Restricting AEM Dispatcher Access in Lower Environments
AEM's dispatcher is not restricted and is publicly accessible by default. While unrestricted access is suitable for production environments, it's recommended to restrict access in lower environments such as dev and stage to your organization or specific users. This can be achieved through IP Allow Lists or Basic Authentication.
Restricting through IP Allow Lists
To configure IP Allow Lists for AEM Dispatcher, the Require directive (provided by the mod_authz_host module) can be utilized to allow access based on either individual IP addresses or CIDR blocks.
conf.d / allowlists / 001_client_allowlist.rules
<RequireAny>
    # Ensure that the AllowIP environment variable is enforced
    Require env AllowIP
    # Define rules for CIDR IP blocks and individual addresses
    Require ip 192.150.16.0/23
    Require ip 120.242.180.10
</RequireAny>
After configuring the IP allow list, it's necessary to include the allowlist rules into the site vhost file to restrict access. This can be toggled on or off using a variable such as PUBLISH_ALLOWLIST_ENABLED. In lower environments, ensure that value is set to 1, while in production environments, it should be set to 0.
conf.d / aem-demo.vhost
<If "${PUBLISH_ALLOWLIST_ENABLED} == 1">
    Include conf.d/allowlists/*_allowlist.rules
</If>
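To see what the allowlist above actually admits, here is an added Python example (not part of the article or of the AEM dispatcher SDK) that parses the Require ip lines from the rules file and evaluates a few constructed client addresses against them. The rules text is a copy of the block above embedded inline; the client addresses are made up for the test.

```python
import ipaddress

# Constructed copy of the allowlist rules from the article, embedded so this runs offline
ALLOWLIST_RULES = """\
<RequireAny>
    # Ensure that the AllowIP environment variable is enforced
    Require env AllowIP
    # Define rules for CIDR IP blocks and individual addresses
    Require ip 192.150.16.0/23
    Require ip 120.242.180.10
</RequireAny>
"""


def parse_require_ip(rules_text):
    """Collect the networks named by 'Require ip' lines.

    Other Require types (env, user, ...) are ignored here. Apache also accepts
    partial dotted addresses such as '192.150'; those are not handled.
    """
    networks = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "require" and parts[1].lower() == "ip":
            for entry in parts[2:]:
                # A bare address becomes a single-host network (/32 or /128)
                networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip, networks):
    """True if the client address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def evaluate(rules_text, client_ips):
    """Map each client address to the allow/deny decision of the rules."""
    nets = parse_require_ip(rules_text)
    return {ip: is_allowed(ip, nets) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample clients: the /23 spans 192.150.16.0 through 192.150.17.255
    for ip, ok in evaluate(ALLOWLIST_RULES,
                           ["192.150.16.1", "192.150.17.255", "192.150.18.1",
                            "120.242.180.10", "120.242.180.11", "10.0.0.1"]).items():
        print(f"{ip:>16}  {'allow' if ok else 'deny'}")
```

Two points worth keeping in mind when reading the output. First, Require ip compares against the TCP peer address that Apache sees; if the dispatcher sits behind a load balancer or CDN, that is the proxy's address unless mod_remoteip (or an equivalent) has been configured to restore the real client address, and the allowlist will then behave unexpectedly. Second, the Require env AllowIP line that this example ignores is an independent branch of the RequireAny: whatever sets that environment variable earlier in the request (for example a SetEnvIf rule) is effectively part of the allowlist and should be reviewed with it.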
Restricting through Basic Authentication
Basic authentication can be set up to authorize individual users, groups with multiple users, or any valid user. With this approach, users can access the site from anywhere, but valid credentials are required for access.
To grant access to an individual user, create a user account and require that particular user. For group permissions, create accounts for the users and assign them to a group; access is then granted to the group as a whole.
First, create a password file, typically using the htpasswd utility provided by Apache. Place this file in a location not accessible from the web, such as /etc/httpd/.htpasswd.
etc / httpd
# -c creates the file on first use; omit it when adding further users so existing entries are kept
htpasswd -c /etc/httpd/.htpasswd sabuj
New password: ********
Re-type new password: ********
Adding password for user sabuj
Upon execution, htpasswd prompts you to enter and confirm the password for the designated user. The hashed password is then saved in the file, formatted as username:hashedpassword.
etc / httpd / .htpasswd
sabuj:$apr1$yrc1aAF/$KPgwnCKCpLOiLBL.ZJju/0
Next, configure the virtual host to reference the password file and specify which users are allowed access.
conf.d / available_vhosts / domain.vhost
<Directory "${PUBLISH_DOCROOT}">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/.htpasswd
    Require user sabuj
</Directory>
Instead of specifying a particular user such as "sabuj", you can allow anyone listed in the password file by using Require valid-user. This directive grants access to any user who enters the correct password. To allow a group of users, create a group file that maps each group name to the list of users in that group. The format of this file is straightforward and it can be created with any text editor.
etc / httpd / groups
GroupName: user1 user2 user3
After creating the group file, you'll need to update the vhost configuration to specify the group name to allow access. With this configuration, anyone listed in the group "GroupName" and with an entry in the password file will be granted access if they enter the correct password.
conf.d / available_vhosts / domain.vhost
<Directory "${PUBLISH_DOCROOT}">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/.htpasswd
    AuthGroupFile /etc/httpd/groups
    Require group GroupName
</Directory>
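The following added Python example (not part of the article, and not Apache's own code) ties the basic-authentication section together: it implements the $apr1$ hash that htpasswd -m writes (the format of the .htpasswd line shown above), parses a constructed .htpasswd and group file, and then reproduces the decision Apache makes for Require user, Require valid-user and Require group. The user names, passwords, salts and group names in the sample data are made up for the example; the apr1 algorithm itself follows apr_md5_encode from the Apache Portable Runtime.

```python
import hashlib
import secrets

# crypt(3) alphabet used by apr1 for salts and for encoding the digest
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt-style base64: emit 'count' characters, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password, salt):
    """Return '$apr1$<salt>$<hash>', the format produced by 'htpasswd -m'."""
    pw, salt, magic = password.encode(), salt.encode()[:8], b"$apr1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in 'alt' once per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 stretching rounds, as in apr_md5_encode
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def verify_apr1(password, stored):
    """Constant-time comparison of a password against a stored $apr1$ entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)


def htpasswd_entry(user, password):
    """Equivalent of 'htpasswd -m user': random 8-character salt from the crypt alphabet."""
    salt = "".join(chr(secrets.choice(ITOA64)) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def parse_htpasswd(text):
    """'user:hash' per line -> {user: hash}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user.strip()] = stored.strip()
    return users


def parse_groups(text):
    """'group: user1 user2' per line (the AuthGroupFile format) -> {group: {users}}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def authorize(require, user, password, users, groups):
    """Decide a 'user ...', 'valid-user' or 'group ...' Require line for one request."""
    stored = users.get(user)
    if stored is None or not verify_apr1(password, stored):
        return False                          # authentication fails before authorization is considered
    kind, _, args = require.partition(" ")
    names = args.split()
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":                       # group member AND present in the password file
        return any(user in groups.get(g, set()) for g in names)
    return False


# Constructed sample files for this example (salts and passwords are invented, not the article's)
SAMPLE_HTPASSWD = "\n".join([
    "sabuj:" + apr1_md5("sabuj-example-pw", "Xy12ab/."),
    "alice:" + apr1_md5("alice-example-pw", "abcdefgh"),
])
SAMPLE_GROUPS = "editors: sabuj alice\nops: alice carol\n"
```

Note that carol is listed in the ops group but has no entry in the password file, so Require group ops still denies her: the group file only adds an authorization condition on top of a successful password check. The apr1 hash is MD5-based and fast; htpasswd -B writes bcrypt instead, which is the better choice when the credentials protect anything more than a staging site.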