:8080
69 |
70 | # -----------------------------------------------------------------------------
71 | # Backends
72 | # -----------------------------------------------------------------------------
73 | backend apache
74 | timeout server 5m # overrides the 1m server timeout from defaults
75 | server server1 127.0.0.1:80 maxconn 128
76 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/002_ams_author_farm.any:
--------------------------------------------------------------------------------
1 | /authorfarm {
2 | ## client headers which should be passed through to the render instances
3 | ## (feature supported since dispatcher build 2.6.3.5222)
4 | /clientheaders {
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_author_clientheaders.any"
6 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
7 | }
8 | ## hostname globbing for farm selection (virtual domain addressing)
9 | /virtualhosts {
10 | $include "/etc/httpd/conf.dispatcher.d/vhosts/ams_author_vhosts.any"
11 | }
12 | ## the load will be balanced among these render instances
13 | /renders {
14 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_author_renders.any"
15 | }
16 | ## only handle the requests in the following acl. default is 'none'
17 | ## the glob pattern is matched against the first request line
18 | /filter {
19 | $include "/etc/httpd/conf.dispatcher.d/filters/ams_author_filters.any"
20 | }
21 | /cache {
22 | ## The cacheroot must be equal to the document root of the webserver
23 | /docroot "${AUTHOR_DOCROOT}"
24 | ## sets the level upto which files named ".stat" will be created in the
25 | ## document root of the webserver. when an activation request for some
26 | ## handle is received, only files within the same subtree are affected
27 | ## by the invalidation.
28 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
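29 | ## caches also authorized data: with "1", responses to requests that carry authentication information can be stored in the cache too. NOTE(review): confirm the cache rules for this farm never store per-user content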
30 | /allowAuthorized "1"
31 | ## Flag indicating whether the dispatcher should serve stale content if
32 | ## no remote server is available.
33 | #/serveStaleOnError "0"
34 | ## the rules define, which pages should be cached. please note that
35 | ## - only GET requests are cached
36 | ## - only requests with an extension are cached
37 | ## - only requests without query parameters ( ? ) are cached
38 | ## - only unauthorized pages are cached unless allowAuthorized is set to 1
39 | /rules {
40 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_author_cache.any"
41 | }
42 | # the invalidate section defines those pages which are 'invalidated' after
43 | # any activation. please note that, the activated page itself and all
44 | # related documents are flushed on an modification. for example: if the
45 | # page /foo/bar is activated, all /foo/bar.* files are removed from the
46 | # cache.
47 | /invalidate {
48 | /0000 {
49 | /glob "*"
50 | /type "allow"
51 | }
52 | }
53 | /allowedClients {
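54 | ## By default deny every IP address from initiating invalidation commands (the glob below has the dotted IPv4 form; NOTE(review): confirm how non-IPv4 client addresses are handled)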
55 | /0000 {
56 | /glob "*.*.*.*"
57 | /type "deny"
58 | }
59 | ## Allow certain IP's like publishers to invalidate cache
60 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_author_invalidate_allowed.any"
61 | }
62 |
63 | # A grace period defines the number of seconds a stale, auto-invalidated
64 | # resource may still be served from the cache after the last activation
65 | # occurring. Auto-invalidated resources are invalidated by any activation,
66 | # when their path matches the /invalidate section above. This setting
67 | # can be used in a setup, where a batch of activations would otherwise
68 | # repeatedly invalidate the entire cache.
69 | /gracePeriod "2"
70 |
71 | }
72 | ## allow propagation of replication posts (should seldomly be used)
73 | /propagateSyndPost "0"
74 | }
75 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/available_vhosts/aem_author.vhost:
--------------------------------------------------------------------------------
1 | ## Collect any enviromental variables that are set in /etc/sysconfig/httpd
2 | ## Collect the dispatchers number
3 | PassEnv DISP_ID
4 |
5 |
6 | ## allowing slashes in the URL to be encoded (%2F) and still honored; with On, Apache also decodes them like any other escaped character
7 | AllowEncodedSlashes On
8 | ServerName "author"
9 | ServerAlias ${AUTHOR_DEFAULT_HOSTNAME}
10 |
11 |
12 | ## Use a special doc root that doesn't overlap publish doc roots or it wont fetch from author each time and authors wont see their changes
13 | DocumentRoot ${AUTHOR_DOCROOT}
14 | ## Add header breadcrumbs for help in troubleshooting
15 |
16 | Header always add X-Dispatcher ${DISP_ID}
17 | Header always add X-Vhost "author"
18 | Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
19 | Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
20 | #### Make sure proxies don't deliver the wrong content
21 | Header append Vary User-Agent env=!dont-vary
22 | ## Force SSL for author
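23 | ## Add HSTS so returning browsers go straight to HTTPS, avoiding man in the middle during the browser redirect to SSL (browsers honor this header only when it arrives over HTTPS)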
24 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
25 |
26 |
27 | Options Indexes FollowSymLinks
28 | AllowOverride None
29 | Require all granted
30 |
31 |
32 | ## Change AUTHOR_WHITELIST_ENABLED (0 or 1) in /etc/sysconfig/httpd to enable or disable the IP restriction rules included below
33 |
34 | Include /etc/httpd/conf.d/whitelists/*_whitelist.rules
35 |
36 |
37 | ## Some items cache with the wrong mime type
38 | ## Use this option to use the name to auto-detect mime types when cached improperly
39 | ModMimeUsePathInfo On
40 | ## Use this option to avoid cache poisoning
41 | ## Sling will return /content/image.jpg as well as /content/image.jpg/ but apache can't search /content/image.jpg/ as a file
42 | ## Apache will treat that like a directory. This assures the last slash is never stored in cache
43 | DirectorySlash Off
44 | ## Enable the dispatcher file handler for apache to fetch files from AEM
45 | SetHandler dispatcher-handler
46 |
47 | Options FollowSymLinks
48 | AllowOverride None
49 | #### Insert filter
50 | SetOutputFilter DEFLATE
51 | #### Don't compress images
52 | SetEnvIfNoCase Request_URI \
53 | \.(?:gif|jpe?g|png)$ no-gzip dont-vary
54 | #### Don't compress AEM assets
55 | SetEnvIfNoCase Request_URI assetdownload no-gzip dont-vary
56 |
57 |
58 | ## Enabled to allow rewrites to take effect and not be ignored by the dispatcher module
59 | DispatcherUseProcessedURL 1
60 | ## Default setting to allow all errors to come from the aem instance
61 | DispatcherPassError 0
62 |
63 |
64 | ReWriteEngine on
65 | LogLevel warn rewrite:info
66 | ##Global rewrite include
67 | Include /etc/httpd/conf.d/rewrites/base_rewrite.rules
68 | ## Update /etc/sysconfig/httpd with setting the AUTHOR_FORCE_SSL from 0 or 1 to enable or disable enforcing SSL
69 |
70 | Include /etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules
71 |
72 |
73 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.d/dispatcher_vhost.conf:
--------------------------------------------------------------------------------
1 | ### This file is auto-included by httpd.conf and customers shouldn't put their changes here. Instead put them in another /etc/httpd/conf.d/*.conf file or in /etc/httpd/conf.d/available_vhosts/*.vhost
2 |
3 | ## Fake ServerName to avoid warning in startup
4 | ServerName dispatcher
5 |
6 | ##If the module loads correctly then apply base settings for the module
7 |
8 | ## location of the configuration file. eg: 'conf/dispatcher.any'
9 | DispatcherConfig conf.dispatcher.d/dispatcher.any
10 | ## location of the dispatcher log file. eg: 'logs/dispatcher.log'
11 | DispatcherLog logs/dispatcher.log
12 | ## log level for the dispatcher log default 0 for production and default 2 for non-production dispatchers
13 | ## 0 Errors
14 | ## 1 Warnings
15 | ## 2 Infos
16 | ## 3 Debug
17 | DispatcherLogLevel ${DISP_LOG_LEVEL}
18 | ## if turned to 1, request to / are not handled by the dispatcher
19 | ## use the mod_alias then for the correct mapping
20 | DispatcherDeclineRoot 0
21 | ## if turned to 1, the dispatcher uses the URL already processed
22 | ## by handlers preceding the dispatcher (i.e. mod_rewrite)
23 | ## instead of the original one passed to the web server.
24 | DispatcherUseProcessedURL 1
25 | ## Default value of 0 but if its set to 1 then the dispatcher will have apache handle all errors
26 | ## If set to a string of error numbers it will only hand off those errors to apache to handle
27 | #DispatcherPassError 403,404
28 | #DispatcherPassError 1
29 |
30 | ## Include all of the customers *.vhost files as well as the default ones provided for author and publish URLs
31 | Include /etc/httpd/conf.d/enabled_vhosts/*.vhost
32 |
33 |
34 | ## Create a catch-all vhost
35 | ## A catch-all is a safe place for un-matched hostnames to land.
36 | ## This prevents someone pointing an-unwanted DNS record at your site and loading your pages.
37 | ## Example: yoursitesucks.com (CNAME) -> yourelbaddressQKAWZM8H-208090978.us-east-1.elb.amazonaws.com
38 | ## This host will accept any hostname and with a rewrite rule load the same index page giving away no details as to what they are hitting
39 | ## That way bots and hackers won't know what purpose a random IP listening on webports is really doing.
40 | ## Hitting the catch all doesn't let them know the customer is ExampleCo.com etc..
41 |
42 | ServerName unmatched-host-catch-all
43 | ServerAlias "*"
44 | ErrorDocument 403 /index.html
45 |
46 |
47 | ## Azure traffic manager will hit here so lets have a custom log for that
48 | SetEnvIf User-agent .*Azure\sTraffic\sManager.* trafficmanager
49 | CustomLog logs/healthcheck_access_log combined env=trafficmanager
50 | CustomLog logs/access_log combined env=!trafficmanager
51 | ## Specify where the catch all html files live
52 | DocumentRoot /mnt/var/www/default
53 | ## Add some visible targets AKA breadcrumbs that you can see in your browser dev tools or curl -I command
54 |
55 | Options Indexes FollowSymLinks
56 | AllowOverride None
57 | Require all granted
58 |
59 |
60 | Header always add X-Vhost catch-all
61 | Header add X-Dispatcher ${DISP_ID}
62 |
63 |
64 | ReWriteEngine on
65 | RewriteCond %{REQUEST_URI} !^/index.html$
66 | RewriteRule ^/* /index.html [F,L,NC]
67 |
68 |
69 |
--------------------------------------------------------------------------------
/scripts/setup.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # Copyright (c) 2024 Adobe Systems Incorporated. All rights reserved.
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | #
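17 | # Build-time setup: creates the docroots, enables the default vhosts and farms,
18 | # installs the dispatcher module and generates a self-signed certificate for haproxy.
19 | # The download, extraction, module copy and certificate steps stop the script on
20 | # failure, so a broken build is not mistaken for a working image.
21 |
22 | # The dispatcher archive name depends on the CPU architecture: x86_64 unless TARGETARCH is arm64.
23 | DISPARCH=x86_64
24 |
25 | if [ "${TARGETARCH}" = "arm64" ]; then
26 |     DISPARCH=aarch64
27 | fi
28 |
29 | #create default docroots
30 | for docroot in /mnt/var/www/html /mnt/var/www/default /mnt/var/www/author; do
31 |     mkdir -p "$docroot"
32 |     chown apache:apache "$docroot"
33 | done
34 |
35 | #create and link up default enabled vhosts (mkdir -p and ln -sf keep a re-run from failing)
36 | mkdir -p /etc/httpd/conf.d/enabled_vhosts
37 | for vhost in aem_author aem_flush_author aem_publish aem_flush aem_health weretail; do
38 |     ln -sf "/etc/httpd/conf.d/available_vhosts/$vhost.vhost" "/etc/httpd/conf.d/enabled_vhosts/$vhost.vhost"
39 | done
40 |
41 | #create and link up default enabled farms; 100_weretail_publish_farm is the sample config
42 | mkdir -p /etc/httpd/conf.dispatcher.d/enabled_farms
43 | for farm in 000_ams_catchall_farm 001_ams_author_flush_farm 001_ams_publish_flush_farm \
44 |         002_ams_author_farm 002_ams_publish_farm 100_weretail_publish_farm; do
45 |     ln -sf "/etc/httpd/conf.dispatcher.d/available_farms/$farm.any" "/etc/httpd/conf.dispatcher.d/enabled_farms/$farm.any"
46 | done
47 |
48 | #set up dispatcher
49 | DISPATCHER_VERSION=4.3.5
50 | mkdir -p /tmp/dispatcher
51 | cd /tmp/dispatcher || exit 1
52 |
53 | # --fail: exit non-zero on an HTTP error instead of saving the error page as the archive
54 | curl --fail -o dispatcher.tar.gz "https://download.macromedia.com/dispatcher/download/dispatcher-apache2.4-linux-$DISPARCH-$DISPATCHER_VERSION.tar.gz" || exit 1
55 |
56 | # Optional integrity check before the module is installed into httpd. DISPATCHER_SHA256 is a
57 | # variable introduced by this script; set it to a SHA-256 value obtained from a trusted source.
58 | if [ -n "${DISPATCHER_SHA256:-}" ]; then
59 |     echo "$DISPATCHER_SHA256  dispatcher.tar.gz" | sha256sum -c - || exit 1
60 | else
61 |     echo "WARNING: DISPATCHER_SHA256 is not set, the dispatcher archive is not verified" >&2
62 | fi
63 |
64 | tar zxvf dispatcher.tar.gz || exit 1
65 |
66 | cp -v "dispatcher-apache2.4-$DISPATCHER_VERSION.so" /etc/httpd/modules/mod_dispatcher.so || exit 1
67 |
68 | #set up haproxy SSL: self-signed certificate for CN=localhost, valid 365 days, key stored unencrypted (-nodes)
69 | # NOTE(review): the key and the combined PEM are created with the default umask; confirm the
70 | # resulting permissions fit the user haproxy is started as.
71 | mkdir -p /etc/ssl/docker && \
72 | openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=GB/ST=London/L=London/O=Adobe/CN=localhost" \
73 |     -keyout /etc/ssl/docker/localhost.key \
74 |     -out /etc/ssl/docker/localhost.crt && \
75 | cat /etc/ssl/docker/localhost.key /etc/ssl/docker/localhost.crt > /etc/ssl/docker/haproxy.pem || exit 1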
70 |
--------------------------------------------------------------------------------
/dispatcher-mount:
--------------------------------------------------------------------------------
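1 | #!/bin/sh
2 | # Runs the "dispatcher" image with the local ams/2.6 httpd configuration bind-mounted read-only.
3 | # Has to be started from the root directory of the dispatcher project.
4 |
5 | VERSION="ams/2.6"
6 | PATH_TO_CONF="etc/httpd"
7 | # Resolved once and always used quoted, so a project path that contains spaces works.
8 | BASE_DIR="$(pwd)"
9 | CONF_DIR="$BASE_DIR/$VERSION/$PATH_TO_CONF"
10 |
11 | if [ ! -d "$CONF_DIR/conf" ]; then
12 |     echo "**** ERROR ****"
13 |     echo "This script is supposed to be run in the root directory of the dispatcher project, "
14 |     echo "though we could not find a directory ./$VERSION/$PATH_TO_CONF/conf conf from the current directory."
15 |     echo "Please change to the projects main directory and try again."
16 |     echo ""
17 |     exit 1
18 | fi
19 |
20 | # host directories that are mounted into the container for the httpd logs and the cache
21 | mkdir -p logs cache
22 |
23 |
24 | echo ""
25 | echo "Starting dispatcher, mounting local configuration from ./$VERSION/$PATH_TO_CONF ..."
26 | echo " Open your browser at http://publish.docker.local/content/we-retail/us/en.html "
27 | echo " **** Press Ctrl-C to stop **** "
28 | echo ""
29 |
30 | # copy sample we-retail files
31 | cp sample/weretail.vhost "$VERSION/etc/httpd/conf.d/available_vhosts"
32 | cp sample/weretail_publish_farm.any "$VERSION/etc/httpd/conf.dispatcher.d/available_farms/100_weretail_publish_farm.any"
33 | cp sample/weretail_filters.any "$VERSION/etc/httpd/conf.dispatcher.d/filters"
34 |
35 | #create and link up default enabled vhosts
36 | # ln -sf replaces an existing link, so the script can be re-run
37 | VHOSTS_DIR="$VERSION/etc/httpd/conf.d/enabled_vhosts"
38 | mkdir -p "$VHOSTS_DIR"
39 | for vhost in aem_author aem_flush_author aem_publish aem_flush aem_health weretail; do
40 |     ln -sf "../available_vhosts/$vhost.vhost" "$VHOSTS_DIR/$vhost.vhost"
41 | done
42 |
43 | #create and link up default enabled farms; 100_weretail_publish_farm is the sample config
44 | FARMS_DIR="$VERSION/etc/httpd/conf.dispatcher.d/enabled_farms"
45 | mkdir -p "$FARMS_DIR"
46 | for farm in 000_ams_catchall_farm 001_ams_author_flush_farm 001_ams_publish_flush_farm \
47 |         002_ams_author_farm 002_ams_publish_farm 100_weretail_publish_farm; do
48 |     ln -sf "../available_farms/$farm.any" "$FARMS_DIR/$farm.any"
49 | done
50 |
51 |
52 | # The configuration directories are mounted read-only; only logs and cache are writable from the container.
53 | # NOTE(review): -p 80:8080 and -p 443:8443 publish the ports on all host interfaces; use
54 | # 127.0.0.1:80:8080 and 127.0.0.1:443:8443 if the container should only be reachable locally.
55 | docker run -p 80:8080 -p 443:8443 -it --rm \
56 |     --mount type=bind,src="$CONF_DIR/conf",dst=/etc/httpd/conf,readonly=true \
57 |     --mount type=bind,src="$CONF_DIR/conf.d",dst=/etc/httpd/conf.d,readonly=true \
58 |     --mount type=bind,src="$CONF_DIR/conf.dispatcher.d",dst=/etc/httpd/conf.dispatcher.d,readonly=true \
59 |     --mount type=bind,src="$CONF_DIR/conf.modules.d",dst=/etc/httpd/conf.modules.d,readonly=true \
60 |     --mount type=bind,src="$BASE_DIR/logs",dst=/var/log/httpd \
61 |     --mount type=bind,src="$BASE_DIR/cache",dst=/mnt/var/www/html \
62 |     --mount type=tmpfs,dst=/tmp \
63 |     --env-file scripts/env.sh \
64 |     --name mydispatcher dispatcher | cat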
66 |
67 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.modules.d/00-base.conf:
--------------------------------------------------------------------------------
1 | #
2 | # This file loads most of the modules included with the Apache HTTP
3 | # Server itself.
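4 | # NOTE(review): the list below includes mod_info, mod_status, mod_userdir, mod_dumpio and mod_echo; confirm each loaded module is needed and comment out the rest to reduce attack surface.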
5 |
6 | LoadModule access_compat_module modules/mod_access_compat.so
7 | LoadModule actions_module modules/mod_actions.so
8 | LoadModule alias_module modules/mod_alias.so
9 | LoadModule allowmethods_module modules/mod_allowmethods.so
10 | LoadModule auth_basic_module modules/mod_auth_basic.so
11 | LoadModule auth_digest_module modules/mod_auth_digest.so
12 | LoadModule authn_anon_module modules/mod_authn_anon.so
13 | LoadModule authn_core_module modules/mod_authn_core.so
14 | LoadModule authn_dbd_module modules/mod_authn_dbd.so
15 | LoadModule authn_dbm_module modules/mod_authn_dbm.so
16 | LoadModule authn_file_module modules/mod_authn_file.so
17 | LoadModule authn_socache_module modules/mod_authn_socache.so
18 | LoadModule authz_core_module modules/mod_authz_core.so
19 | LoadModule authz_dbd_module modules/mod_authz_dbd.so
20 | LoadModule authz_dbm_module modules/mod_authz_dbm.so
21 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
22 | LoadModule authz_host_module modules/mod_authz_host.so
23 | LoadModule authz_owner_module modules/mod_authz_owner.so
24 | LoadModule authz_user_module modules/mod_authz_user.so
25 | LoadModule autoindex_module modules/mod_autoindex.so
26 | LoadModule cache_module modules/mod_cache.so
27 | LoadModule cache_disk_module modules/mod_cache_disk.so
28 | LoadModule data_module modules/mod_data.so
29 | LoadModule dbd_module modules/mod_dbd.so
30 | LoadModule deflate_module modules/mod_deflate.so
31 | LoadModule dir_module modules/mod_dir.so
32 | LoadModule dumpio_module modules/mod_dumpio.so
33 | LoadModule echo_module modules/mod_echo.so
34 | LoadModule env_module modules/mod_env.so
35 | LoadModule expires_module modules/mod_expires.so
36 | LoadModule ext_filter_module modules/mod_ext_filter.so
37 | LoadModule filter_module modules/mod_filter.so
38 | LoadModule headers_module modules/mod_headers.so
39 | LoadModule include_module modules/mod_include.so
40 | LoadModule info_module modules/mod_info.so
41 | LoadModule log_config_module modules/mod_log_config.so
42 | LoadModule logio_module modules/mod_logio.so
43 | LoadModule mime_magic_module modules/mod_mime_magic.so
44 | LoadModule mime_module modules/mod_mime.so
45 | LoadModule negotiation_module modules/mod_negotiation.so
46 | LoadModule remoteip_module modules/mod_remoteip.so
47 | LoadModule reqtimeout_module modules/mod_reqtimeout.so
48 | LoadModule rewrite_module modules/mod_rewrite.so
49 | LoadModule setenvif_module modules/mod_setenvif.so
50 | LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
51 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
52 | LoadModule socache_dbm_module modules/mod_socache_dbm.so
53 | LoadModule socache_memcache_module modules/mod_socache_memcache.so
54 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
55 | LoadModule status_module modules/mod_status.so
56 | LoadModule substitute_module modules/mod_substitute.so
57 | LoadModule suexec_module modules/mod_suexec.so
58 | LoadModule unique_id_module modules/mod_unique_id.so
59 | LoadModule unixd_module modules/mod_unixd.so
60 | LoadModule userdir_module modules/mod_userdir.so
61 | LoadModule version_module modules/mod_version.so
62 | LoadModule vhost_alias_module modules/mod_vhost_alias.so
63 |
64 | #LoadModule buffer_module modules/mod_buffer.so
65 | #LoadModule watchdog_module modules/mod_watchdog.so
66 | #LoadModule heartbeat_module modules/mod_heartbeat.so
67 | #LoadModule heartmonitor_module modules/mod_heartmonitor.so
68 | #LoadModule usertrack_module modules/mod_usertrack.so
69 | #LoadModule dialup_module modules/mod_dialup.so
70 | #LoadModule charset_lite_module modules/mod_charset_lite.so
71 | #LoadModule log_debug_module modules/mod_log_debug.so
72 | #LoadModule ratelimit_module modules/mod_ratelimit.so
73 | #LoadModule reflector_module modules/mod_reflector.so
74 | #LoadModule request_module modules/mod_request.so
75 | #LoadModule sed_module modules/mod_sed.so
76 | #LoadModule speling_module modules/mod_speling.so
77 |
78 |
--------------------------------------------------------------------------------
/sample/weretail_publish_farm.any:
--------------------------------------------------------------------------------
1 | /weretail-publishfarm {
2 | ## client headers which should be passed through to the render instances
3 | ## (feature supported since dispatcher build 2.6.3.5222)
4 | /clientheaders {
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any"
6 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
7 | }
8 | ## hostname globbing for farm selection (virtual domain addressing)
9 | /virtualhosts {
10 | we-retail
11 | we-retail.docker.local
12 | }
13 | ## the load will be balanced among these render instances
14 | /renders {
15 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any"
16 | }
17 | ## only handle the requests in the following acl. default is 'none'
18 | ## the glob pattern is matched against the first request line
19 | /filter {
20 | $include "/etc/httpd/conf.dispatcher.d/filters/weretail_filters.any"
21 | }
22 | ## if the package is installed on publishers to generate a list of all content with a vanityurl attached
23 | ## this section will auto-allow the items to bypass the normal dispatcher filters
24 | ## Reference: https://docs.adobe.com/docs/en/dispatcher/disp-config.html#Enabling%20Access%20to%20Vanity%20URLs%20-%20/vanity_urls
25 | #/vanity_urls {
26 | # /url "/libs/granite/dispatcher/content/vanityUrls.html"
27 | # /file "/tmp/vanity_urls"
28 | # /delay 300
29 | #}
30 | ## allow propagation of replication posts (should seldomly be used)
31 | /propagateSyndPost "0"
32 | ## the cache is used to store requests from the renders for faster delivery
33 | ## for a second time.
34 | /cache {
35 | ## The cacheroot must be equal to the document root of the webserver
36 | /docroot "${PUBLISH_DOCROOT}"
37 | ## sets the level upto which files named ".stat" will be created in the
38 | ## document root of the webserver. when an activation request for some
39 | ## handle is received, only files within the same subtree are affected
40 | ## by the invalidation.
41 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
42 | ## caches also authorized data
43 | /allowAuthorized "0"
44 | ## Flag indicating whether the dispatcher should serve stale content if
45 | ## no remote server is available.
46 | /serveStaleOnError "1"
47 | ## the rules define, which pages should be cached. please note that
48 | ## - only GET requests are cached
49 | ## - only requests with an extension are cached
50 | ## - by default only requests without query parameters ( ? ) are cached; /ignoreUrlParams below changes this
51 | ## - only pages requested without authentication are cached unless allowAuthorized is set to 1
52 | /rules {
53 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any"
54 | }
55 | # the invalidate section defines those pages which are 'invalidated' after
56 | # any activation. please note that, the activated page itself and all
57 | # related documents are flushed on an modification. for example: if the
58 | # page /foo/bar is activated, all /foo/bar.* files are removed from the
59 | # cache.
60 | /invalidate {
61 | /0000 {
62 | /glob "*"
63 | /type "deny"
64 | }
65 | /0001 {
66 | /glob "*.html"
67 | /type "allow"
68 | }
69 | }
70 | /allowedClients {
71 | ## By default deny every client IP the right to send cache invalidation requests
72 | /0000 {
73 | /glob "*.*.*.*"
74 | /type "deny"
75 | }
76 | ## Allow certain IP's like publishers to invalidate cache
77 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any"
78 | }
79 | ## Cache response headers next to a cached file. On the first request to
80 | ## an uncached resource, all headers matching one of the values found here
81 | ## are stored in a separate file, next to the cache file. On subsequent
82 | ## requests to the cached resource, the stored headers are added to the
83 | ## response.
84 | ## Note, that file globbing characters are not allowed here.
85 | /headers {
86 | "Cache-Control"
87 | "Content-Disposition"
88 | "Content-Type"
89 | "Expires"
90 | "Last-Modified"
91 | "X-Content-Type-Options"
92 | }
93 | ## By default every query parameter is ignored, so a page is cached and served from cache regardless of its query string.
94 | ## For pages that render html differently based on the query parameters,
95 | ## add deny entries for those parameters here; otherwise one cached variant is served for every value
96 | /ignoreUrlParams {
97 | /0001 { /glob "*" /type "allow" }
98 | }
99 |
100 | # A grace period defines the number of seconds a stale, auto-invalidated
101 | # resource may still be served from the cache after the last activation
102 | # occurring. Auto-invalidated resources are invalidated by any activation,
103 | # when their path matches the /invalidate section above. This setting
104 | # can be used in a setup, where a batch of activations would otherwise
105 | # repeatedly invalidate the entire cache.
106 | /gracePeriod "2"
107 |
108 | ## Enable TTL evaluates the response headers from the backend, and if they
109 | ## contain a Cache-Control max-age or Expires date, an auxiliary, empty file
110 | ## next to the cache file is created, with modification time equal to the
111 | ## expiry date. When the cache file is requested past the modification time
112 | ## it is automatically re-requested from the backend.
113 | # /enableTTL "1"
114 | }
115 | }
116 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/100_weretail_publish_farm.any:
--------------------------------------------------------------------------------
1 | /weretail-publishfarm {
2 | ## client headers which should be passed through to the render instances
3 | ## (feature supported since dispatcher build 2.6.3.5222)
4 | /clientheaders {
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any"
6 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
7 | }
8 | ## hostname globbing for farm selection (virtual domain addressing)
9 | /virtualhosts {
10 | we-retail
11 | we-retail.docker.local
12 | }
13 | ## the load will be balanced among these render instances
14 | /renders {
15 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any"
16 | }
17 | ## only handle the requests in the following acl. default is 'none'
18 | ## the glob pattern is matched against the first request line
19 | /filter {
20 | $include "/etc/httpd/conf.dispatcher.d/filters/weretail_filters.any"
21 | }
22 | ## if the package that generates a list of all content with a vanity URL attached is installed on the publishers,
23 | ## this section auto-allows those items, bypassing the /filter rules above, so enable it only if that list is trusted
24 | ## Reference: https://docs.adobe.com/docs/en/dispatcher/disp-config.html#Enabling%20Access%20to%20Vanity%20URLs%20-%20/vanity_urls
25 | #/vanity_urls {
26 | # /url "/libs/granite/dispatcher/content/vanityUrls.html"
27 | # /file "/tmp/vanity_urls"
28 | # /delay 300
29 | #}
30 | ## allow propagation of replication posts (should seldomly be used)
31 | /propagateSyndPost "0"
32 | ## the cache is used to store requests from the renders for faster delivery
33 | ## for a second time.
34 | /cache {
35 | ## The cacheroot must be equal to the document root of the webserver
36 | /docroot "${PUBLISH_DOCROOT}"
37 | ## sets the level upto which files named ".stat" will be created in the
38 | ## document root of the webserver. when an activation request for some
39 | ## handle is received, only files within the same subtree are affected
40 | ## by the invalidation.
41 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
42 | ## whether responses to authenticated requests are cached as well; "0" keeps them out of the shared cache
43 | /allowAuthorized "0"
44 | ## Flag indicating whether the dispatcher should serve stale content if
45 | ## no remote server is available.
46 | /serveStaleOnError "1"
47 | ## the rules define, which pages should be cached. please note that
48 | ## - only GET requests are cached
49 | ## - only requests with an extension are cached
50 | ## - by default only requests without query parameters ( ? ) are cached; /ignoreUrlParams below changes this
51 | ## - only pages requested without authentication are cached unless allowAuthorized is set to 1
52 | /rules {
53 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any"
54 | }
55 | # the invalidate section defines those pages which are 'invalidated' after
56 | # any activation. please note that, the activated page itself and all
57 | # related documents are flushed on an modification. for example: if the
58 | # page /foo/bar is activated, all /foo/bar.* files are removed from the
59 | # cache.
60 | /invalidate {
61 | /0000 {
62 | /glob "*"
63 | /type "deny"
64 | }
65 | /0001 {
66 | /glob "*.html"
67 | /type "allow"
68 | }
69 | }
70 | /allowedClients {
71 | ## By default deny every client IP the right to send cache invalidation requests
72 | /0000 {
73 | /glob "*.*.*.*"
74 | /type "deny"
75 | }
76 | ## Allow certain IP's like publishers to invalidate cache
77 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any"
78 | }
79 | ## Cache response headers next to a cached file. On the first request to
80 | ## an uncached resource, all headers matching one of the values found here
81 | ## are stored in a separate file, next to the cache file. On subsequent
82 | ## requests to the cached resource, the stored headers are added to the
83 | ## response.
84 | ## Note, that file globbing characters are not allowed here.
85 | /headers {
86 | "Cache-Control"
87 | "Content-Disposition"
88 | "Content-Type"
89 | "Expires"
90 | "Last-Modified"
91 | "X-Content-Type-Options"
92 | }
93 | ## By default every query parameter is ignored, so a page is cached and served from cache regardless of its query string.
94 | ## For pages that render html differently based on the query parameters,
95 | ## add deny entries for those parameters here; otherwise one cached variant is served for every value
96 | /ignoreUrlParams {
97 | /0001 { /glob "*" /type "allow" }
98 | }
99 |
100 | # A grace period defines the number of seconds a stale, auto-invalidated
101 | # resource may still be served from the cache after the last activation
102 | # occurring. Auto-invalidated resources are invalidated by any activation,
103 | # when their path matches the /invalidate section above. This setting
104 | # can be used in a setup, where a batch of activations would otherwise
105 | # repeatedly invalidate the entire cache.
106 | /gracePeriod "2"
107 |
108 | ## Enable TTL evaluates the response headers from the backend, and if they
109 | ## contain a Cache-Control max-age or Expires date, an auxiliary, empty file
110 | ## next to the cache file is created, with modification time equal to the
111 | ## expiry date. When the cache file is requested past the modification time
112 | ## it is automatically re-requested from the backend.
113 | # /enableTTL "1"
114 | }
115 | }
116 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf.dispatcher.d/available_farms/002_ams_publish_farm.any:
--------------------------------------------------------------------------------
1 | /publishfarm {
2 | ## client headers which should be passed through to the render instances
3 | ## (feature supported since dispatcher build 2.6.3.5222)
4 | /clientheaders {
5 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any"
6 | $include "/etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any"
7 | }
8 | ## hostname globbing for farm selection (virtual domain addressing)
9 | /virtualhosts {
10 | $include "/etc/httpd/conf.dispatcher.d/vhosts/ams_publish_vhosts.any"
11 | }
12 | ## the load will be balanced among these render instances
13 | /renders {
14 | $include "/etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any"
15 | }
16 | ## only handle the requests in the following acl. default is 'none'
17 | ## the glob pattern is matched against the first request line
18 | /filter {
19 | $include "/etc/httpd/conf.dispatcher.d/filters/ams_publish_filters.any"
20 | }
21 | ## if the package that generates a list of all content with a vanity URL attached is installed on the publishers,
22 | ## this section auto-allows those items, bypassing the /filter rules above, so enable it only if that list is trusted
23 | ## Reference: https://docs.adobe.com/docs/en/dispatcher/disp-config.html#Enabling%20Access%20to%20Vanity%20URLs%20-%20/vanity_urls
24 | #/vanity_urls {
25 | # /url "/libs/granite/dispatcher/content/vanityUrls.html"
26 | # /file "/tmp/vanity_urls"
27 | # /delay 300
28 | #}
29 | ## allow propagation of replication posts (should seldomly be used)
30 | /propagateSyndPost "0"
31 | ## the cache is used to store requests from the renders for faster delivery
32 | ## for a second time.
33 | /cache {
34 | ## The cacheroot must be equal to the document root of the webserver
35 | /docroot "${PUBLISH_DOCROOT}"
36 | ## sets the level upto which files named ".stat" will be created in the
37 | ## document root of the webserver. when an activation request for some
38 | ## handle is received, only files within the same subtree are affected
39 | ## by the invalidation.
40 | /statfileslevel "${DEFAULT_STAT_LEVEL}"
41 | ## whether responses to authenticated requests are cached as well; "0" keeps them out of the shared cache
42 | /allowAuthorized "0"
43 | ## Flag indicating whether the dispatcher should serve stale content if
44 | ## no remote server is available.
45 | /serveStaleOnError "1"
46 | ## the rules define, which pages should be cached. please note that
47 | ## - only GET requests are cached
48 | ## - only requests with an extension are cached
49 | ## - by default only requests without query parameters ( ? ) are cached; /ignoreUrlParams below changes this
50 | ## - only pages requested without authentication are cached unless allowAuthorized is set to 1
51 | /rules {
52 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any"
53 | }
54 | # the invalidate section defines those pages which are 'invalidated' after
55 | # any activation. please note that, the activated page itself and all
56 | # related documents are flushed on an modification. for example: if the
57 | # page /foo/bar is activated, all /foo/bar.* files are removed from the
58 | # cache.
59 | /invalidate {
60 | /0000 {
61 | /glob "*"
62 | /type "deny"
63 | }
64 | /0001 {
65 | /glob "*.html"
66 | /type "allow"
67 | }
68 | }
69 | /allowedClients {
70 | ## By default deny every client IP the right to send cache invalidation requests
71 | /0000 {
72 | /glob "*.*.*.*"
73 | /type "deny"
74 | }
75 | ## Allow certain IP's like publishers to invalidate cache
76 | $include "/etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any"
77 | }
78 | ## Cache response headers next to a cached file. On the first request to
79 | ## an uncached resource, all headers matching one of the values found here
80 | ## are stored in a separate file, next to the cache file. On subsequent
81 | ## requests to the cached resource, the stored headers are added to the
82 | ## response.
83 | ## Note, that file globbing characters are not allowed here.
84 | /headers {
85 | "Cache-Control"
86 | "Content-Disposition"
87 | "Content-Type"
88 | "Expires"
89 | "Last-Modified"
90 | "X-Content-Type-Options"
91 | }
92 | ## By default every query parameter is ignored, so a page is cached and served from cache regardless of its query string.
93 | ## For pages that render html differently based on the query parameters,
94 | ## add deny entries for those parameters here; otherwise one cached variant is served for every value
95 | /ignoreUrlParams {
96 | /0001 { /glob "*" /type "allow" }
97 | }
98 |
99 | # A grace period defines the number of seconds a stale, auto-invalidated
100 | # resource may still be served from the cache after the last activation
101 | # occurring. Auto-invalidated resources are invalidated by any activation,
102 | # when their path matches the /invalidate section above. This setting
103 | # can be used in a setup, where a batch of activations would otherwise
104 | # repeatedly invalidate the entire cache.
105 | /gracePeriod "2"
106 |
107 | ## Enable TTL evaluates the response headers from the backend, and if they
108 | ## contain a Cache-Control max-age or Expires date, an auxiliary, empty file
109 | ## next to the cache file is created, with modification time equal to the
110 | ## expiry date. When the cache file is requested past the modification time
111 | ## it is automatically re-requested from the backend.
112 | # /enableTTL "1"
113 | }
114 | }
115 |
--------------------------------------------------------------------------------
/sample/weretail_filters.any:
--------------------------------------------------------------------------------
1 |
2 | ###############################################################################################
3 | ##
4 | ## NOTE:
5 | ## This file is for educational use, only. It does not guarantee a safe configuration
6 | ## for production use!
7 | ##
8 | ## Visit https://medium.com/@achimkoch/writing-better-aem-dispatcher-filters-f23b391624a9
9 | ## for documentation on the rule style used here
10 | ##
11 | ###############################################################################################
12 |
13 |
14 |
15 |
16 | ###############################################################################################
17 | ##
18 | ## DENY LIST:
19 | ## Deny everything by default
20 | ##
21 | ###############################################################################################
22 |
23 | /DENY_ALL { /type "deny" /url "*" }
24 |
25 |
26 | ###############################################################################################
27 | ##
28 | ## ALLOW LIST:
29 | ## Allow only URLs the application requires and that are known to be secure.
30 | ## Whitelist entries must be as SPECIFIC as possible, i.e. they should define as many
31 | ## attributes as possible (path, extension and suffix).
32 | ##
33 | ## Note: We use mnemonic names for the rules instead of numeric ones for better readability
34 | ##
35 | ##############################################################################################
36 |
37 |
38 | ## regular content and resource access;
39 | ## pattern: /allow- { /type "allow" /method "GET" /path '' /selectors '' /extension '' /suffix '' }
40 |
41 | /allow-content-html { /type "allow" /method "GET" /path '/content/.*' /selectors '' /extension 'html' /suffix '' }
42 | /allow-content-resources { /type "allow" /method "GET" /path '/content/.*' /selectors '' /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2)' /suffix '' }
43 | /allow-clientlib-resources { /type "allow" /method "GET" /path '/etc/clientlibs/.*' /selectors '' /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|png|svg|swf|ttf|woff|woff2)' /suffix '' }
44 |
45 | /allow-contexthub { /type "allow" /method "GET" /path '/content/.*/_jcr_content/contexthub' /selectors '(pagedata|commerce|cart|orderhistory|relatedproducts|smartlists)' /extension '(json)' } ## NOTE(review): no /suffix pattern here, unlike the rules above, so any suffix is accepted - confirm that is intended
46 | /allow-productimages { /type "allow" /method "GET" /path '/content/.*/_jcr_content/.*' /selectors '(img|coreimg)' /extension '(jpg|jpeg|png)' /suffix '.*(jpg|jpeg|png)' }
47 |
48 |
49 | /allow-base-clientlibs-proxyservlet { /type "allow" /method "GET" /url '/etc.clientlibs/(clientlibs|foundation|core).*\.(css|js)' }
50 | /allow-application-clientlibs-proxyservlet { /type "allow" /method "GET" /url '/etc.clientlibs/weretail/clientlibs/.*\.(css|js|woff2|ttf)' }
51 |
52 | ## individual URLs;
53 | ## pattern /allow- { /type "allow" /method "GET" /url '' }
54 |
55 | /allow-cloudsettings { /type "allow" /method "GET" /url '/etc/cloudsettings.kernel.js/libs/settings/cloudsettings/legacy/contexthub'}
56 | /allow-favicon { /type "allow" /method "GET" /url '/favicon.ico'}
57 | /allow-segmentation { /type "allow" /method "GET" /url '/conf/we-retail/settings/wcm/segments.seg.js' }
58 |
59 |
60 | ## allow basic built-in functionality
61 | /allow-csrf-token { /type "allow" /method "GET" /url '/libs/granite/csrf/token.json' /extension 'json' }
62 |
63 | #/allow-personalization { /type "allow" /method "GET" /path "/libs/cq/personalization" }
64 | #/allow-shopping-cart { /type "allow" /method "POST" /path "/content/[.]*.commerce.cart.json" } ## allow POSTs to update the shopping cart
65 |
66 |
67 |
68 | ###############################################################################################
69 | ##
70 | ## BACKSTOP:
71 | ##
72 | ## Deny all URLs that are known to be harmful. These rules must be as GENERIC as possible,
73 | ## i.e. if possible define only path, suffix or extension patterns. The last matching rule wins, so keep them after the allow list.
74 | ##
75 | ###############################################################################################
76 |
77 | #/deny-sufixes { /type "deny" /url "/content*" }
78 |
79 |
80 | /deny-greedy-selectors { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' } ## selectors that return feeds, listings or bulk JSON/XML dumps of content (a numeric selector sets the dump depth)
81 | /deny-authoring-queries-001 { /type "deny" /method "GET" /query "debug=*" } ## debug= is an authoring aid; not needed on a public publish host
82 | /deny-authoring-queries-002 { /type "deny" /method "GET" /query "wcmmode=*" } ## wcmmode= switches a page's authoring mode; other methods are already refused by /DENY_ALL
83 |
84 | /deny-healthcheck-on-public-domainname { /type "deny" /path "/content/ams/healthcheck/*"}
85 | /deny-regent-on-oublic-domainname { /type "deny" /url "/content/regent.html"} ## NOTE(review): "oublic" in the rule name looks like a typo for "public"; the name is only a label
86 | /deny-path-traversal-attack { /type "deny" /url '.*/[.][.];/.*' } ## matches a "/..;/" path segment anywhere in the URL
87 | /deny-password-hash-retrieval { /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' } ## AMSSEC033 Deny AEM password hash retrieval (AMSAUTO-15449)
88 | /deny-bracket-filter-pivots { /type "deny" /url '.*(\\[|]).*' } ## Deny bracket filter pivots like /.[./ which tries to resolve as a /../ (AMSAUTO-22244)
89 |
90 |
91 | ## AMS blocks suffix and selectors by default, as these are the most abused filter bypasses; only allow the ones you need. The rules below are commented out in this sample.
92 | #/0025 { /type "deny" /url "/content*" /suffix "*" }
93 | #/0026 { /type "deny" /url "/content*" /selectors "*" }
94 | #/9026 { /type "allow" /url '/content/.*' /selectors '(img|coreimg)' }
95 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Adobe Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | We as members, contributors, and leaders pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
6 |
7 | We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
8 |
9 | ## Our Standards
10 |
11 | Examples of behavior that contribute to a positive environment for our project and community include:
12 |
13 | * Demonstrating empathy and kindness toward other people
14 | * Being respectful of differing opinions, viewpoints, and experiences
15 | * Giving and gracefully accepting constructive feedback
16 | * Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
17 | * Focusing on what is best, not just for us as individuals but for the overall community
18 |
19 | Examples of unacceptable behavior include:
20 |
21 | * The use of sexualized language or imagery, and sexual attention or advances of any kind
22 | * Trolling, insulting or derogatory comments, and personal or political attacks
23 | * Public or private harassment
24 | * Publishing others’ private information, such as a physical or email address, without their explicit permission
25 | * Other conduct which could reasonably be considered inappropriate in a professional setting
26 |
27 | ## Our Responsibilities
28 |
29 | Project maintainers are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any instances of unacceptable behavior.
30 |
31 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for behaviors that they deem inappropriate, threatening, offensive, or harmful.
32 |
33 | ## Scope
34 |
35 | This Code of Conduct applies when an individual is representing the project or its community both within project spaces and in public spaces. Examples of representing a project or community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
36 |
37 | ## Enforcement
38 |
39 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by first contacting the project team. Oversight of Adobe projects is handled by the Adobe Open Source Office, which has final say in any violations and enforcement of this Code of Conduct and can be reached at . All complaints will be reviewed and investigated promptly and fairly.
40 |
41 | The project team must respect the privacy and security of the reporter of any incident.
42 |
43 | Project maintainers who do not follow or enforce the Code of Conduct may face temporary or permanent repercussions as determined by other members of the project's leadership or the Adobe Open Source Office.
44 |
45 | ## Enforcement Guidelines
46 |
47 | Project maintainers will follow these Community Impact Guidelines in determining the consequences for any action they deem to be in violation of this Code of Conduct:
48 |
49 | ### 1. Correction
50 |
51 | Community Impact: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
52 |
53 | Consequence: A private, written warning from project maintainers describing the violation and why the behavior was unacceptable. A public apology may be requested from the violator before any further involvement in the project by violator.
54 |
55 | ### 2. Warning
56 |
57 | Community Impact: A relatively minor violation through a single incident or series of actions.
58 |
59 | Consequence: A written warning from project maintainers that includes stated consequences for continued unacceptable behavior. Violator must refrain from interacting with the people involved for a specified period of time as determined by the project maintainers, including, but not limited to, unsolicited interaction with those enforcing the Code of Conduct through channels such as community spaces and social media. Continued violations may lead to a temporary or permanent ban.
60 |
61 | ### 3. Temporary Ban
62 |
63 | Community Impact: A more serious violation of community standards, including sustained unacceptable behavior.
64 |
65 | Consequence: A temporary ban from any interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Failure to comply with the temporary ban may lead to a permanent ban.
66 |
67 | ### 4. Permanent Ban
68 |
69 | Community Impact: Demonstrating a consistent pattern of violation of community standards or an egregious violation of community standards, including, but not limited to, sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
70 |
71 | Consequence: A permanent ban from any interaction with the community.
72 |
73 | ## Attribution
74 |
75 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1,
76 | available at [http://contributor-covenant.org/version/2/1][version]
77 |
78 | [homepage]: http://contributor-covenant.org
79 | [version]: http://contributor-covenant.org/version/2/1
80 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | APPENDIX: How to apply the Apache License to your work.
180 |
181 | To apply the Apache License to your work, attach the following
182 | boilerplate notice, with the fields enclosed by brackets "[]"
183 | replaced with your own identifying information. (Don't include
184 | the brackets!) The text should be enclosed in the appropriate
185 | comment syntax for the file format. We also recommend that a
186 | file or class name and description of purpose be included on the
187 | same "printed page" as the copyright notice for easier
188 | identification within third-party archives.
189 |
190 | Copyright 2024 Adobe Systems Incorporated.
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf/httpd.conf:
--------------------------------------------------------------------------------
1 | #
2 | # This is the main Apache HTTP server configuration file. It contains the
3 | # configuration directives that give the server its instructions.
4 | # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
5 | # In particular, see
6 | # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
7 | # for a discussion of each configuration directive.
8 | #
9 | # Do NOT simply read the instructions in here without understanding
10 | # what they do. They're here only as hints or reminders. If you are unsure
11 | # consult the online docs. You have been warned.
12 | #
13 | # Configuration and logfile names: If the filenames you specify for many
14 | # of the server's control files begin with "/" (or "drive:/" for Win32), the
15 | # server will use that explicit path. If the filenames do *not* begin
16 | # with "/", the value of ServerRoot is prepended -- so 'log/access_log'
17 | # with ServerRoot set to '/www' will be interpreted by the
18 | # server as '/www/log/access_log', where as '/log/access_log' will be
19 | # interpreted as '/log/access_log'.
20 |
21 | #
22 | # ServerRoot: The top of the directory tree under which the server's
23 | # configuration, error, and log files are kept.
24 | #
25 | # Do not add a slash at the end of the directory path. If you point
26 | # ServerRoot at a non-local disk, be sure to specify a local disk on the
27 | # Mutex directive, if file-based mutexes are used. If you wish to share the
28 | # same ServerRoot for multiple httpd daemons, you will need to change at
29 | # least PidFile.
30 | #
31 | ServerRoot "/etc/httpd"
32 |
33 | #
34 | # Listen: Allows you to bind Apache to specific IP addresses and/or
35 | # ports, instead of the default. See also the <VirtualHost>
36 | # directive.
37 | #
38 | # Change this to Listen on specific IP addresses as shown below to
39 | # prevent Apache from glomming onto all bound IP addresses.
40 | #
41 | #Listen 12.34.56.78:80
42 | Listen 80
43 |
44 | #
45 | # Dynamic Shared Object (DSO) Support
46 | #
47 | # To be able to use the functionality of a module which was built as a DSO you
48 | # have to place corresponding `LoadModule' lines at this location so the
49 | # directives contained in it are actually available _before_ they are used.
50 | # Statically compiled modules (those listed by `httpd -l') do not need
51 | # to be loaded here.
52 | #
53 | # Example:
54 | # LoadModule foo_module modules/mod_foo.so
55 | #
56 | Include conf.modules.d/*.conf
57 |
58 | #
59 | # If you wish httpd to run as a different user or group, you must run
60 | # httpd as root initially and it will switch.
61 | #
62 | # User/Group: The name (or #number) of the user/group to run httpd as.
63 | # It is usually good practice to create a dedicated user and group for
64 | # running httpd, as with most system services.
65 | #
66 | User apache
67 | Group apache
68 |
69 | # 'Main' server configuration
70 | #
71 | # The directives in this section set up the values used by the 'main'
72 | # server, which responds to any requests that aren't handled by a
73 | # <VirtualHost> definition. These values also provide defaults for
74 | # any <VirtualHost> containers you may define later in the file.
75 | #
76 | # All of these directives may appear inside <VirtualHost> containers,
77 | # in which case these default settings will be overridden for the
78 | # virtual host being defined.
79 | #
80 |
81 | #
82 | # ServerAdmin: Your address, where problems with the server should be
83 | # e-mailed. This address appears on some server-generated pages, such
84 | # as error documents. e.g. admin@your-domain.com
85 | #
86 | ServerAdmin root@localhost
87 |
88 | #
89 | # ServerName gives the name and port that the server uses to identify itself.
90 | # This can often be determined automatically, but we recommend you specify
91 | # it explicitly to prevent problems during startup.
92 | #
93 | # If your host doesn't have a registered DNS name, enter its IP address here.
94 | #
95 | #ServerName www.example.com:80
96 |
97 | #
98 | # Deny access to the entirety of your server's filesystem. You must
99 | # explicitly permit access to web content directories in other
100 | # <Directory> blocks below.
101 | #
102 | <Directory />
103 | AllowOverride none
104 | Require all denied
105 | </Directory>
106 |
107 | #
108 | # Note that from this point forward you must specifically allow
109 | # particular features to be enabled - so if something's not working as
110 | # you might expect, make sure that you have specifically enabled it
111 | # below.
112 | #
113 |
114 | #
115 | # DocumentRoot: The directory out of which you will serve your
116 | # documents. By default, all requests are taken from this directory, but
117 | # symbolic links and aliases may be used to point to other locations.
118 | #
119 | DocumentRoot "/var/www/html"
120 |
121 | #
122 | # Relax access to content within /var/www.
123 | #
124 | <Directory "/var/www">
125 | AllowOverride None
126 | # Allow open access:
127 | Require all granted
128 | </Directory>
129 |
130 | # Further relax access to the default document root:
131 | <Directory "/var/www/html">
132 | #
133 | # Possible values for the Options directive are "None", "All",
134 | # or any combination of:
135 | # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
136 | #
137 | # Note that "MultiViews" must be named *explicitly* --- "Options All"
138 | # doesn't give it to you.
139 | #
140 | # The Options directive is both complicated and important. Please see
141 | # http://httpd.apache.org/docs/2.4/mod/core.html#options
142 | # for more information. Note: with mod_autoindex loaded, "Indexes" below makes httpd return a generated file listing for any directory under this root that has no DirectoryIndex file; drop it if listings are not intended.
143 | #
144 | Options Indexes FollowSymLinks
145 |
146 | #
147 | # AllowOverride controls what directives may be placed in .htaccess files.
148 | # It can be "All", "None", or any combination of the keywords:
149 | # Options FileInfo AuthConfig Limit
150 | #
151 | AllowOverride None
152 |
153 | #
154 | # Controls who can get stuff from this server.
155 | #
156 | Require all granted
157 | </Directory>
158 |
159 | #
160 | # DirectoryIndex: sets the file that Apache will serve if a directory
161 | # is requested.
162 | #
163 |
164 | DirectoryIndex index.html
165 |
166 |
167 | #
168 | # The following lines prevent .htaccess and .htpasswd files from being
169 | # viewed by Web clients.
170 | #
171 | <Files ".ht*">
172 | Require all denied
173 | </Files>
174 |
175 | #
176 | # ErrorLog: The location of the error log file.
177 | # If you do not specify an ErrorLog directive within a <VirtualHost>
178 | # container, error messages relating to that virtual host will be
179 | # logged here. If you *do* define an error logfile for a <VirtualHost>
180 | # container, that host's errors will be logged there and not here.
181 | #
182 | ErrorLog "logs/error_log"
183 |
184 | #
185 | # LogLevel: Control the number of messages logged to the error_log.
186 | # Possible values include: debug, info, notice, warn, error, crit,
187 | # alert, emerg.
188 | #
189 | LogLevel warn
190 |
191 |
192 | #
193 | # The following directives define some format nicknames for use with
194 | # a CustomLog directive (see below).
195 | #
196 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
197 | LogFormat "%h %l %u %t \"%r\" %>s %b" common
198 |
199 |
200 | # You need to enable mod_logio.c to use %I and %O
201 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
202 |
203 |
204 | #
205 | # The location and format of the access logfile (Common Logfile Format).
206 | # If you do not define any access logfiles within a <VirtualHost>
207 | # container, they will be logged here. Contrariwise, if you *do*
208 | # define per-<VirtualHost> access logfiles, transactions will be
209 | # logged therein and *not* in this file.
210 | #
211 | #CustomLog "logs/access_log" common
212 |
213 | #
214 | # If you prefer a logfile with access, agent, and referer information
215 | # (Combined Logfile Format) you can use the following directive.
216 | #
217 | CustomLog "logs/access_log" combined
218 |
219 |
220 |
221 | #
222 | # Redirect: Allows you to tell clients about documents that used to
223 | # exist in your server's namespace, but do not anymore. The client
224 | # will make a new request for the document at its new location.
225 | # Example:
226 | # Redirect permanent /foo http://www.example.com/bar
227 |
228 | #
229 | # Alias: Maps web paths into filesystem paths and is used to
230 | # access content that does not live under the DocumentRoot.
231 | # Example:
232 | # Alias /webpath /full/filesystem/path
233 | #
234 | # If you include a trailing / on /webpath then the server will
235 | # require it to be present in the URL. You will also likely
236 | # need to provide a <Directory> section to allow access to
237 | # the filesystem path.
238 |
239 | #
240 | # ScriptAlias: This controls which directories contain server scripts.
241 | # ScriptAliases are essentially the same as Aliases, except that
242 | # documents in the target directory are treated as applications and
243 | # run by the server when requested rather than as documents sent to the
244 | # client. The same rules about trailing "/" apply to ScriptAlias
245 | # directives as to Alias.
246 | #
247 | ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
248 |
249 |
250 |
251 | #
252 | # "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
253 | # CGI directory exists, if you have that configured.
254 | #
255 | <Directory "/var/www/cgi-bin">
256 | AllowOverride None
257 | Options None
258 | Require all granted
259 | </Directory>
260 |
261 |
262 | #
263 | # TypesConfig points to the file containing the list of mappings from
264 | # filename extension to MIME-type.
265 | #
266 | TypesConfig /etc/mime.types
267 |
268 | #
269 | # AddType allows you to add to or override the MIME configuration
270 | # file specified in TypesConfig for specific file types.
271 | #
272 | #AddType application/x-gzip .tgz
273 | #
274 | # AddEncoding allows you to have certain browsers uncompress
275 | # information on the fly. Note: Not all browsers support this.
276 | #
277 | #AddEncoding x-compress .Z
278 | #AddEncoding x-gzip .gz .tgz
279 | #
280 | # If the AddEncoding directives above are commented-out, then you
281 | # probably should define those extensions to indicate media types:
282 | #
283 | AddType application/x-compress .Z
284 | AddType application/x-gzip .gz .tgz
285 |
286 | #
287 | # AddHandler allows you to map certain file extensions to "handlers":
288 | # actions unrelated to filetype. These can be either built into the server
289 | # or added with the Action directive (see below)
290 | #
291 | # To use CGI scripts outside of ScriptAliased directories:
292 | # (You will also need to add "ExecCGI" to the "Options" directive.)
293 | #
294 | #AddHandler cgi-script .cgi
295 |
296 | # For type maps (negotiated resources):
297 | #AddHandler type-map var
298 |
299 | #
300 | # Filters allow you to process content before it is sent to the client.
301 | #
302 | # To parse .shtml files for server-side includes (SSI):
303 | # (You will also need to add "Includes" to the "Options" directive.)
304 | #
305 | AddType text/html .shtml
306 | AddOutputFilter INCLUDES .shtml
307 |
308 |
309 | #
310 | # Specify a default charset for all content served; this enables
311 | # interpretation of all content as UTF-8 by default. To use the
312 | # default browser choice (ISO-8859-1), or to allow the META tags
313 | # in HTML content to override this choice, comment out this
314 | # directive:
315 | #
316 | AddDefaultCharset UTF-8
317 |
318 |
319 | #
320 | # The mod_mime_magic module allows the server to use various hints from the
321 | # contents of the file itself to determine its type. The MIMEMagicFile
322 | # directive tells the module where the hint definitions are located.
323 | #
324 | MIMEMagicFile conf/magic
325 |
326 |
327 | #
328 | # Customizable error responses come in three flavors:
329 | # 1) plain text 2) local redirects 3) external redirects
330 | #
331 | # Some examples:
332 | #ErrorDocument 500 "The server made a boo boo."
333 | #ErrorDocument 404 /missing.html
334 | #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
335 | #ErrorDocument 402 http://www.example.com/subscription_info.html
336 | #
337 |
338 | #
339 | # EnableMMAP and EnableSendfile: On systems that support it,
340 | # memory-mapping or the sendfile syscall may be used to deliver
341 | # files. This usually improves server performance, but must
342 | # be turned off when serving from networked-mounted
343 | # filesystems or if support for these functions is otherwise
344 | # broken on your system.
345 | # Defaults if commented: EnableMMAP On, EnableSendfile Off
346 | #
347 | #EnableMMAP off
348 | EnableSendfile on
349 |
350 | # Supplemental configuration
351 | #
352 | # Load config files in the "/etc/httpd/conf.d" directory, if any.
353 | IncludeOptional conf.d/*.conf
354 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Dispatcher Docker image
3 |
4 | This is a simple dispatcher image that is very close to an AMS setup.
5 | It builds on top of [Redhat Universal Base Image 8.8](https://hub.docker.com/r/redhat/ubi8) and contains the default AMS Dispatcher 2.6 configuration.
6 |
7 | The default publish host has been set to `publish.docker.local` and the default renderer is set to `host.docker.internal:4503` which should point to the AEM instance running on your local computer.
8 |
9 | [HAProxy](https://www.haproxy.org/) has been embedded in the image to support SSL connections that mimic how AMS has set up their ELBs/AppGWs.
10 |
11 | Environmental variables are configured in `scripts/env.sh`
12 |
13 | # Basic Setup
14 |
15 | ## Building the image
16 |
17 | We use docker's buildx to support multi-arch images.
18 |
19 | ```shell
20 | docker buildx create --use
21 | docker buildx build --load -t dispatcher --platform=linux/amd64 .
22 | ```
23 |
24 | To build for Apple Silicon or Windows ARM, use `--platform=linux/arm64` instead
25 |
26 | Multi-arch images can be built, but can only be pushed to a remote registry and not be directly loaded in Docker desktop.
27 |
28 | ## Checking the created image
29 |
30 | ```shell
31 | $ docker images
32 | REPOSITORY TAG IMAGE ID CREATED SIZE
33 | dispatcher latest 6b4b91a23c06 1 minute ago 725MB
34 | ```
35 |
36 | ## How to use the image
37 |
38 | You can run the image in two different ways
39 |
40 | 1. As a completely independent remote server
41 | - This is a quick way to get dispatcher up and running locally when you're not planning to make any changes to the configuration files.
42 | 2. By keeping the configuration files on your local system and mounting them when you start the image.
43 | - This is the recommended way to start the image as it will allow you to quickly make changes and see them apply without the need to rebuild the container.
44 |
45 | ### Running the image
46 |
47 | ```shell
48 | docker run -p 80:8080 -p 443:8443 -itd --rm --env-file scripts/env.sh --name dispatcher dispatcher
49 | ```
50 |
51 | | Quick Reference | |
52 | | ----------------- | ------------------------------------------------------------ |
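53 | | -p 80:8080 | map port 80 of the host to port 8080 of the container (use -p 8080:8080 if port 80 is already in use on the host). The port is published on all host interfaces; use -p 127.0.0.1:80:8080 to keep it reachable from the local machine only |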
54 | | -p 443:8443 | map port 443 of the host to port 8443 of the container. (use -p 4443:8443 if port 443 already is in use on the host) |
55 | | -i | keep STDIN open even if not attached ("interactive") and |
56 | | -t | allocate a pseudo-tty to allow interactive logins ("tty") |
57 | | -d | run docker detached in the background |
58 | | --rm | automatically remove the container when it exits |
59 | | --env-file | Environment file to bind to the container |
60 | | --name dispatcher | assign name "dispatcher" to the container, consider setting a different name per project. |
61 |
62 | ### Using Docker Compose
63 |
64 | Provided `docker-compose.yaml` can be modified to suit your needs. In a typical scenario you would incorporate it to your own Docker Compose configuration.
65 |
66 | You can start dispatcher with Docker Compose using script `dispatcher-docker-compose`
67 |
68 | Following folders are mounted from the host os to make it easier to inspect cached files and monitor log files.
69 |
70 | | Folder | |
71 | | -------------------- | ------------------------------------------------------------ |
72 | | mnt/author_docroot | Author cached files |
73 | | mnt/publish_docroot | Publish cached files |
74 | | mnt/log | Dispatcher logs |
75 |
76 | ## Checking the container's current state
77 |
78 | ```shell
79 | $ docker container ps
80 | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81 | 8c345d523ff2 dispatcher "/bin/bash /launch.sh" About a minute ago Up About a minute 80/tcp, 443/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp dispatcher
82 | ```
83 |
84 | ## Testing your AEM installation
85 |
86 | The dispatcher maps `publish.docker.local` to the local publisher instance on port 4503.
87 | Run the publisher and navigate to [http://we-retail.docker.local/content/we-retail/language-masters/en.html](http://we-retail.docker.local/content/we-retail/language-masters/en.html)
88 |
89 | ## Adapting your localhost
90 |
91 | The image is based on the configuration used by AMS. If you are planning to deploy the configuration into AMS, please make sure to also read the section on **Immutable files**.
92 |
93 | The configuration is environment agnostic. It is supposed to run as-is locally, on dev, stage and prod etc without any change. All environment specific variables are stored in a file `scripts/env.sh`.
94 |
95 | The default configuration is
96 |
97 | `author.docker.local` for the Author
98 | `publish.docker.local` for the Publisher
99 |
100 | Make sure that both are mapped in your local `/etc/hosts` file.
101 | The Dispatcher connects to the Author and Publisher through `host.docker.internal` .
102 |
103 | ```shell
104 | $ cat /etc/hosts | grep docker.local
105 | 127.0.0.1 author.docker.local
106 | 127.0.0.1 publish.docker.local
107 | 127.0.0.1 we-retail.docker.local
108 | 127.0.0.1 host.docker.internal
109 | ```
110 |
111 | # Using your own dispatcher config
112 |
113 | There are several options to use this container with your own configuration:
114 |
115 | 1. Remote web server ([dispatcher-remote](dispatcher-remote))
116 | - Copy the configuration you are working on into the container with `docker cp`
117 | - Log into the container and restart apache
118 | - A disadvantage with `docker cp` is that it only copies and does not sync the directory contents and will require manual intervention if files were deleted locally.
119 | 2. Mount a local directory ([dispatcher-mount](dispatcher-mount))
120 | - A local dispatcher project module is mounted read-only into the container at startup.
121 | - After each change, restart the current container or SIGHUP the httpd process.
122 | 3. Create a separate docker image
123 | - This is useful if you have a separate team working on multiple dispatcher configurations and you have access to a container repository to distribute pre-built images
124 |
125 | ## Remote web server
126 |
127 | ### Start dispatcher in container
128 |
129 | ```shell
130 | docker run -p 80:8080 -p 443:8443 -itd --rm --name dispatcher --env-file scripts/env.sh dispatcher
131 | ```
132 |
133 | ### Copy files to docker container
134 |
135 | ```shell
136 | cd _your_project_/dispatcher/etc/httpd
137 | docker cp . dispatcher:/etc/httpd/
138 | ```
139 |
140 | ### Connecting to the Dispatcher terminal
141 |
142 | You can run shell commands inside the dispatcher container.
143 |
144 | ```shell
145 | docker exec -it dispatcher /bin/bash
146 | ```
147 |
148 | ### Reloading the Dispatcher
149 |
150 | You can reload the dispatcher with following command:
151 |
152 | ```shell
153 | kill -HUP `cat /var/run/httpd/httpd.pid`
154 | ```
155 |
156 | ### Inspecting the logs
157 |
158 | While connected to dispatcher, you can view the logs in `/var/log/httpd`
159 |
160 | ```shell
161 | $ ll /var/log/httpd/
162 | total 36
163 | -rw-r--r-- 1 root root 14779 May 20 10:04 access_log
164 | -rw-r--r-- 1 root root 15295 May 20 10:04 dispatcher.log
165 | -rw-r--r-- 1 root root 739 May 20 10:03 error_log
166 | -rw-r--r-- 1 root root 0 May 20 10:03 healthcheck_access_log
167 | ```
168 |
169 | ## Mount a local directory
170 |
171 | ### Start Dispatcher with local folders mapped
172 |
173 | We are assuming you have your Dispatcher configuration stored in a folder "dispatcher" in your project:
174 |
175 | ```shell
176 | cd _your_project_/dispatcher
177 | mkdir logs
178 |
179 | docker run -p 80:8080 -p 443:8443 -itd --rm --name dispatcher --env-file scripts/env.sh \
180 | --mount type=bind,src=$(pwd)/src/conf,dst=/etc/httpd/conf,readonly=true \
181 | --mount type=bind,src=$(pwd)/src/conf.d,dst=/etc/httpd/conf.d,readonly=true \
182 | --mount type=bind,src=$(pwd)/src/conf.dispatcher.d,dst=/etc/httpd/conf.dispatcher.d,readonly=true \
183 | --mount type=bind,src=$(pwd)/src/conf.modules.d,dst=/etc/httpd/conf.modules.d,readonly=true \
184 | --mount type=bind,src=$(pwd)/logs,dst=/var/log/httpd \
185 | --mount type=tmpfs,dst=/tmp \
186 | dispatcher
187 | ```
188 |
189 | | Quick Reference | |
190 | | ------------------------------------------------------------ | ------------------------------------------------------------ |
191 | | --mount type=bind,src=$(pwd)/src/conf,dst=/etc/httpd/conf,readonly=true | Binds the folder `src/conf` in the host's current working directory to /etc/httpd/conf in a read-only fashion |
192 | | --mount type=tmpfs,dst=/tmp | Uses a memory based filesystem for temporary data to (slightly) improve the performance |
193 |
194 | This is a lot to type. We had to mount each folder individually, as the Dispatcher Docker image also contains the `/modules` folder in `/etc` and mounting `/etc` would make them unavailable.
195 |
196 | Alternatively, you can use the convenience script
197 |
198 | ```shell
199 | ./dispatcher-mount
200 | ```
201 |
202 | in this distribution. The script assumes that the "src/conf" folder is in the current directory and terminates with an error if it can't find it.
203 |
204 | ## Restarting the container
205 |
206 | You can restart the container by calling
207 |
208 | ```shell
209 | docker restart -t0 dispatcher
210 | ```
211 |
212 | | Quick Reference | |
213 | | --------------- | ------------------------------------------------------------ |
214 | | -t0 | Kills the container after 0 seconds and does not wait for the Apache to shut down. This is safe, as the container does not preserve any crucial data. |
215 |
216 | Or - if you are lazy - just call the shell-scripts:
217 |
218 | ```shell
219 | ./dispatcher-kill
220 | ./dispatcher-mount
221 | ```
222 |
223 | # Create your own image
224 |
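225 | You can also use this image as a base image and add your configuration on top of it with a Dockerfile similar to the one below. The `haproxy.pem` it copies is the certificate file HAProxy serves SSL with; if that file also carries the private key, the key ends up in an image layer and can be read by anyone who can pull the image, so bake in only a throwaway local certificate and mount real ones at runtime.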
226 |
227 | ```Dockerfile
228 | FROM dispatcher
229 |
230 | COPY yourproject/dispatcher/src/conf /etc/httpd
231 | COPY yourproject/dispatcher/src/conf.d /etc/httpd
232 | COPY yourproject/dispatcher/src/conf.dispatcher.d /etc/httpd
233 | COPY yourproject/dispatcher/src/conf.modules.d /etc/httpd
234 | COPY yourproject/dispatcher/cert.pem /etc/ssl/docker/haproxy.pem
235 |
236 | # Start container
237 | ENTRYPOINT ["/bin/bash","/launch.sh"]
238 | ```
239 |
240 | # Immutable files
241 |
242 | Certain files on AMS hosted dispatchers are immutable, and cannot be changed. This is achieved on filesystem level by using extended attributes. Docker does not support such functionality, which means that any changes you make to these files will be reflected in your docker image, but may not be applied on an AMS environment after deployment.
243 |
244 | Those files are:
245 |
246 | ```text
247 | /etc/httpd/conf/httpd.conf
248 | /etc/httpd/conf.d/available_vhosts/aem_author.vhost
249 | /etc/httpd/conf.d/available_vhosts/aem_publish.vhost
250 | /etc/httpd/conf.d/available_vhosts/aem_flush.vhost
251 | /etc/httpd/conf.d/available_vhosts/aem_health.vhost
252 | /etc/httpd/conf.d/available_vhosts/000_unhealthy_author.vhost
253 | /etc/httpd/conf.d/available_vhosts/000_unhealthy_publish.vhost
254 | /etc/httpd/conf.d/available_vhosts/aem_flush_author.vhost
255 | /etc/httpd/conf.d/available_vhosts/ams_lc.vhost
256 | /etc/httpd/conf.d/rewrites/base_rewrite.rules
257 | /etc/httpd/conf.d/rewrites/xforwarded_forcessl_rewrite.rules
258 | /etc/httpd/conf.d/whitelists/000_base_whitelist.rules
259 | /etc/httpd/conf.d/variables/ootb.vars
260 | /etc/httpd/conf.d/dispatcher_vhost.conf
261 | /etc/httpd/conf.d/logformat.conf
262 | /etc/httpd/conf.d/security.conf
263 | /etc/httpd/conf.d/mimetypes3d.conf
264 | /etc/httpd/conf.d/remoteip.conf
265 | /etc/httpd/conf.d/000_init_ootb_vars.conf
266 | /etc/httpd/conf.d/001_init_ams_vars.conf
267 | /etc/httpd/conf.modules.d/02-dispatcher.conf
268 | /etc/httpd/conf.dispatcher.d/available_farms/000_ams_catchall_farm.any
269 | /etc/httpd/conf.dispatcher.d/available_farms/001_ams_author_flush_farm.any
270 | /etc/httpd/conf.dispatcher.d/available_farms/001_ams_publish_flush_farm.any
271 | /etc/httpd/conf.dispatcher.d/available_farms/002_ams_author_farm.any
272 | /etc/httpd/conf.dispatcher.d/available_farms/002_ams_lc_farm.any
273 | /etc/httpd/conf.dispatcher.d/available_farms/002_ams_publish_farm.any
274 | /etc/httpd/conf.dispatcher.d/cache/ams_author_cache.any
275 | /etc/httpd/conf.dispatcher.d/cache/ams_author_invalidate_allowed.any
276 | /etc/httpd/conf.dispatcher.d/cache/ams_publish_cache.any
277 | /etc/httpd/conf.dispatcher.d/cache/ams_publish_invalidate_allowed.any
278 | /etc/httpd/conf.dispatcher.d/clientheaders/ams_author_clientheaders.any
279 | /etc/httpd/conf.dispatcher.d/clientheaders/ams_publish_clientheaders.any
280 | /etc/httpd/conf.dispatcher.d/clientheaders/ams_common_clientheaders.any
281 | /etc/httpd/conf.dispatcher.d/clientheaders/ams_lc_clientheaders.any
282 | /etc/httpd/conf.dispatcher.d/filters/ams_author_filters.any
283 | /etc/httpd/conf.dispatcher.d/filters/ams_publish_filters.any
284 | /etc/httpd/conf.dispatcher.d/filters/ams_lc_filters.any
285 | /etc/httpd/conf.dispatcher.d/renders/ams_author_renders.any
286 | /etc/httpd/conf.dispatcher.d/renders/ams_lc_renders.any
287 | /etc/httpd/conf.dispatcher.d/renders/ams_publish_renders.any
288 | /etc/httpd/conf.dispatcher.d/vhosts/ams_author_vhosts.any
289 | /etc/httpd/conf.dispatcher.d/vhosts/ams_publish_vhosts.any
290 | /etc/httpd/conf.dispatcher.d/vhosts/ams_lc_vhosts.any
291 | /etc/httpd/conf.dispatcher.d/dispatcher.any
292 | ```
293 |
294 | # Troubleshooting
295 |
296 | ## Inspecting log files
297 |
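298 | By default, the `DISP_LOG_LEVEL` is set to "4" (trace) in the file `ams_default.vars` (This setting is used in `dispatcher_vhost.conf`). Trace output is very verbose and can include details of the requests being handled, so lower the level before reusing this configuration outside a local setup.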
299 |
300 | To log into the remote dispatcher and view the log files, call
301 |
302 | ```shell
303 | ./dispatcher-login
304 | ```
305 |
306 | and navigate into `/var/log/httpd/`
307 |
308 | ```shell
309 | cd /var/log/httpd/
310 | ```
311 |
312 | > **TIP** If you mounted the logs directory, you can inspect the log files directly on your machine.
313 |
--------------------------------------------------------------------------------
/ams/2.6/etc/httpd/conf/magic:
--------------------------------------------------------------------------------
1 | # Magic data for mod_mime_magic Apache module (originally for file(1) command)
2 | # The module is described in /manual/mod/mod_mime_magic.html
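3 | # A rule match reflects only the bytes tested, so treat the resulting MIME type as a hint, not as validation of the file.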
4 | # The format is 4-5 columns:
5 | # Column #1: byte number to begin checking from, ">" indicates continuation
6 | # Column #2: type of data to match
7 | # Column #3: contents of data to match
8 | # Column #4: MIME type of result
9 | # Column #5: MIME encoding of result (optional)
10 |
11 | #------------------------------------------------------------------------------
12 | # Localstuff: file(1) magic for locally observed files
13 | # Add any locally observed files here.
14 |
15 | #------------------------------------------------------------------------------
16 | # end local stuff
17 | #------------------------------------------------------------------------------
18 |
19 | #------------------------------------------------------------------------------
20 | # Java
21 |
22 | 0 short 0xcafe
23 | >2 short 0xbabe application/java
24 |
25 | #------------------------------------------------------------------------------
26 | # audio: file(1) magic for sound formats
27 | #
28 | # from Jan Nicolai Langfeldt ,
29 | #
30 |
31 | # Sun/NeXT audio data
32 | 0 string .snd
33 | >12 belong 1 audio/basic
34 | >12 belong 2 audio/basic
35 | >12 belong 3 audio/basic
36 | >12 belong 4 audio/basic
37 | >12 belong 5 audio/basic
38 | >12 belong 6 audio/basic
39 | >12 belong 7 audio/basic
40 |
41 | >12 belong 23 audio/x-adpcm
42 |
43 | # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
44 | # that uses little-endian encoding and has a different magic number
45 | # (0x0064732E in little-endian encoding).
46 | 0 lelong 0x0064732E
47 | >12 lelong 1 audio/x-dec-basic
48 | >12 lelong 2 audio/x-dec-basic
49 | >12 lelong 3 audio/x-dec-basic
50 | >12 lelong 4 audio/x-dec-basic
51 | >12 lelong 5 audio/x-dec-basic
52 | >12 lelong 6 audio/x-dec-basic
53 | >12 lelong 7 audio/x-dec-basic
54 | # compressed (G.721 ADPCM)
55 | >12 lelong 23 audio/x-dec-adpcm
56 |
57 | # Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM"
58 | # AIFF audio data
59 | 8 string AIFF audio/x-aiff
60 | # AIFF-C audio data
61 | 8 string AIFC audio/x-aiff
62 | # IFF/8SVX audio data
63 | 8 string 8SVX audio/x-aiff
64 |
65 | # Creative Labs AUDIO stuff
66 | # Standard MIDI data
67 | 0 string MThd audio/unknown
68 | #>9 byte >0 (format %d)
69 | #>11 byte >1 using %d channels
70 | # Creative Music (CMF) data
71 | 0 string CTMF audio/unknown
72 | # SoundBlaster instrument data
73 | 0 string SBI audio/unknown
74 | # Creative Labs voice data
75 | 0 string Creative\ Voice\ File audio/unknown
76 | ## is this next line right? it came this way...
77 | #>19 byte 0x1A
78 | #>23 byte >0 - version %d
79 | #>22 byte >0 \b.%d
80 |
81 | # [GRR 950115: is this also Creative Labs? Guessing that first line
82 | # should be string instead of unknown-endian long...]
83 | #0 long 0x4e54524b MultiTrack sound data
84 | #0 string NTRK MultiTrack sound data
85 | #>4 long x - version %ld
86 |
87 | # Microsoft WAVE format (*.wav)
88 | # [GRR 950115: probably all of the shorts and longs should be leshort/lelong]
89 | # Microsoft RIFF
90 | 0 string RIFF audio/unknown
91 | # - WAVE format
92 | >8 string WAVE audio/x-wav
93 | # MPEG audio.
94 | 0 beshort&0xfff0 0xfff0 audio/mpeg
95 | # C64 SID Music files, from Linus Walleij
96 | 0 string PSID audio/prs.sid
97 |
98 | #------------------------------------------------------------------------------
99 | # c-lang: file(1) magic for C programs or various scripts
100 | #
101 |
102 | # XPM icons (Greg Roelofs, newt@uchicago.edu)
103 | # ideally should go into "images", but entries below would tag XPM as C source
104 | 0 string /*\ XPM image/x-xbm 7bit
105 |
106 | # this first will upset you if you're a PL/1 shop... (are there any left?)
107 | # in which case rm it; ascmagic will catch real C programs
108 | # C or REXX program text
109 | 0 string /* text/plain
110 | # C++ program text
111 | 0 string // text/plain
112 |
113 | #------------------------------------------------------------------------------
114 | # compress: file(1) magic for pure-compression formats (no archives)
115 | #
116 | # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc.
117 | #
118 | # Formats for various forms of compressed data
119 | # Formats for "compress" proper have been moved into "compress.c",
120 | # because it tries to uncompress it to figure out what's inside.
121 |
122 | # standard unix compress
123 | 0 string \037\235 application/octet-stream x-compress
124 |
125 | # gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver)
126 | 0 string \037\213 application/octet-stream x-gzip
127 |
128 | # According to gzip.h, this is the correct byte order for packed data.
129 | 0 string \037\036 application/octet-stream
130 | #
131 | # This magic number is byte-order-independent.
132 | #
133 | 0 short 017437 application/octet-stream
134 |
135 | # XXX - why *two* entries for "compacted data", one of which is
136 | # byte-order independent, and one of which is byte-order dependent?
137 | #
138 | # compacted data
139 | 0 short 0x1fff application/octet-stream
140 | 0 string \377\037 application/octet-stream
141 | # huf output
142 | 0 short 0145405 application/octet-stream
143 |
144 | # Squeeze and Crunch...
145 | # These numbers were gleaned from the Unix versions of the programs to
146 | # handle these formats. Note that I can only uncrunch, not crunch, and
147 | # I didn't have a crunched file handy, so the crunch number is untested.
148 | # Keith Waclena
149 | #0 leshort 0x76FF squeezed data (CP/M, DOS)
150 | #0 leshort 0x76FE crunched data (CP/M, DOS)
151 |
152 | # Freeze
153 | #0 string \037\237 Frozen file 2.1
154 | #0 string \037\236 Frozen file 1.0 (or gzip 0.5)
155 |
156 | # lzh?
157 | #0 string \037\240 LZH compressed data
158 |
159 | #------------------------------------------------------------------------------
160 | # frame: file(1) magic for FrameMaker files
161 | #
162 | # This stuff came on a FrameMaker demo tape, most of which is
163 | # copyright, but this file is "published" as witness the following:
164 | #
165 | 0 string \
177 | # and Anna Shergold
178 | #
179 | 0 string \
192 | 0 string \14 byte 12 (OS/2 1.x format)
257 | #>14 byte 64 (OS/2 2.x format)
258 | #>14 byte 40 (Windows 3.x format)
259 | #0 string IC icon
260 | #0 string PI pointer
261 | #0 string CI color icon
262 | #0 string CP color pointer
263 | #0 string BA bitmap array
264 |
265 | 0 string \x89PNG image/png
266 | 0 string FWS application/x-shockwave-flash
267 | 0 string CWS application/x-shockwave-flash
268 |
269 | #------------------------------------------------------------------------------
270 | # lisp: file(1) magic for lisp programs
271 | #
272 | # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
273 | 0 string ;; text/plain 8bit
274 | # Emacs 18 - this is always correct, but not very magical.
275 | 0 string \012( application/x-elc
276 | # Emacs 19
277 | 0 string ;ELC\023\000\000\000 application/x-elc
278 |
279 | #------------------------------------------------------------------------------
280 | # mail.news: file(1) magic for mail and news
281 | #
282 | # There are tests to ascmagic.c to cope with mail and news.
283 | 0 string Relay-Version: message/rfc822 7bit
284 | 0 string #!\ rnews message/rfc822 7bit
285 | 0 string N#!\ rnews message/rfc822 7bit
286 | 0 string Forward\ to message/rfc822 7bit
287 | 0 string Pipe\ to message/rfc822 7bit
288 | 0 string Return-Path: message/rfc822 7bit
289 | 0 string Path: message/news 8bit
290 | 0 string Xref: message/news 8bit
291 | 0 string From: message/rfc822 7bit
292 | 0 string Article message/news 8bit
293 | #------------------------------------------------------------------------------
294 | # msword: file(1) magic for MS Word files
295 | #
296 | # Contributor claims:
297 | # Reverse-engineered MS Word magic numbers
298 | #
299 |
300 | 0 string \376\067\0\043 application/msword
301 | 0 string \333\245-\0\0\0 application/msword
302 |
303 | # disable this one because it applies also to other
304 | # Office/OLE documents for which msword is not correct. See PR#2608.
305 | #0 string \320\317\021\340\241\261 application/msword
306 |
307 |
308 |
309 | #------------------------------------------------------------------------------
310 | # printer: file(1) magic for printer-formatted files
311 | #
312 |
313 | # PostScript
314 | 0 string %! application/postscript
315 | 0 string \004%! application/postscript
316 |
317 | # Acrobat
318 | # (due to clamen@cs.cmu.edu)
319 | 0 string %PDF- application/pdf
320 |
321 | #------------------------------------------------------------------------------
322 | # sc: file(1) magic for "sc" spreadsheet
323 | #
324 | 38 string Spreadsheet application/x-sc
325 |
326 | #------------------------------------------------------------------------------
327 | # tex: file(1) magic for TeX files
328 | #
329 | # XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
330 | #
331 | # From
332 |
333 | # Although we may know the offset of certain text fields in TeX DVI
334 | # and font files, we can't use them reliably because they are not
335 | # zero terminated. [but we do anyway, christos]
336 | 0 string \367\002 application/x-dvi
337 | #0 string \367\203 TeX generic font data
338 | #0 string \367\131 TeX packed font data
339 | #0 string \367\312 TeX virtual font data
340 | #0 string This\ is\ TeX, TeX transcript text
341 | #0 string This\ is\ METAFONT, METAFONT transcript text
342 |
343 | # There is no way to detect TeX Font Metric (*.tfm) files without
344 | # breaking them apart and reading the data. The following patterns
345 | # match most *.tfm files generated by METAFONT or afm2tfm.
346 | #2 string \000\021 TeX font metric data
347 | #2 string \000\022 TeX font metric data
348 | #>34 string >\0 (%s)
349 |
350 | # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com)
351 | #0 string \\input\ texinfo Texinfo source text
352 | #0 string This\ is\ Info\ file GNU Info text
353 |
354 | # correct TeX magic for Linux (and maybe more)
355 | # from Peter Tobias (tobias@server.et-inf.fho-emden.de)
356 | #
357 | 0 leshort 0x02f7 application/x-dvi
358 |
359 | # RTF - Rich Text Format
360 | 0 string {\\rtf application/rtf
361 |
362 | #------------------------------------------------------------------------------
363 | # animation: file(1) magic for animation/movie formats
364 | #
365 | # animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8)
366 | # MPEG file
367 | 0 string \000\000\001\263 video/mpeg
368 | #
369 | # The contributor claims:
370 | # I couldn't find a real magic number for these, however, this
371 | # -appears- to work. Note that it might catch other files, too,
372 | # so BE CAREFUL!
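373 | # (The two DL rules below test only the byte at offset 0, so any file that starts with byte value 1 or 2 is typed video/unknown.)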
374 | # Note that title and author appear in the two 20-byte chunks
375 | # at decimal offsets 2 and 22, respectively, but they are XOR'ed with
376 | # 255 (hex FF)! DL format SUCKS BIG ROCKS.
377 | #
378 | # DL file version 1 , medium format (160x100, 4 images/screen)
379 | 0 byte 1 video/unknown
380 | 0 byte 2 video/unknown
381 | # Quicktime video, from Linus Walleij
382 | # from Apple quicktime file format documentation.
383 | 4 string moov video/quicktime
384 | 4 string mdat video/quicktime
385 |
386 |
--------------------------------------------------------------------------------