Dispatcher Protects Adobe Experience Manager

The Dispatcher secures your website by restricting URLs. It is the last line of defense in an Adobe Experience Manager setup. It can restrict access from the outside to URLs that are still needed from within, which gives a publish server this sort of dual-mode access. It prevents denial of service attacks by caching content. By blocking bad requests and caching good ones, it helps keep the bad guys at bay.

The best way to secure Dispatcher is to deny access to everything and then allow what is needed by the customer. Make the deny rules as broad as possible and the allow rules as specific as possible.

Since version 4.1.5, Dispatcher can be configured to filter by query values. This is powerful: Dispatcher can allow only requests with specific parameters. Below is an example that denies all GET requests for any content, except for content in the /etc/ directory that is requested with the a query parameter.

/filter {
    # Broad deny rules first
    /0001 { /type "deny" /method "GET" /url "/*" }
    /0002 { /type "deny" /method "POST" /url "/*" }
    # Specific allow rule: GET under /etc/ with the "a" query parameter
    /0003 { /type "allow" /method "GET" /url "/etc/*" /query "a=*" }
}
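
To check what the rules above let through before deploying them, the following added example (not code from this post or from Adobe) models the filter section in Python and runs constructed requests against it. It assumes the last matching rule decides, that a rule with /query matches only requests carrying a query string, and it approximates Dispatcher's glob matching with Python's fnmatch; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# The filter section above, transcribed as (type, method, url glob, query glob).
RULES = [
    ("deny",  "GET",  "/*",     None),
    ("deny",  "POST", "/*",     None),
    ("allow", "GET",  "/etc/*", "a=*"),
]

def rule_matches(rule, method, path, query):
    """True when every property set on the rule matches the request."""
    _, r_method, r_url, r_query = rule
    if r_method != method or not fnmatchcase(path, r_url):
        return False
    if r_query is not None:
        # Assumption: a /query rule never matches a request without a query string.
        return bool(query) and fnmatchcase(query, r_query)
    return True

def decide(method, url, rules=RULES):
    """Return 'allow' or 'deny' from the last matching rule, or 'unmatched'
    when no rule applies (what Dispatcher does then is not modelled here)."""
    path, _, query = url.partition("?")
    verdict = "unmatched"
    for rule in rules:
        if rule_matches(rule, method, path, query):
            verdict = rule[0]  # later rules override earlier ones
    return verdict

# Constructed sample requests, not taken from real traffic.
SAMPLES = [
    ("GET",  "/etc/designs/site.css?a=1"),   # specific allow applies
    ("GET",  "/etc/designs/site.css"),       # no query string: stays denied
    ("GET",  "/etc/designs/site.css?b=2"),   # wrong parameter: stays denied
    ("GET",  "/content/page.html?a=1"),      # right parameter, wrong path
    ("POST", "/etc/designs/site.css?a=1"),   # allow rule is GET only
    ("HEAD", "/content/page.html"),          # neither deny rule names HEAD
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(f"{decide(method, url):9} {method:4} {url}")
```

The HEAD sample comes back as unmatched because both deny rules name a method, which shows where a deny rule without /method would make the baseline broader.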

Andrew Khoury created a presentation for securing Dispatcher when used with CDNs. It is a good overview of the security that can be configured into the Dispatcher. As an irrelevant side note, I like the illustrations of the wolf and the Three Little Pigs he uses. This presentation is part of a webinar that explains some of the new features of Dispatcher in version 4.1.9 that were not in version 4.1.0.

He also created a webinar on the subject of configuring Dispatcher. His samples from that webinar can be found at GitHub. A recording of the webinar is available via Adobe Connect.