diff --git a/README.md b/README.md index 1ccec14..d036e7a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ CONGA AEM Definitions ====== [![Build](https://github.com/wcm-io-devops/conga-aem-definitions/workflows/Build/badge.svg?branch=develop)](https://github.com/wcm-io-devops/conga-aem-definitions/actions?query=workflow%3ABuild+branch%3Adevelop) -[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem) +[![Maven Central](https://img.shields.io/maven-central/v/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)](https://repo1.maven.org/maven2/io/wcm/devops/conga/definitions/io.wcm.devops.conga.definitions.aem) Documentation: https://devops.wcm.io/conga/definitions/aem/
Issues: https://wcm-io.atlassian.net/projects/WDCONGA
diff --git a/changes.xml b/changes.xml index 5cada4e..246bdd1 100644 --- a/changes.xml +++ b/changes.xml @@ -23,6 +23,27 @@ xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd"> + + + Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce (optional) httpd.headers.permissionsPolicy to allow configuration of the Permissions-Policy header. + + + Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce (optional) httpd.headers.featurePolicy to allow configuration of the Feature-Policy header. + + + Role aem-dispatcher, aem-dispatcher-ams, aem-dispatcher-cloud: Introduce dispatcher.passError to allow configuration of DispatcherPassError parameter. + + + Role aem-dispatcher-ams, aem-dispatcher-cloud: Don't show exact Apache/Dispatcher footer. + + + Role aem-dispatcher: Don't show exact Apache/Dispatcher version in Server footer. + + + Role aem-dispatcher-ams, aem-dispatcher-cloud fix duplicate X-Frame-Options header. + + + Role aem-dispatcher: Add remoteip functionality to author vhosts. diff --git a/conga-aem-definitions/pom.xml b/conga-aem-definitions/pom.xml index bb84d73..c32c4e2 100644 --- a/conga-aem-definitions/pom.xml +++ b/conga-aem-definitions/pom.xml @@ -25,13 +25,13 @@ io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem.parent - 1.12.2 + 1.13.0 ../parent/pom.xml io.wcm.devops.conga.definitions io.wcm.devops.conga.definitions.aem - 1.12.2 + 1.13.0 config-definition CONGA AEM Definitions diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml index 6fef649..6df2f92 100644 --- a/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml +++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-ams.yaml 
@@ -277,6 +277,10 @@ config:
 headers:
 # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 contentSecurityPolicy:
+ # Enables/Configures the Feature-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+ featurePolicy:
+ # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+ permissionsPolicy:
 # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
 referrerPolicy: "origin-when-cross-origin"
 # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -405,6 +409,12 @@ config:
 # Name of the farm
 farmName: publishfarm
+ # Controls the DispatcherPassError setting
+ # 0 = spool all errors to client
+ # 1 = pass all error coded >= 400 over to apache
+ # code or code range = pass specific errors to apache
+ passError: 0
+
 # Configure dispatcher cache
 cache:
diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
index d833eff..238d85b 100644
--- a/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
+++ b/conga-aem-definitions/src/main/roles/aem-dispatcher-cloud.yaml
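Review bot: The new `featurePolicy` key at the top of the hunk is documented only by a link, but Feature-Policy is the deprecated predecessor of Permissions-Policy and the two headers use different syntaxes, so an operator who copies one value into the other key ships a header browsers ignore. I would extend the comment: `# Enables/Configures the (deprecated) Feature-Policy header; superseded by Permissions-Policy and written in a different syntax (geolocation 'self' vs. geolocation=(self)), so keep both values semantically equal when both are set`. The bare `featurePolicy:` / `permissionsPolicy:` values parse as null, which follows the existing `contentSecurityPolicy:` convention and is what the vhost template's `#if` guard relies on; a `# leave empty to not send the header` note would make that explicit.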
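Review bot: The comment on the new `passError` key has a typo: `# 1 = pass all error coded >= 400 over to apache` should read `# 1 = pass all error codes >= 400 over to apache`. The vhost template substitutes the value verbatim with no fallback, so an environment that overrides the key with an empty value renders `DispatcherPassError` without an argument and httpd refuses the configuration; the comment should say the key must not be blanked. Since list and range values such as `403,404` or `400-599` are plain-scalar strings while `0`/`1` are integers, I would also show the quoted form, e.g. `# code or code range = pass specific errors to apache, e.g. "400-404,501"`.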
@@ -335,6 +335,10 @@ config:
 headers:
 # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 contentSecurityPolicy:
+ # Enables/Configures the Feature-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+ featurePolicy:
+ # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+ permissionsPolicy:
 # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
 referrerPolicy: "origin-when-cross-origin"
 # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -400,6 +404,12 @@ config:
 logging:
 level: Warn
+ # Controls the DispatcherPassError setting
+ # 0 = spool all errors to client
+ # 1 = pass all error coded >= 400 over to apache
+ # code or code range = pass specific errors to apache
+ passError: 0
+
 # Configure dispatcher cache
 cache:
diff --git a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
index 8dcb35d..06f2050 100644
--- a/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
+++ b/conga-aem-definitions/src/main/roles/aem-dispatcher.yaml
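Review bot: The `featurePolicy` and `permissionsPolicy` values introduced here are inserted verbatim between double quotes in `Header set ... "{{...}}"` by the cloud vhost template, so the comment should state that the value must be a single line without double quotes; a value containing `"` would terminate the directive unless CONGA's Handlebars escaping rewrites it, which this diff does not show. Feature-Policy is the deprecated predecessor of Permissions-Policy with a different syntax, so I would also mark it: `# Enables/Configures the (deprecated) Feature-Policy header, superseded by Permissions-Policy (different syntax)`. Both keys default to null, which the template's `#if` guards turn into "header not sent", matching the existing `contentSecurityPolicy:` convention.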
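Review bot: `passError: 0` is inserted into the vhost template with no default, so the comment block should warn that the key must stay set: an empty override renders `DispatcherPassError` with no argument. The line `# 1 = pass all error coded >= 400 over to apache` has a typo, `coded` should be `codes`. It is also worth noting in the comment that anything other than `0` makes Apache rather than AEM answer those status codes, so the matching `ErrorDocument` pages have to exist in the vhost or Apache's built-in error page is served instead.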
@@ -305,6 +305,10 @@ config:
 headers:
 # Enables/Configures the Content-Security-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 contentSecurityPolicy:
+ # Enables/Configures the Feature-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+ featurePolicy:
+ # Enables/Configures the Permissions-Policy header on publish dispatcher (see https://w3c.github.io/webappsec-permissions-policy/)
+ permissionsPolicy:
 # Enables/Configures the Referrer-Policy header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
 referrerPolicy: "origin-when-cross-origin"
 # Enables/Configures the X-XSS-Protection header on publish dispatcher (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
@@ -373,6 +377,12 @@ config:
 # Defines the path for the DispatcherConfig
 configPath: dispatcher.d/dispatcher.any
+ # Controls the DispatcherPassError setting
+ # 0 = spool all errors to client
+ # 1 = pass all error coded >= 400 over to apache
+ # code or code range = pass specific errors to apache
+ passError: 0
+
 # Configure dispatcher cache
 cache:
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs
index e1fa391..9266439 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-ams/conf.d/available_vhosts/tenant.vhost.partials.hbs
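Review bot: Both new keys are left empty, which the role relies on to mean "header not emitted" (the publish vhost template wraps each `Header set` in `#if`), but nothing in the comment says so; I would add `# (leave empty to not send the header)` to each of the two new comment lines, since the existing `contentSecurityPolicy:` entry lacks it too. Feature-Policy is deprecated in favour of Permissions-Policy and the syntaxes differ (`camera 'none'` vs. `camera=()`), so the comment should also flag that the two values have to be kept consistent by hand when both are configured, as nothing in the role checks that.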
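Review bot: The comment typo `error coded` on the second added comment line should be `error codes`, and the comment should state that the key must not be overridden with an empty value, because `dispatcher.conf.hbs` inserts it verbatim into `DispatcherPassError {{dispatcher.passError}}` with no fallback. Given that `0` and `1` parse as integers while `403,404` or `400-599` parse as strings, I would document the quoted string form for lists and ranges, e.g. `# code or code range (as string) = pass specific errors to apache, e.g. "400-404,501"`.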
@@ -72,7 +72,7 @@ DocumentRoot "${PUBLISH_DOCROOT}"
 # Make sure proxies don't deliver the wrong content
 Header append Vary User-Agent env=!dont-vary
 # Prevent clickjacking
- Header always append X-Frame-Options SAMEORIGIN
+ Header always set X-Frame-Options SAMEORIGIN
 AllowOverride None
@@ -82,7 +82,7 @@ DocumentRoot "${PUBLISH_DOCROOT}"
 # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module
 DispatcherUseProcessedURL On
 # Default setting to allow all errors to come from the aem instance
- DispatcherPassError 0
+ DispatcherPassError {{dispatcher.passError}}
 RewriteEngine on
@@ -93,6 +93,9 @@ DocumentRoot "${PUBLISH_DOCROOT}"
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
+
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
 {{/block}}
 {{~#block "customVHostConfigBeforeSslEnforce"}}
@@ -181,6 +184,14 @@ Header edit Cache-Control "^$" "public, must-revalidate"
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
index 96159d0..066e97c 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
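Review bot: Switching to `Header always set X-Frame-Options SAMEORIGIN` edits only Apache's `always` (err_headers_out) table, so if the duplicate header this fixes came from AEM's own response in the normal headers_out table, a client can still receive two X-Frame-Options values. I would verify against a rendered vhost that exactly one header comes back and, if not, put `Header unset X-Frame-Options` before the `always set` line, or set it under both conditions. The configuration section this directive sits in starts and ends outside the hunk.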
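Review bot: `DispatcherPassError {{dispatcher.passError}}` has no fallback, so a node that overrides `dispatcher.passError` with an empty value renders the directive with no argument and httpd fails its config test. I would guard it, e.g. `DispatcherPassError {{#if dispatcher.passError}}{{dispatcher.passError}}{{else}}0{{/if}}`; `0` is falsy in Handlebars, so the else branch emits the same `0` the role default produces. The unchanged comment above the line, `Default setting to allow all errors to come from the aem instance`, no longer describes what the line does and should become `# Configured via dispatcher.passError (0 = all errors come from the AEM instance)`.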
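Review bot: The new comment `# Suppress leaking the exact Apache/Dispatcher version` promises more than `ServerSignature Off` delivers: it only removes the footer line from Apache-generated pages, while the `Server:` response header keeps advertising the Apache version until `ServerTokens Prod` is set, and `ServerTokens` is valid only in the server config, so it cannot live in this vhost partial. I would reword the comment to `# Suppress the version footer on Apache-generated error pages (the Server header is controlled by ServerTokens in the server config)` and make sure the global httpd configuration the role ships sets `ServerTokens Prod`. The `{{/block}}` at the end of the hunk closes a block opened outside it.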
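Review bot: The new `Header set Feature-Policy` / `Header set Permissions-Policy` lines follow the CSP line above in omitting `always`, so they are not applied to Apache's locally generated error responses, which this same change makes Apache responsible for whenever `dispatcher.passError` is non-zero. If the policy is meant to hold for every document the vhost serves, `Header always set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"` is the safer form, applied consistently to the CSP line as well. The value is interpolated inside double quotes, so the role documentation should say it must not contain `"` or line breaks unless the template engine escapes them, which this diff does not show.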
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher-cloud/conf.d/available_vhosts/tenant.vhost.partials.hbs
@@ -60,13 +60,13 @@ AllowEncodedSlashes NoDecode
 # Don't compress images & videos
 SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webm|mp4)$ no-gzip dont-vary
 # Prevent clickjacking
- Header always append X-Frame-Options SAMEORIGIN
+ Header always set X-Frame-Options SAMEORIGIN
 # Enabled to allow rewrites to take affect and not be ignored by the dispatcher module
 DispatcherUseProcessedURL On
 # Default setting to allow all errors to come from the aem instance
- DispatcherPassError 0
+ DispatcherPassError {{dispatcher.passError}}
 RewriteEngine on
@@ -75,6 +75,9 @@ AllowEncodedSlashes NoDecode
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
+
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
 {{/block}}
@@ -139,6 +142,14 @@ Header set Cache-Control "public, must-revalidate"
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher/author/vhost_author.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher/author/vhost_author.partials.hbs
index 6cf3578..3992f95 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher/author/vhost_author.partials.hbs
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher/author/vhost_author.partials.hbs
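Review bot: `DispatcherPassError {{dispatcher.passError}}` renders an argument-less directive if a node overrides `dispatcher.passError` with an empty value, and the unchanged comment above it (`Default setting to allow all errors to come from the aem instance`) no longer describes the line; a guard such as `DispatcherPassError {{#if dispatcher.passError}}{{dispatcher.passError}}{{else}}0{{/if}}` keeps the previous `0` as fallback. On the `Header always set X-Frame-Options SAMEORIGIN` change in the same hunk: `always` edits only the err_headers_out table, so if the duplicate came from AEM's own X-Frame-Options in headers_out it may still be emitted twice; confirm on a rendered vhost and add `Header unset X-Frame-Options` if it is.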
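Review bot: `ServerSignature Off` is placed in a per-tenant vhost partial, so any vhost rendered from a different template still shows the footer, and the `Server:` header is not affected at all, which needs `ServerTokens Prod` and is valid only in the server config. I would set both once in the global httpd configuration the role ships and keep this line as a belt-and-braces measure, with the comment narrowed to `# Suppress the version footer on Apache-generated error pages`. The `{{/block}}` at the end of the hunk closes a block opened above it.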
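Review bot: The two new `Header set` directives, like the CSP one above them, omit `always`, so they are not applied to Apache's locally generated error responses; since `dispatcher.passError` now lets Apache answer error codes itself, those pages go out without Permissions-Policy/Feature-Policy. If the intent is a vhost-wide policy, `Header always set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"` is the form to use. Emitting both headers is fine for browser coverage, but the role should state that the two values must express the same policy, because nothing here checks it.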
@@ -34,6 +34,9 @@ CustomLog ${APACHE_LOG_DIR}/vhost_author_access.log {{httpd.logging.accessLogFor
 {{~#block "generalSettings"}}
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
+
 # Enable rewrite engine
 RewriteEngine On
 {{/block}}
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher/common/dispatcher.conf.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher/common/dispatcher.conf.hbs
index df8ea74..5305003 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher/common/dispatcher.conf.hbs
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher/common/dispatcher.conf.hbs
@@ -35,7 +35,7 @@
 # be left to web server to handle, e.g.
 #
 # DispatcherPassError 400-404,501
- DispatcherPassError 0
+ DispatcherPassError {{dispatcher.passError}}
 # DispatcherKeepAliveTimeout specifies the number of seconds a
 # connection to a backend should be kept alive. If not set or
diff --git a/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs b/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs
index 3bc49bf..2ff4965 100644
--- a/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs
+++ b/conga-aem-definitions/src/main/templates/aem-dispatcher/publish/vhost_publish_tenant.partials.hbs
@@ -47,6 +47,9 @@ CustomLog ${APACHE_LOG_DIR}/vhost_publish_{{httpd.serverName}}_access.log {{http
 # Do not allow RFC 2616 trace requests
 TraceEnable Off
+# Suppress leaking the exact Apache/Dispatcher version
+ServerSignature Off
+
 # Enable rewrite engine
 RewriteEngine On
 {{/block}}
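Review bot: On the author vhost `ServerSignature Off` hides only the footer of Apache-generated pages; the `Server:` response header still carries the version until `ServerTokens Prod` is set at server-config scope, so the comment `# Suppress leaking the exact Apache/Dispatcher version` overstates the effect. I would reword it to `# Hide the Apache version footer on locally generated error pages; the Server header is governed by ServerTokens` and make sure the global config the role ships sets `ServerTokens Prod`. The `generalSettings` block opens at the top of the hunk and its `{{/block}}` is the hunk's last line.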
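Review bot: The common `DispatcherPassError {{dispatcher.passError}}` has no fallback, so an environment that sets `dispatcher.passError` to an empty value renders a bare `DispatcherPassError` and httpd rejects the configuration at startup; `DispatcherPassError {{#if dispatcher.passError}}{{dispatcher.passError}}{{else}}0{{/if}}` would preserve the previous `0`. The comment block above still presents `DispatcherPassError 400-404,501` as an example to hand-edit; a line such as `# Configured via dispatcher.passError in the role/environment config` would point readers at the right place. That comment block starts outside the hunk.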
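Review bot: `ServerSignature Off` here affects only pages Apache generates itself; with the role's default `dispatcher.passError: 0` every error page is spooled from AEM, so on the publish vhost this directive mainly covers Apache's own locally generated errors and says nothing about the `Server:` header, which needs `ServerTokens Prod` in the server config. The comment `# Suppress leaking the exact Apache/Dispatcher version` should be narrowed accordingly, e.g. `# Hide the Apache version footer on locally generated error pages (the Server header is governed by ServerTokens)`. The `{{/block}}` at the end of the hunk closes a block opened outside it.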
@@ -186,6 +189,14 @@ RewriteRule ^(.*)$ http://{{httpHost httpd.serverName port=httpd.serverPort}}$1
 # Send CSP header to client
 Header set Content-Security-Policy "{{httpd.headers.contentSecurityPolicy}}"
 {{~/if}}
+{{~#if httpd.headers.featurePolicy}}
+# Send feature policy header to client
+Header set Feature-Policy "{{httpd.headers.featurePolicy}}"
+{{~/if}}
+{{~#if httpd.headers.permissionsPolicy}}
+# Send permissions policy header to client
+Header set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"
+{{~/if}}
 {{~#if httpd.headers.referrerPolicy}}
 # Send Referrer-Policy header to client
 Header set Referrer-Policy "{{httpd.headers.referrerPolicy}}"
diff --git a/example/pom.xml b/example/pom.xml
index 0b0c9f5..b96f9d8 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -32,7 +32,7 @@
 io.wcm.devops.conga.definitions
 io.wcm.devops.conga.definitions.aem.example
 config
- 1.12.2
+ 1.13.0
 CONGA AEM Definitions Example
 Example environment definition.
@@ -43,7 +43,7 @@
 io.wcm.devops.conga.definitions
 io.wcm.devops.conga.definitions.aem
- 1.12.2
+ 1.13.0
diff --git a/example/src/main/environments/test.yaml b/example/src/main/environments/test.yaml
index e3c8d87..302674f 100644
--- a/example/src/main/environments/test.yaml
+++ b/example/src/main/environments/test.yaml
@@ -68,6 +68,7 @@ nodes:
 - _merge_
 dispatcher:
 configPath: /opt/apache2/dispatcher.d/dispatcher.any
+ passError: 1
 cache:
 rootPath: /var/cache/publish1
 statFilesLevel: 3
@@ -114,7 +115,10 @@ nodes:
 - _merge_
 headers:
 htmlExpirationTimeMin: 3
+ featurePolicy: "geolocation 'self' https://example.com; camera 'none';"
+ permissionsPolicy: 'geolocation=(self "https://example.com"), camera=()'
 dispatcher:
+ passError: 403,404
 cache:
 rootPath: /var/cache/publish1
 statFilesLevel: 3
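Review bot: The added `Header set Feature-Policy` / `Header set Permissions-Policy` lines copy the CSP pattern without `always`, so Apache's locally generated error responses are sent without them; `Header always set Permissions-Policy "{{httpd.headers.permissionsPolicy}}"` is the form to use if the policy is meant to cover every response of the vhost. The values are interpolated inside double quotes, so the role should document that they must be single-line and free of `"`, unless the template engine escapes them, which this diff does not show. The `#if` guards correctly skip the header when the role's empty default is left in place.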
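Review bot: `passError: 1` on this node hands every response with status >= 400 to Apache instead of AEM, which means AEM's own error pages are no longer shown and Apache's built-in error page (or whatever `ErrorDocument` the vhost defines) is returned; for an example environment I would add a trailing comment, e.g. `passError: 1  # Apache answers all >= 400 responses; AEM error pages are not served`. That mode is also what makes the new `ServerSignature Off` in the vhost templates matter, since the footer would otherwise appear on those pages.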
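Review bot: `passError: 403,404` is a plain-scalar string while `passError: 1` on the sibling node is an integer; both render identically into `DispatcherPassError`, but quoting the list and range forms (`passError: "403,404"`) makes the type explicit and matches the quoted style of the `featurePolicy`/`permissionsPolicy` values just above. The Feature-Policy and Permissions-Policy values here express the same policy in the two syntaxes, which is the right way to set both; a short comment saying they must be kept in sync would help readers who copy this example.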
@@ -161,8 +165,12 @@ nodes:
 - _merge_
 headers:
 htmlExpirationTimeMin: 6
+ featurePolicy: 'geolocation *;'
+ permissionsPolicy: 'geolocation=*'
+
 dispatcher:
 farmName: custom_farm_name
+ passError: 400-599
 cache:
 rootPath: /var/cache/publish1
 statFilesLevel: 3
@@ -278,6 +286,8 @@ tenants:
 rootRedirect.url: /de.html
 headers:
 contentSecurityPolicy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sample1.com;"
+ featurePolicy: "fullscreen 'none'; geolocation 'none';"
+ permissionsPolicy: "fullscreen=(), geolocation=()"
 xssProtection: "1; mode=block"
 referrerPolicy: "strict-origin-when-cross-origin"
 cacheControl:
diff --git a/parent/pom.xml b/parent/pom.xml
index 3849548..7239867 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -31,7 +31,7 @@
 io.wcm.devops.conga.definitions
 io.wcm.devops.conga.definitions.aem.parent
- 1.12.2
+ 1.13.0
 pom
 CONGA AEM Definitions
diff --git a/pom.xml b/pom.xml
index b13d4b8..ed9db8b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,13 +23,13 @@
 io.wcm.devops.conga.definitions
 io.wcm.devops.conga.definitions.aem.parent
- 1.12.2
+ 1.13.0
 parent/pom.xml
 io.wcm.devops.conga.definitions
 io.wcm.devops.conga.definitions.aem.root
- 1.12.2
+ 1.13.0
 pom
 CONGA AEM Definitions
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md
index 695207e..caec5a0 100644
--- a/src/site/markdown/index.md
+++ b/src/site/markdown/index.md
@@ -4,7 +4,7 @@ wcm.io DevOps CONfiguration GenerAtor Roles and Templates for [Adobe Experience The current version of AEM Definitions is 1.x. Guideline for migration from AEM Definitions 0.x: [Migrate from wcm.io CONGA AEM Definitions 0.x to 1.x][aem-definitions-migration] -[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem) +[![Maven Central](https://img.shields.io/maven-central/v/io.wcm.devops.conga.definitions/io.wcm.devops.conga.definitions.aem)](https://repo1.maven.org/maven2/io/wcm/devops/conga/definitions/io.wcm.devops.conga.definitions.aem) ### Documentation