Re: Restricting sling health checks

2017-08-21 Thread Oliver Lietz 
On Monday 21 August 2017 15:06:19 Robert Munteanu wrote:
> Hi Andrei,
> 
> On Mon, 2017-08-21 at 11:55 +, Andrei Kalfas wrote:
> > Hi,
> > 
> > Well, as far as I can tell, out of the box that URL can be called
> > from anywhere. Thing is that I don’t quite care what would be the
> > means to restrict access to the health check url as long as I don’t
> > have to configure proxies.
> 
> I don't think you have something like that in Sling.

You can use Sling URL Rewriter (contrib/extensions/urlrewriter) to deny access 
to those URLs.

Regards,
O.

> It's a good idea to restrict access to the whole /system when running
> Sling apps. In the AEM world you would use the dispatcher. In the Sling
> world, ... well anything else than the dispatcher :-)
> 
> Hope this helps,
> 
> Robert

Re: Restricting sling health checks

2017-08-21 Thread Bertrand Delacretaz 
On Mon, Aug 21, 2017 at 2:06 PM, Robert Munteanu  wrote:
>>..I don’t quite care what would be the
>> means to restrict access to the health check url as long as I don’t
>> have to configure proxies

If you really want to restrict access with Sling itself, I suppose you
could implement your own Filter.

-Bertrand

Re: Restricting sling health checks

2017-08-21 Thread Andrei Kalfas 
Thank you !
Andrei

> On Aug 21, 2017, at 3:06 PM, Robert Munteanu  wrote:
> 
> Hi Andrei,
> 
> On Mon, 2017-08-21 at 11:55 +, Andrei Kalfas wrote:
>> Hi,
>> 
>> Well, as far as I can tell, out of the box that URL can be called
>> from anywhere. Thing is that I don’t quite care what would be the
>> means to restrict access to the health check url as long as I don’t
>> have to configure proxies. 
> 
> 
> I don't think you have something like that in Sling.
> 
> It's a good idea to restrict access to the whole /system when running
> Sling apps. In the AEM world you would use the dispatcher. In the Sling
> world, ... well anything else than the dispatcher :-)
> 
> Hope this helps,
> 
> Robert



smime.p7s
Description: S/MIME cryptographic signature

Re: Restricting sling health checks

2017-08-21 Thread Robert Munteanu 
Hi Andrei,

On Mon, 2017-08-21 at 11:55 +, Andrei Kalfas wrote:
> Hi,
> 
> Well, as far as I can tell, out of the box that URL can be called
> from anywhere. Thing is that I don’t quite care what would be the
> means to restrict access to the health check url as long as I don’t
> have to configure proxies. 


I don't think you have something like that in Sling.

It's a good idea to restrict access to the whole /system when running
Sling apps. In the AEM world you would use the dispatcher. In the Sling
world, ... well anything else than the dispatcher :-)

Hope this helps,

Robert

Re: Restricting sling health checks

2017-08-21 Thread Andrei Kalfas 
Hi,

Well, as far as I can tell, out of the box that URL can be called from 
anywhere. Thing is that I don’t quite care what would be the means to restrict 
access to the health check url as long as I don’t have to configure proxies. 

Thanks,
Andrei


> On Aug 21, 2017, at 2:46 PM, Nicolas Peltier  
> wrote:
> 
> Hi,
> 
> wouldn't you already have that restriction on an operation level for
> all /system/* URIs ?
> 
> Nicolas
> 
> 2017-08-21 13:10 GMT+02:00 Andrei Kalfas :
>> Hi,
>> 
>> I’m reading about sling health checks [1] and I was wondering if there is a
>> built in capability to restrict the IPs that are allowed to call the health
>> check url exposed by the health check servlet.
>> 
>> More specifically what I would like to achieve: once I’ve configured the
>> health check servlet to respond on /system/health I would like to be able to
>> restrict which IPs are may call that, given that I would use this to check
>> when AEM is up from 2 places, from a script running on the local machine and
>> from different load balancers so whitelisting something like
>> [127.0.0.1/32,10.0.0.0/16].
>> 
>> [1]
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsling.apache.org%2Fdocumentation%2Fbundles%2Fsling-health-check-tool.html=02%7C01%7C%7Cd7896567df8d4a33488c08d4e88a4d53%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636389128078835407=FEB%2BMd2ycAIXYvIwqCP3RYCnkMVVXS8eOXS%2Bqu%2FqxTc%3D=0
>> 
>> Thank you,
>> Andrei
>> 



smime.p7s
Description: S/MIME cryptographic signature

Re: Restricting sling health checks

2017-08-21 Thread Nicolas Peltier 
Hi,

wouldn't you already have that restriction on an operation level for
all /system/* URIs ?

Nicolas

2017-08-21 13:10 GMT+02:00 Andrei Kalfas :
> Hi,
>
> I’m reading about sling health checks [1] and I was wondering if there is a
> built in capability to restrict the IPs that are allowed to call the health
> check url exposed by the health check servlet.
>
> More specifically what I would like to achieve: once I’ve configured the
> health check servlet to respond on /system/health I would like to be able to
> restrict which IPs are may call that, given that I would use this to check
> when AEM is up from 2 places, from a script running on the local machine and
> from different load balancers so whitelisting something like
> [127.0.0.1/32,10.0.0.0/16].
>
> [1]
> https://sling.apache.org/documentation/bundles/sling-health-check-tool.html
>
> Thank you,
> Andrei
>

Restricting sling health checks

2017-08-21 Thread Andrei Kalfas 
Hi,

I’m reading about sling health checks [1] and I was wondering if there is a 
built in capability to restrict the IPs that are allowed to call the health 
check url exposed by the health check servlet.

More specifically what I would like to achieve: once I’ve configured the health 
check servlet to respond on /system/health I would like to be able to restrict 
which IPs are may call that, given that I would use this to check when AEM is 
up from 2 places, from a script running on the local machine and from different 
load balancers so whitelisting something like [127.0.0.1/32,10.0.0.0/16]. 

[1] https://sling.apache.org/documentation/bundles/sling-health-check-tool.html 


Thank you,
Andrei



smime.p7s
Description: S/MIME cryptographic signature