Merge branch 'develop'

.github/workflows/maven-build.yml

@@ -19,20 +19,20 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        java: [8, 11, 17]
+        java: [11, 17]
         os: [ubuntu-latest]
         distribution: [temurin]
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: ${{ matrix.distribution }}
           java-version: ${{ matrix.java }}
-          cache: 'maven'
+          cache: maven
 
       - name: Build and verify
         run: ./mvnw -s ./.maven-settings.xml -Pcontinuous-integration -B -U clean verify

.github/workflows/maven-deploy.yml

@@ -1,4 +1,4 @@
-# Deploy snapshots to Sonatpe OSS repository and deploy site to GitHub Pages
+# Deploy snapshots to Sonatype OSS repository and deploy site to GitHub Pages
 
 name: Deploy
 
@@ -15,19 +15,19 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Configure GIT
         run: |
           git config --global user.email "${{ secrets.GH_SITE_DEPLOY_EMAIL }}"
           git config --global user.name "${{ secrets.GH_SITE_DEPLOY_NAME }}"
 
       - name: Setup JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: temurin
-          java-version: 8
-          cache: 'maven'
+          java-version: 11
+          cache: maven
 
       - name: Build, verify, deploy, generate site
         env:

.github/workflows/release-from-tag.yml

@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: ncipollo/release-action@v1
       with:
         body: 'Changes: https://devops.wcm.io/conga/definitions/aem/changes-report.html'

README.md

@@ -4,7 +4,7 @@
 [![Maven Central](https://img.shields.io/maven-central/v/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)](https://repo1.maven.org/maven2/io/wcm/devops/conga/definitions/io.wcm.devops.conga.definitions.aem)
 
 Documentation: https://devops.wcm.io/conga/definitions/aem/<br/>
-Issues: https://wcm-io.atlassian.net/projects/WDCONGA<br/>
+Issues: https://github.com/wcm-io-devops/conga-aem-definitions/issues<br/>
 Wiki: https://wcm-io.atlassian.net/wiki/<br/>
 Continuous Integration: https://github.com/wcm-io-devops/conga-aem-definitions/actions<br/>
 Commercial support: https://wcm.io/commercial-support.html

changes.xml

@@ -23,6 +23,24 @@
     xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
   <body>
 
+    <release version="1.14.0" date="2023-01-12">
+      <action type="add" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce dispatcher.filterAppend filter list.
+      </action>
+      <action type="add" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Block form selector with a non-empty suffix on all URLs in order to fix form validator bypass issue.
+      </action>
+      <action type="update" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Move "security-related" existing deny rules e.g. to prevent content grabbing to dispatcher.filterAppend filter list.
+      </action>
+      <action type="update" dev="nbellack">
+        Role aem-dispatcher-cloud: Sync with default dispatcher configuration from Adobe project archetype 36 to 39.
+      </action>
+      <action type="update" dev="sseifert">
+        Switch to Java 11 as minimum version.
+      </action>
+    </release>
+
     <release version="1.13.0" date="2022-10-13">
       <action type="add" dev="trichter">
         Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce (optional) httpd.headers.permissionsPolicy to allow configuration of the Permissions-Policy header.

conga-aem-definitions/pom.xml

@@ -25,13 +25,13 @@
   <parent>
     <groupId>io.wcm.devops.conga.definitions</groupId>
     <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-    <version>1.13.0</version>
+    <version>1.14.0</version>
     <relativePath>../parent/pom.xml</relativePath>
   </parent>
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem</artifactId>
-  <version>1.13.0</version>
+  <version>1.14.0</version>
   <packaging>config-definition</packaging>
 
   <name>CONGA AEM Definitions</name>

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/available_vhosts/default.vhost

