Posts

Secure Apache from Clickjacking

In this post, I will explain an important Apache2 configuration, this configuration is used to stop clickjacking. I got to know about clickjacking when I was working with security checklist in AEM.

Q1. What is clickjacking?
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link to another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. If it is still not clear to you then I am attaching a video URL that will explain it in a much better way.

Q2. How to stop clickjacking in the AEM using Apache2 Server?
There is a header configuration named as X-Frame-Options, using this configuration, you can stop the clickjacking.

Q3. What is the syntax of this configuration?
Header set X-Frame-Options: “sameorigin”

Q4. Where do we find this configuration?
In Apache2.4 you have a security.conf file in conf-available directory. In this file, search for X-Frame-Options, it is already present there but commented by default. Now you have two options.
  1. Uncomment this setting and restart your Apache2 server. 
  2. Copy and paste this setting in apche2.conf file, uncomment it, and restart your Apache server.

In my case, I copied and pasted this setting in apche2.conf file, uncommented it and restarted my Apche2 server.

Q5. Apache Server is throwing error when restarting after this configuration?
It may be possible that you will get an error  at the time of starting the Apache2 server, after adding this configuration, the reason is, this configuration requires mod_headers.so module enabled, which is by default disabled. So enable mod_headers.so module and your Apache server will start running successfully.

Q6. How to enable Headers.mod in Apache2 server?
For enabling this module you have a headers.load file present in mods-available directory in your Apache2 server. In my case, it is present at /etc/apche2/mods-available. Just do one thing, create a softlink in your mods-enabled folder. If you are an Ubuntu user execute this command-

Now you will see this soft link in your mods-enabled folder. Restart your Apache2 Server.

Q7. How to check whether it’s working or not?
After restarting your Apache2 server, just hit a non cached page via Apache2 Server. Open debugger and check the response header. You will  see X-Frame-Options header field, as shown below

If you get this option on your page it means your configuration is working.

Happy Coding..!!

Ankur Chauhan
Tech Lead.

AEM Dispatcher Setup for Linux

Installing dispatcher for AEM in Apache Web-server in Linux may get little tricky, as documentation provided by Adobe on Installation of Dispatcher in Linux is not sufficient, and if we take it in analogy and try doing same way we do in Windows, then we face some issues locating the appropriate files.

Prerequisites for Dispatcher Setup

  • Apache 2.2 web-server – In Ubuntu 12.0 and higher, Apache 2.2 web-server is pre-installed, but in case it is not there, you can find the installation instructions here.
  • Dispatcher Module – Appropriate dispatcher module can be downloaded from Adobe Package Share.

Installation Instructions

  1. Considering Apache web-server is already setup in system, go ahead and extract dispatcher module using following command:
  2. Once you have extracted the files, now you have to move the appropriate files to their respective apt path.
  3. Move “dispatcher-apache2.x-4.1.x.so” to “/usr/lib/apache2/modules”. There you will find all the modules already being loaded by apache 2 webserver.
  4. Adobe recommends to give a soft name to your dispatcher module, but you don’t need it as once setup is done, you will be hardly using it again.
  5. Now go ahead and create a folder conf under “/etc/apache2/”, and move “dispatcher.any” file under this folder. Make sure that you don’t move your dispatcher.any file to ‘conf.d’ folder which is already present.
  6. Now is the time to edit and map module file that you added and map the dispatcher.any file. Go ahead and edit apache2.conf file present under “etc/apache2/”.
  7. Scroll to the end, put some nice comments about you adding some new configs, and add following:

     
  8. Also add the following config to the end of apache2.conf file, which loads the dispatcher in web-server.

     
  9. Comments given above are self explanatory but, you can still go and edit configs if needed as per following descriptions:
    • DispatcherConfig: Location and name of the configuration file (Can be given as an absolute or relative path)
    • DispatcherLog: Location and name of the log file (Can be given as an absolute or relative path)
    • DispatcherLogLevel: Log level for the log file
    • DispatcherNoServerHeader: Whether to use the Apache or CQ server header
    • DispatcherDeclineRoot: Defines whether to decline requests to the root “/”
    • DispatcherUseProcessedURL: Defines whether to use the original request URL or to use one already processed by other handlers (ie: mod_rewrite)
      • Note: This is essential for rewriting incoming links (stripping away the ‘content/{site_name}’)
    • DispatcherPassError: Defines whether CQ or Apache will handle HTTP 40x error codes
    • SetHandler (Apache parameter): Forces all matching files to be processed by a handler
  10. Make sure, that path that is provided for load module, matches with the path where you placed your dispatcher module. Also match the name and version of dispatcher module, and change the config as required.
  11. Now configure dispatcher.any file. Edit /renders section in dispatcher.any.

     

    By default you may find port set to 8000 or 8080, change it to 80.
    Give whatever soft-name you want to give to your cache folder in place of “cqcache”

  12. Restart the apache server to let webserver take effect. You can restart apache server by using following command:

     

  13. Once server is restarted and you get [OK] message, go and check /var/log/apache2/dispatcher.log file. If it says dispatcher initialized with correct cache path, it means dispatcher is successfully setup and ready to be used.

Now you just need to configure your CQ replication agent, and point dispatcher flush agents to correct port.

 

I tested this today itself i.e. 14th Oct 2013 on Ubuntu 13 64 bit debian based OS. It worked like wonder for me. Please post your comments and queries if you have any issues with it, and also if there are better ways to do it. Cheeeerz.