Merge branch 'develop'

README.md

@@ -1,7 +1,7 @@
 <img src="https://wcm.io/images/favicon-16@2x.png"/> CONGA AEM Definitions
 ======
 [![Build](https://github.com/wcm-io-devops/conga-aem-definitions/workflows/Build/badge.svg?branch=develop)](https://github.com/wcm-io-devops/conga-aem-definitions/actions?query=workflow%3ABuild+branch%3Adevelop)
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)
+[![Maven Central](https://img.shields.io/maven-central/v/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)](https://repo1.maven.org/maven2/io/wcm/devops/conga/definitions/io.wcm.devops.conga.definitions.aem)
 
 Documentation: https://devops.wcm.io/conga/definitions/aem/<br/>
 Issues: https://wcm-io.atlassian.net/projects/WDCONGA<br/>

changes.xml

@@ -23,6 +23,27 @@
     xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
   <body>
 
+    <release version="1.13.0" date="2022-10-13">
+      <action type="add" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce (optional) httpd.headers.permissionsPolicy to allow configuration of the Permissions-Policy header.
+      </action>
+      <action type="add" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce (optional) httpd.headers.featurePolicy to allow configuration of the Feature-Policy header.
+      </action>
+      <action type="add" dev="trichter">
+        Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce dispatcher.passError to allow configuration of DispatcherPassError parameter.
+      </action>
+      <action type="add" dev="trichter">
+        Role aem-dispatcher-ams, aem-dispatcher-cloud: Don't show exact Apache/Dispatcher footer.
+      </action>
+      <action type="fix" dev="trichter">
+        Role aem-dispatcher: Don't show exact Apache/Dispatcher version in Server footer.
+      </action>
+      <action type="fix" dev="trichter">
+        Role aem-dispatcher-ams, aem-dispatcher-cloud fix duplicate X-Frame-Options header.
+      </action>
+    </release>
+
     <release version="1.12.2" date="2022-05-11">
       <action type="add" dev="trichter">
         Role aem-dispatcher: Add remoteip functionality to author vhosts.

conga-aem-definitions/pom.xml

@@ -25,13 +25,13 @@
   <parent>
     <groupId>io.wcm.devops.conga.definitions</groupId>
     <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-    <version>1.12.2</version>
+    <version>1.13.0</version>
     <relativePath>../parent/pom.xml</relativePath>
   </parent>
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem</artifactId>
-  <version>1.12.2</version>
+  <version>1.13.0</version>
   <packaging>config-definition</packaging>
 
   <name>CONGA AEM Definitions</name>

conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml

@@ -277,6 +277,10 @@ config:
     headers:
       # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
       contentSecurityPolicy:
+      # Enables/Configures the Feature-Policy  header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+      featurePolicy:
+      # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+      permissionsPolicy:
       # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
       referrerPolicy: "origin-when-cross-origin"
       # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -405,6 +409,12 @@ config:
     # Name of the farm
     farmName: publishfarm
 
+    # Controls the DispatcherPassError setting
+    # 0 = spool all errors to client
+    # 1 = pass all error coded >= 400 over to apache
+    # code or code range = pass specific errors to apache
+    passError: 0
+
     # Configure dispatcher cache
     cache:
 

conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml

@@ -335,6 +335,10 @@ config:
     headers:
       # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
       contentSecurityPolicy:
+      # Enables/Configures the Feature-Policy  header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+      featurePolicy:
+      # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+      permissionsPolicy:
       # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
       referrerPolicy: "origin-when-cross-origin"
       # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -400,6 +404,12 @@ config:
     logging:
       level: Warn
 