@@ -1,5 +1,5 @@
 #
-# This is the default publish virtualhost definition for Apache.
+# This is the default publish virtualhost definition for Apache. 
 #
 # DO NOT EDIT this file, your changes will have no impact on your deployment.
 #
@@ -23,7 +23,7 @@ Include conf.d/variables/custom.vars
 	<IfModule mod_headers.c>
 		Header add X-Vhost "publish"
 	</IfModule>
-	<Directory "${DOCROOT}">
+	<Directory />
 		<IfModule disp_apache2.c>
 			# Some items cache with the wrong mime type
 			# Use this option to use the name to auto-detect mime types when cached improperly
@@ -37,14 +37,17 @@ Include conf.d/variables/custom.vars
 		</IfModule>
 		Options FollowSymLinks
 		AllowOverride None
-		Require all granted
 		# Insert filter
 		SetOutputFilter DEFLATE
 		# Don't compress images
 		SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
 		# Prevent clickjacking
 		Header always append X-Frame-Options SAMEORIGIN
 	</Directory>
+	<Directory "${DOCROOT}">
+		AllowOverride None
+		Require all granted
+	</Directory>
 	<IfModule disp_apache2.c>
 		# Enabled to allow rewrites to take affect and not be ignored by the dispatcher module
 		DispatcherUseProcessedURL	On
@@ -57,6 +60,12 @@ Include conf.d/variables/custom.vars
 
 		# Rewrite index page internally, pass through (PT)
 		RewriteRule "^(/?)$" "/index.html" [PT]
-
 	</IfModule>
+
+    # Content Services/Sling Model Exporter: Cache for 5min with background refresh 1h on browser and 12h on CDN to avoid MISS
+    <LocationMatch "^/content/.*\.model\.json$">
+       Header set Cache-Control "max-age=300,stale-while-revalidate=3600" "expr=%{REQUEST_STATUS} < 400"
+       Header set Surrogate-Control "stale-while-revalidate=43200,stale-if-error=43200" "expr=%{REQUEST_STATUS} < 400"
+       Header set Age 0
+    </LocationMatch>
 </VirtualHost>

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/dispatcher_vhost.conf

@@ -10,6 +10,28 @@ ServerName dispatcher
 Include conf.d/variables/default.vars
 Include conf.d/variables/global.vars
 
+
+# WARNING!!! The probe paths below are INTERNAL and RESERVED - please DO NOT USE them in your virtual host configurations!
+
+# Liveness probe URL
+Alias "/system/probes/live" /etc/httpd/probes/live-status.json
+# Readiness probe URL
+Alias "/system/probes/ready" /etc/httpd/probes/ready-status.json
+# Startup probe URL
+Alias "/system/probes/start" /etc/httpd/probes/startup-status.json
+
+# internal probes endpoint
+<LocationMatch "/system/probes">
+    RewriteEngine Off
+</LocationMatch>
+
+<Directory "/etc/httpd/probes">
+    SetHandler default-handler
+    AllowOverride None
+    Require all granted
+</Directory>
+
+
 #SKYOPS-13837: Proxy static frontend code requests through dispatcher
 <IfDefine FRONTEND_SUPPORT>
     SSLProxyEngine on
@@ -32,6 +54,24 @@ Include conf.d/variables/global.vars
     </LocationMatch>
 </IfDefine>
 
+# SITES-5185 - Ensure all GraphQL Queries to production publisher are using Persistent Queries and not direct query requests
+<IfDefine ENVIRONMENT_PROD>
+    SSLProxyEngine on
+    <LocationMatch "^/content/_cq_graphql/.*/endpoint.json$">
+        RewriteCond %{ENV:ENABLE_GRAPHQL_ENDPOINT} ^$ [OR]
+        RewriteCond %{ENV:ENABLE_GRAPHQL_ENDPOINT} ^false$
+        RewriteRule ^/(.*)$ - [R=404,L]
+    </LocationMatch>
+</IfDefine>
+<IfDefine ENVIRONMENT_STAGE>
+    SSLProxyEngine on
+    <LocationMatch "^/content/_cq_graphql/.*/endpoint.json$">
+        RewriteCond %{ENV:ENABLE_GRAPHQL_ENDPOINT} ^$ [OR]
+        RewriteCond %{ENV:ENABLE_GRAPHQL_ENDPOINT} ^false$
+        RewriteRule ^/(.*)$ - [R=404,L]
+    </LocationMatch>
+</IfDefine>
+
 # If the module loads correctly then apply base settings for the module
 <IfModule disp_apache2.c>
 	# location of the configuration file. eg: 'conf/dispatcher.any'
@@ -76,12 +116,23 @@ Include conf.d/variables/global.vars
 	Header unset Age
 </IfDefine>
 
