Tags: apache, config, proxy, security, System Administrator, Jahia 7.3, Jahia 8

List of URLs to block

Question

Which URLs should be blocked at the proxy to prevent users from accessing them?

Answer

URL                          Description
/start                       login page
/jahia/*                     technical URLs (Jahia 8)
*/cms/*                      technical URLs (Jahia 8 and earlier)
*/welcome/adminmode          administration
*/findUser*                  retrieval of a user
*/findUsersAndGroups*        retrieval of users and groups
*/findUsersAndGroupsInAcl*   retrieval of users and groups for a specific ACL
*/tools/*                    admin tools for debugging (secured with basic HTTP authentication)
*/modules/tools              admin tools for debugging (secured with basic HTTP authentication)
*/repository/*               WebDAV access to the repository
*/server/*                   WebDAV access to the repository

Here is a simple way to do it on Apache HTTP Server 2.4 with the mod_authz_host module (the Require ip directive):

# Restrict login/admin/contrib/edit URLs to our own network.
# allowed_ip: authorized client IPs separated by spaces (example addresses, replace with your own)
Define allowed_ip "192.168.1.10 192.168.1.18 10.1.123.21"
# LocationMatch is a regex search on the decoded request path (query string excluded).
# "tools" already covers "modules/tools", and "cms.*" is equivalent to "cms" here.
<LocationMatch "^.*/(start|cms.*|welcome\/adminmode|tools|modules\/tools|repository|server)">
    Require ip ${allowed_ip}
</LocationMatch>
# "findUser" alone would already match the two longer names; they are listed for clarity.
<LocationMatch "(findUser|findUsersAndGroups|findUsersAndGroupsInAcl)">
    Require ip ${allowed_ip}
</LocationMatch>

Require ip compares the address Apache sees as the client, i.e. the peer of the TCP connection. If a load balancer or another proxy sits in front of Apache, every request appears to come from that proxy and the rule blocks either everyone or nobody; in that case configure mod_remoteip (RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy or RemoteIPTrustedProxy for the proxy's address) so that Require ip evaluates the real client address. Also keep in mind that these patterns are substring matches: a public page whose path contains /start or /server, for example, is restricted too, so test the rules against your site's real URLs before deploying them.


Starting from Jahia 8.0, you can also filter URLs of the form /jahia/*.

To do so, add a directive such as:


<LocationMatch "^/jahia/.*">
    Require ip ${allowed_ip}
</LocationMatch>

Here is an equivalent example for HAProxy:

# authorized_ips: client addresses allowed to reach the technical URLs.
# 8.8.8.8/32 is a placeholder; replace it with your own addresses.
# req.hdr_ip(x-forwarded-for,-1) takes the LAST address in X-Forwarded-For, which is
# only trustworthy when a proxy you control sets that header on every request;
# if HAProxy is the first hop seen by clients, use "src" instead.
acl authorized_ips req.hdr_ip(x-forwarded-for,-1) -m ip 8.8.8.8/32
# technical_urls: case-insensitive substring match on the request path
acl technical_urls path_sub -i /cms /tools /modules /administration /start /jahia /findUser /findUsersAndGroups /findUsersAndGroupsInAcl
# deny (HTTP 403 by default) when a technical URL is requested from any other address
http-request deny if technical_urls !authorized_ips

Two things to check before using this as-is. First, the substring list does not coincide with the table above: it matches any path containing /modules and includes /administration, which the table does not list, while it omits */welcome/adminmode, */repository/* and */server/*; align it with the table for your version. Second, the path fetch is evaluated on the raw, undecoded request path, so a percent-encoded character inside a path segment is not matched by these substrings; to match on the decoded path, use path,url_dec -m sub -i with the same values instead of path_sub -i.

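As an added example (it is not code from the Jahia page or the Jahia product), the following Python script transcribes both the Apache LocationMatch regexes and the HAProxy path_sub list above and evaluates candidate request targets against them, so the two rulesets can be compared and checked for over- and under-blocking before anything is deployed. The sample targets are constructed: the site names mysite and jahia-demo and the page names are hypothetical, and the probe() helper, which needs network access to a real instance, is assumed to be run from an address outside allowed_ip.

```python
"""Offline sanity check for the Jahia proxy block lists on this page.

Both rulesets are transcribed here so that a candidate path can be tested
against the Apache and HAProxy rules side by side before deployment.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

# Regexes copied from the Apache <LocationMatch> blocks on this page.
# Apache evaluates them as an unanchored search against the request path
# (URL-decoded, query string excluded), which is what re.search does below.
APACHE_LOCATION_PATTERNS = [
    re.compile(r"^.*/(start|cms.*|welcome/adminmode|tools|modules/tools|repository|server)"),
    re.compile(r"(findUser|findUsersAndGroups|findUsersAndGroupsInAcl)"),
    re.compile(r"^/jahia/.*"),  # Jahia 8.0 and later only
]

# Substrings from the HAProxy "path_sub -i" ACL on this page. HAProxy's "path"
# fetch is the raw path (not URL-decoded); "-i" makes the match case-insensitive.
HAPROXY_PATH_SUBSTRINGS = [
    "/cms", "/tools", "/modules", "/administration", "/start", "/jahia",
    "/findUser", "/findUsersAndGroups", "/findUsersAndGroupsInAcl",
]


def request_path(target: str) -> str:
    """Return the path part of a request target, dropping any query string."""
    return target.split("?", 1)[0]


def apache_restricts(target: str) -> bool:
    """True if the Apache rules above would apply 'Require ip' to this request."""
    path = urllib.parse.unquote(request_path(target))
    return any(p.search(path) for p in APACHE_LOCATION_PATTERNS)


def haproxy_restricts(target: str, decode: bool = False) -> bool:
    """True if the HAProxy 'technical_urls' ACL would match this request.

    decode=True models 'path,url_dec -m sub -i' instead of 'path_sub -i'.
    """
    path = request_path(target)
    if decode:
        path = urllib.parse.unquote(path)
    lowered = path.lower()
    return any(s.lower() in lowered for s in HAPROXY_PATH_SUBSTRINGS)


def compare_rules(targets):
    """Map each target to (apache_restricted, haproxy_restricted) for review."""
    return {t: (apache_restricts(t), haproxy_restricts(t)) for t in targets}


def probe(base_url: str, targets, timeout: float = 5.0):
    """Fetch each target from the current vantage point and return its HTTP status.

    Run this from an address that is NOT in allowed_ip: every restricted path
    should answer 403 (the default for both Require ip and http-request deny).
    Requires network access to a real instance; not used by the offline checks.
    """
    statuses = {}
    for t in targets:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + t, timeout=timeout) as r:
                statuses[t] = r.status
        except urllib.error.HTTPError as e:
            statuses[t] = e.code
    return statuses


# Constructed sample request targets: the table's technical URLs plus
# hypothetical public-site pages (site and page names are made up).
SAMPLE_TARGETS = [
    "/start",
    "/jahia/dashboard",
    "/welcome/adminmode",                # Apache only: not in the HAProxy list
    "/modules/tools",
    "/repository/default/sites",         # Apache only: not in the HAProxy list
    "/cms/render/live/en/sites/mysite/home.html",
    "/sites/mysite/home.html",           # public page: must stay reachable
    "/sites/mysite/startup-guide.html",  # public page that both rulesets over-block
    "/sites/jahia-demo/home.html",       # public page that only the HAProxy list over-blocks
    "/%63ms/render/live/en/sites/mysite/home.html",  # percent-encoded "c" in /cms
]

if __name__ == "__main__":
    for target, (apache, haproxy) in compare_rules(SAMPLE_TARGETS).items():
        print(f"{target:50} apache={apache!s:5} haproxy={haproxy!s:5} "
              f"haproxy+url_dec={haproxy_restricts(target, decode=True)}")
```

Run it once with no arguments to print the comparison table; any line where a public page is restricted, or a technical URL is restricted by only one of the two proxies, is a rule to adjust. The percent-encoded target shows why the HAProxy list should be evaluated on the decoded path: the raw substring match misses it while the Apache regex, which sees the decoded path, catches it.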
Note that installed non-Jahia modules can register additional URLs that you may also want to block; for details, consult the developers of those modules. URLs can also be renamed or created directly in the server configuration; if so, contact your server administrator. The complete list of ways a URL can be registered in Jahia is:
  • a Spring controller (custom modules)
  • the OSGi HTTP service (custom modules)
  • JAX-RS / REST (custom modules)
  • web.xml / Tomcat configuration (custom server configurations)