+    # Controls the DispatcherPassError setting
+    # 0 = spool all errors to client
+    # 1 = pass all error coded >= 400 over to apache
+    # code or code range = pass specific errors to apache
+    passError: 0
+
     # Configure dispatcher cache
     cache:
 

conga-aem-definitions/src/main/roles/aem-dispatcher.yaml

@@ -305,6 +305,10 @@ config:
     headers:
       # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
       contentSecurityPolicy:
+      # Enables/Configures the Feature-Policy  header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+      featurePolicy:
+      # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+      permissionsPolicy:
       # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
       referrerPolicy: "origin-when-cross-origin"
       # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -373,6 +377,12 @@ config:
     # Defines the path for the DispatcherConfig
     configPath: dispatcher.d/dispatcher.any
 
+    # Controls the DispatcherPassError setting
+    # 0 = spool all errors to client
+    # 1 = pass all error coded >= 400 over to apache
+    # code or code range = pass specific errors to apache
+    passError: 0
+
     # Configure dispatcher cache
     cache:
 

conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs

@@ -72,7 +72,7 @@ DocumentRoot "${PUBLISH_DOCROOT}"
   # Make sure proxies don't deliver the wrong content
   Header append Vary User-Agent env=!dont-vary
   # Prevent clickjacking
-  Header always append X-Frame-Options SAMEORIGIN
+  Header always set X-Frame-Options SAMEORIGIN
 </Directory>
 <Directory "${PUBLISH_DOCROOT}">
   AllowOverride None
@@ -82,7 +82,7 @@ DocumentRoot "${PUBLISH_DOCROOT}"
   # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module
   DispatcherUseProcessedURL  On
   # Default setting to allow all errors to come from the aem instance
-  DispatcherPassError    0
+  DispatcherPassError {{dispatcher.passError}}
 </IfModule>
 <IfModule mod_rewrite.c>
   RewriteEngine  on
@@ -93,6 +93,9 @@ DocumentRoot "${PUBLISH_DOCROOT}"
 
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
+
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
 {{/block}}
 
 {{~#block "customVHostConfigBeforeSslEnforce"}}
@@ -181,6 +184,14 @@ Header edit Cache-Control "^$" "public, must-revalidate"
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"

conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs

@@ -60,13 +60,13 @@ AllowEncodedSlashes NoDecode
   # Don't compress images & videos
   SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webm|mp4)$ no-gzip dont-vary
   # Prevent clickjacking
-  Header always append X-Frame-Options SAMEORIGIN
+  Header always set X-Frame-Options SAMEORIGIN
 </Directory>
 <IfModule disp_apache2.c>
   # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module
   DispatcherUseProcessedURL  On
   # Default setting to allow all errors to come from the aem instance
-  DispatcherPassError    0
+  DispatcherPassError {{dispatcher.passError}}
 </IfModule>
 <IfModule mod_rewrite.c>
   RewriteEngine  on
@@ -75,6 +75,9 @@ AllowEncodedSlashes NoDecode
 
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
+
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
 {{/block}}
 
 
@@ -139,6 +142,14 @@ Header set Cache-Control "public, must-revalidate"
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"

conga-aem-definitions/src/main/templates/aem-dispatcher/author/vhost_author.partials.hbs

@@ -34,6 +34,9 @@ CustomLog ${APACHE_LOG_DIR}/vhost_author_access.log {{httpd.logging.accessLogFor
 
 
 {{~#block "generalSettings"}}
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
+
 # Enable rewrite engine
 RewriteEngine On
 {{/block}}

conga-aem-definitions/src/main/templates/aem-dispatcher/common/dispatcher.conf.hbs

@@ -35,7 +35,7 @@
   # be left to web server to handle, e.g.
   #
   # DispatcherPassError 400-404,501
-  DispatcherPassError 0
+  DispatcherPassError {{dispatcher.passError}}
 
   # DispatcherKeepAliveTimeout specifies the number of seconds a
   # connection to a backend should be kept alive. If not set or

conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs

@@ -47,6 +47,9 @@ CustomLog ${APACHE_LOG_DIR}/vhost_publish_{{httpd.serverName}}_access.log {{http
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
 