-# Allow ingressroute checks through on /systemready (regardless of dispatcher filters)
+# SITES-3659 Prevent re-encodes of URLs sent to GraphQL Persisted Queries API endpoint
+<LocationMatch "/graphql/execute.json/.*">
+    ProxyPassMatch http://${AEM_HOST}:${AEM_PORT} nocanon
+</LocationMatch>
+
+# (legacy) Allow ingressroute checks through on /systemready (regardless of dispatcher filters)
 <Location "/systemready">
 	ProxyPass http://${AEM_HOST}:${AEM_PORT}/systemready
 	RewriteEngine Off
 </Location>
 
+# new Health probe URL to legacy /systemready URL mapping
+<Location "/system/probes/health">
+	ProxyPass http://${AEM_HOST}:${AEM_PORT}/systemready
+	RewriteEngine Off
+</Location>
+
 # Allow access to CRXDE on dev environment
 <IfDefine ENVIRONMENT_DEV>
     <LocationMatch "/crx/(de|server)/">
@@ -93,20 +144,89 @@ Include conf.d/variables/global.vars
 # CQ-4287185: Allow access to magento reverse-proxy endpoint
 <IfDefine COMMERCE>
 	SSLProxyEngine on
-	<LocationMatch "/api/graphql">
-		ProxyPass        ${COMMERCE_ENDPOINT}
+	# CIF-2557 add ProxyRemote to tunnel reverse-proxy traffic through egress proxy if available
+	<IfDefine HTTP_EGRESS_PROXY>
+		ProxyRemote ${COMMERCE_ENDPOINT} "http://${AEM_HTTP_PROXY_HOST}:${AEM_HTTP_PROXY_PORT}"
+	</IfDefine>
+	<LocationMatch "/api/graphql(/default)?$">
+		# Use an empty back reference from ProxyPassMatch to the LocationMatch regex to prevent the
+		# original URL being appended to the proxy request
+		ProxyPassMatch   ${COMMERCE_ENDPOINT}$2
 		ProxyPassReverse ${COMMERCE_ENDPOINT}
-		RewriteEngine Off
+		RewriteEngine 	 Off
+	</LocationMatch>
+</IfDefine>
+<IfDefine COMMERCE_ENDPOINT_2>
+	SSLProxyEngine on
+	<IfDefine HTTP_EGRESS_PROXY>
+		ProxyRemote ${AEM_COMMERCE_ENDPOINT_2} "http://${AEM_HTTP_PROXY_HOST}:${AEM_HTTP_PROXY_PORT}"
+	</IfDefine>
+	<LocationMatch "/api/graphql/endpoint-2$">
+		ProxyPassMatch   ${AEM_COMMERCE_ENDPOINT_2}$2
+		ProxyPassReverse ${AEM_COMMERCE_ENDPOINT_2}
+		RewriteEngine 	 Off
+	</LocationMatch>
+</IfDefine>
+<IfDefine COMMERCE_ENDPOINT_3>
+	SSLProxyEngine on
+	<IfDefine HTTP_EGRESS_PROXY>
+		ProxyRemote ${AEM_COMMERCE_ENDPOINT_3} "http://${AEM_HTTP_PROXY_HOST}:${AEM_HTTP_PROXY_PORT}"
+	</IfDefine>
+	<LocationMatch "/api/graphql/endpoint-3$">
+		ProxyPassMatch	 ${AEM_COMMERCE_ENDPOINT_3}$2
+		ProxyPassReverse ${AEM_COMMERCE_ENDPOINT_3}
+		RewriteEngine 	 Off
+	</LocationMatch>
+</IfDefine>
+<IfDefine COMMERCE_ENDPOINT_4>
+	SSLProxyEngine on
+	<IfDefine HTTP_EGRESS_PROXY>
+		ProxyRemote ${AEM_COMMERCE_ENDPOINT_4} "http://${AEM_HTTP_PROXY_HOST}:${AEM_HTTP_PROXY_PORT}"
+	</IfDefine>
+	<LocationMatch "/api/graphql/endpoint-4$">
+		ProxyPassMatch	 ${AEM_COMMERCE_ENDPOINT_4}$2
+		ProxyPassReverse ${AEM_COMMERCE_ENDPOINT_4}
+		RewriteEngine 	 Off
+	</LocationMatch>
+</IfDefine>
+<IfDefine COMMERCE_ENDPOINT_5>
+	SSLProxyEngine on
+	<IfDefine HTTP_EGRESS_PROXY>
+		ProxyRemote ${AEM_COMMERCE_ENDPOINT_5} "http://${AEM_HTTP_PROXY_HOST}:${AEM_HTTP_PROXY_PORT}"
+	</IfDefine>
+	<LocationMatch "/api/graphql/endpoint-5$">
+		ProxyPassMatch	 ${AEM_COMMERCE_ENDPOINT_5}$2
+		ProxyPassReverse ${AEM_COMMERCE_ENDPOINT_5}
+		RewriteEngine 	 Off
 	</LocationMatch>
 </IfDefine>
 
