apache config proxy security System Administrator Jahia 7.3 Jahia 8

List of URLs to block

Question

What is the list of URLs that might be blocked at the proxy to prevent users from accessing them?

Answer

URL   Description
/start   login page
/jahia/*   technical urls with Jahia 8
*/cms*/login*   login page
*/cms*/admin/*   administration
*/welcome/adminmode   administration
*/cms*/edit/*   edit mode
*/cms*/contribute/*   contribute mode
*/cms*/studio/*   studio mode
*/findUser*   retrieval of user
*/findUsersAndGroups*   retrieval of users and groups
*/findUsersAndGroupsInAcl*   retrieval of users and groups for a specific ACL
*/tools/*   admin tools for debugging (secured with basic HTTP authentication)
*/modules/tools   admin tools for debugging (secured with basic HTTP authentication)
*/repository/*   Webdav access to the repository
*/server/*   Webdav access to the repository

Here is a very easy way to do it on Apache HTTP Server version 2.4 using the Apache module mod_authz_host:

# secure login/admin/contrib/edit URLs from outside our network
# allowed_ip lists all authorized IPs, separated by spaces
Define allowed_ip "192.168.1.10 192.168.1.18 10.1.123.21"
<LocationMatch "^.*/(start|cms.*\/login.*|cms.*\/admin.*|welcome\/adminmode|cms.*\/edit|cms.*\/contribute.*|cms.*\/studio.*|tools|modules\/tools|repository|server)">
    Require ip ${allowed_ip}
</LocationMatch>
<LocationMatch "(findUser|findUsersAndGroups|findUsersAndGroupsInAcl)">
    Require ip ${allowed_ip}
</LocationMatch>

 

Starting from Jahia 8.0, you can also filter URLs of this kind: /jahia/*.

To do so, you can add an additional directive of this kind:


<LocationMatch "^/jahia/.*">
    Require ip ${allowed_ip}
</LocationMatch>

Here is also an example with HAProxy:

acl authorized_ips req.hdr_ip(x-forwarded-for,-1) -m ip 8.8.8.8/32
acl technical_urls path_sub -i /cms /tools /modules /administration /start /jahia /findUser /findUsersAndGroups /findUsersAndGroupsInAcl
http-request deny if technical_urls !authorized_ips
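
One way to confirm from the proxy's access log that the Apache rules above are effective, as an added example that is not part of the original article: it flags requests for the listed URLs that came from outside the allowed_ip list and were not answered with 403. The Common/Combined Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress
import re

# URL patterns copied from the table on this page (glob syntax, * = any run of characters).
BLOCKED = [
    "/start", "/jahia/*", "*/cms*/login*", "*/cms*/admin/*",
    "*/welcome/adminmode", "*/cms*/edit/*", "*/cms*/contribute/*",
    "*/cms*/studio/*", "*/findUser*", "*/findUsersAndGroups*",
    "*/findUsersAndGroupsInAcl*", "*/tools/*", "*/modules/tools",
    "*/repository/*", "*/server/*",
]
# Same addresses as the page's "Define allowed_ip" line.
ALLOWED = [ipaddress.ip_network(a)
           for a in "192.168.1.10 192.168.1.18 10.1.123.21".split()]

# Assumed log format (Common/Combined): client IP, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_blocked_path(target):
    path = target.split("?", 1)[0]  # patterns apply to the path, not the query
    return any(fnmatch.fnmatchcase(path, p) for p in BLOCKED)

def is_allowed_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as not allowed
    return any(addr in net for net in ALLOWED)

def audit(lines):
    """Return (ip, target, status) for restricted URLs served to outside clients."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        if is_blocked_path(target) and not is_allowed_ip(ip) and status != "403":
            findings.append((ip, target, int(status)))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /cms/login?redirect=/ HTTP/1.1" 403 199',
    '203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /tools/index.jsp HTTP/1.1" 401 381',
    '192.168.1.10 - - [12/Mar/2024:10:02:00 +0000] "GET /cms/edit/default/en/sites/demo/home.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Mar/2024:10:03:11 +0000] "GET /sites/demo/home.html HTTP/1.1" 200 20480',
    '198.51.100.23 - - [12/Mar/2024:10:03:40 +0000] "GET /jahia/dashboard HTTP/1.1" 200 1024',
]
```

Any entry returned by `audit()` is a request that reached a restricted URL without being rejected by the IP rule, for example a 401 from the tools' basic authentication instead of the proxy's 403.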