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
+
 # Enable rewrite engine
 RewriteEngine On
 {{/block}}
@@ -186,6 +189,14 @@ RewriteRule ^(.*)$ http://{{httpHost httpd.serverName port=httpd.serverPort}}$1
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"

example/pom.xml

@@ -32,7 +32,7 @@
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.example</artifactId>
   <packaging>config</packaging>
-  <version>1.12.2</version>
+  <version>1.13.0</version>
 
   <name>CONGA AEM Definitions Example</name>
   <description>Example environment definition.</description>
@@ -43,7 +43,7 @@
     <dependency>
       <groupId>io.wcm.devops.conga.definitions</groupId>
       <artifactId>io.wcm.devops.conga.definitions.aem</artifactId>
-      <version>1.12.2</version>
+      <version>1.13.0</version>
     </dependency>
 
   </dependencies>

example/src/main/environments/test.yaml

@@ -68,6 +68,7 @@ nodes:
           - _merge_
       dispatcher:
         configPath: /opt/apache2/dispatcher.d/dispatcher.any
+        passError: 1
         cache:
           rootPath: /var/cache/publish1
           statFilesLevel: 3
@@ -114,7 +115,10 @@ nodes:
           - _merge_
         headers:
           htmlExpirationTimeMin: 3
+          featurePolicy: "geolocation 'self' https://example.com; camera 'none';"
+          permissionsPolicy: 'geolocation=(self "https://example.com"), camera=()'
       dispatcher:
+        passError: 403,404
         cache:
           rootPath: /var/cache/publish1
           statFilesLevel: 3
@@ -161,8 +165,12 @@ nodes:
               - _merge_
           headers:
             htmlExpirationTimeMin: 6
+            featurePolicy: 'geolocation *;'
+            permissionsPolicy: 'geolocation=*'
+
         dispatcher:
           farmName: custom_farm_name
+          passError: 400-599
           cache:
             rootPath: /var/cache/publish1
             statFilesLevel: 3
@@ -278,6 +286,8 @@ tenants:
       rootRedirect.url: /de.html
       headers:
         contentSecurityPolicy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sample1.com;"
+        featurePolicy: "fullscreen 'none'; geolocation 'none';"
+        permissionsPolicy: "fullscreen=(), geolocation=()"
         xssProtection: "1; mode=block"
         referrerPolicy: "strict-origin-when-cross-origin"
         cacheControl:

parent/pom.xml

@@ -31,7 +31,7 @@
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-  <version>1.12.2</version>
+  <version>1.13.0</version>
   <packaging>pom</packaging>
 
   <name>CONGA AEM Definitions</name>

pom.xml

@@ -23,13 +23,13 @@
   <parent>
     <groupId>io.wcm.devops.conga.definitions</groupId>
     <artifactId>io.wcm.devops.conga.definitions.aem.parent</artifactId>
-    <version>1.12.2</version>
+    <version>1.13.0</version>
     <relativePath>parent/pom.xml</relativePath>
   </parent>
 
   <groupId>io.wcm.devops.conga.definitions</groupId>
   <artifactId>io.wcm.devops.conga.definitions.aem.root</artifactId>
-  <version>1.12.2</version>
+  <version>1.13.0</version>
   <packaging>pom</packaging>
 
   <name>CONGA AEM Definitions</name>

src/site/markdown/index.md

@@ -4,7 +4,7 @@ wcm.io DevOps CONfiguration GenerAtor Roles and Templates for [Adobe Experience
 
 The current version of AEM Definitions is 1.x. Guideline for migration from AEM Definitions 0.x: [Migrate from wcm.io CONGA AEM Definitions 0.x to 1.x][aem-definitions-migration]
 
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)
+[![Maven Central](https://img.shields.io/maven-central/v/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)](https://repo1.maven.org/maven2/io/wcm/devops/conga/definitions/io.wcm.devops.conga.definitions.aem)
 
 
 ### Documentation