+# ASSETS-10359 Prevent rewrites and filtering of Delivery API URLs
+<LocationMatch "^/adobe/dynamicmedia/deliver/.*">
+    ProxyPassMatch http://${AEM_HOST}:${AEM_PORT}
+    RewriteEngine Off
+</LocationMatch>
+
 # Disable access to default CGI scripts
 <Directory "/var/www/localhost/cgi-bin">
     AllowOverride None
     Options None
     Require all denied
 </Directory>
 
+# internal metadata endpoint
+Alias "/gitinit-status" /etc/httpd/metadata/gitinit-status.json
+
+<LocationMatch "/gitinit-status">
+    RewriteEngine Off
+</LocationMatch>
+
+<Directory "/etc/httpd/metadata">
+	SetHandler default-handler
+    AllowOverride None
+    Require expr "%{HTTP_HOST} == '${POD_NAME}'"
+</Directory>
+
 Include conf.d/enabled_vhosts/*.vhost
 
 # Create a catch-all vhost

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/enabled_vhosts/vhosts.conf

@@ -0,0 +1,2 @@
+## Include all of the customers *.vhost files
+Include conf.d/enabled_vhosts/*.vhost

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/default_rewrite.rules

@@ -37,3 +37,7 @@ RewriteRule .* - [F]
 
 # Block wp-login
 RewriteRule ^.*wp-login - [F,NC,L]
+
+# Allow caching of persisted queries
+RewriteCond %{REQUEST_URI} ^/graphql/execute.json
+RewriteRule ^/(.*)$ /$1;.json [PT,L]

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/rewrites/rewrite.rules

@@ -6,3 +6,19 @@
 # the default rewrite rules.
 
 Include conf.d/rewrites/default_rewrite.rules
+
+# rewrite for root redirect
+RewriteRule ^/?$ /content/${CONTENT_FOLDER_NAME}/${country}/${language}.html [PT,L]
+
+RewriteCond %{REQUEST_URI} !^/apps
+RewriteCond %{REQUEST_URI} !^/bin
+RewriteCond %{REQUEST_URI} !^/content
+RewriteCond %{REQUEST_URI} !^/etc
+RewriteCond %{REQUEST_URI} !^/home
+RewriteCond %{REQUEST_URI} !^/libs
+RewriteCond %{REQUEST_URI} !^/saml_login
+RewriteCond %{REQUEST_URI} !^/system
+RewriteCond %{REQUEST_URI} !^/tmp
+RewriteCond %{REQUEST_URI} !^/var
+RewriteCond %{REQUEST_URI} (.html|.jpe?g|.png|.svg)$
+RewriteRule ^/(.*)$ /content/${CONTENT_FOLDER_NAME}/$1 [PT,L]

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.d/variables/custom.vars

@@ -3,3 +3,4 @@
 #
 # By default, it is empty and does not define any variable
 #
+Define CONTENT_FOLDER_NAME ${appId}

conga-aem-definitions/src/main/resources/aem-sdk-dispatcher/src/conf.dispatcher.d/available_farms/default.farm

@@ -87,11 +87,15 @@
 		# The ignoreUrlParams section contains query string parameter names that
 		# should be ignored when determining whether some request's output can be
 		# cached or delivered from cache.
-		# In this example configuration, the "q" parameter will be ignored.
-		# /ignoreUrlParams {
-		#	/0001 { /glob "*" /type "deny" }
-		#	/0002 { /glob "q" /type "allow" }
-		# }
+		# In this example configuration, the "q" parameter will be ignored as 
+		# well as general marketing related parameters such as e.g. utm_campaign.
+		# Marketing parameters can normally be ignored on most websites as they are tracked
+		# through different means. 
+		/ignoreUrlParams {
+			/0001 { /glob "*" /type "deny" }
+		# 	/0002 { /glob "q" /type "allow" }
+		#	$include "../cache/marketing_query_parameters.any"
+		}
 
 		# Cache response headers next to a cached file. On the first request to
 		# an uncached resource, all headers matching one of the values found here