Configurability of CDN in AEM Cloud Service
In this presentation, we will explore how to enhance the capabilities of the Adobe Managed CDN by utilizing CDN Rules and the Configuration Pipeline.
Attendees will gain insights into:
- Traffic Filtering: Learn to filter traffic to your website using Traffic Filter Rules, ensuring optimal performance and security.
- Enhanced Security: Discover how to protect your website against malicious attacks, including those outlined in the OWASP Top 10, by leveraging the Adobe Web Application Firewall (WAF).
- Proxy Requests: Understand how to use the Adobe Managed CDN to efficiently proxy requests to non-AEM origins.
- Edge Transformations: Explore methods for transforming request and response properties directly at the edge.
- Traffic Redirection: Learn techniques for redirecting traffic directly from the edge.
- Edge Authentication: Implement robust authentication mechanisms at the edge to enhance security and user experience.
Join us to unlock the full potential of the Adobe Managed CDN and elevate your website's performance, security, and flexibility.
qvecchio
AMS doesn't use AEM Managed CDN but provided CDNs (Cloudfront/FrontDoor) offer the same level of flexibility
wolf
The answer given is not an answer for this…
mpetria
Use a random URL to bypass the CDN cache and add it to ignoreUrlParams in the dispatcher so that it does not also bypass the CDN cache. You cannot bypass the CDN layer at the infrastructure layer.
Robert
Dispatcher is invalidated OOTB (based on its configuration). For example, for Akamai cache invalidation you need a custom implementation.
mpetria
You can purge the AEMaaCS OOTB CDN manually [1]. But there is no automation built in AEM to do this. [1] https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/cdn-cache-purge
Anian Weber - TechDivision
Is there a way to test and develop the CDN features somewhere (locally)? Doing trial and error on the Cloud environment doesn't seem like that good of an idea.
Tad
At least the config pipeline runs quickly (~1 min execution time) and does have RDE/dev/stage/prod that you can test on, but I haven't figured out how to test these rules locally. RDE is the best and fastest way so far.
mpetria
These are good rules for a public website https://github.com/adobe/aem-guides-wknd/blob/main/dispatcher/src/conf.d/available_vhosts/wknd.vhost#L147
puradawid
Is there a static analysis tool to check this configuration before submitting it to the repository?
mpetria
Not yet.
Tad
The default backend for Managed CDN is the AEMaaCS backend for that environment. You can set an EDS site as an alternative backend for path-based request proxying, but the default is AEM Sites/Assets.
mpetria
Actually, it is the other way around. The CDN configuration is currently available for the CDN that comes by default with AEMaaCS. However, we are also working to offer this configuration for a Managed CDN that one can put in front of EDS.
Alexander
Is there any tool to help migrate AEM dispatcher configuration to Fastly CDN configuration?
mpetria
No. We have discussed this internally and I do not think we will build such a tool.
Vugar Aghayev
Can we still configure and use the OOTB CDN (strip out query params, rate limiter, etc.) even if you bring your own CDN?
Tomasz Sobczyk
Yes, you can.
Wojtek
Where is this built-in WAF "located"?
Tomasz Sobczyk
One use case would be if you want to run edge functions: you don't have access to Fastly Compute in AEMaaCS, so the only way is to do it in your own CDN. Example: we use edge compute to enforce that users log in to see the content.
wolf
Also, comparing the WAF capabilities of this solution to e.g. Akamai's shows you how rudimentary it still is.
wolf
You also apparently get charged for the traffic routed to those external sources (see the other question) as if it was going to the AEMaaCS.
qvecchio
The WAF is running at the CDN and is based on Fastly technologies.
Barry
CDN logs are available in the Cloud Manager UI or via the aio CLI.
Tomek Niedzwiedz
Any chance of enabling Edge Side Includes in the future?
Tomasz Sobczyk
They are there already.
Tomek Niedzwiedz
Wow, must be a recent addition. Completely missed that. Thanks! https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/edge-side-includes
Tomasz Sobczyk
There are a lot of cool features that were added to the CDN setup recently. Worth checking!
Robert
Are there any plans to get feature parity with Akamai's ESI support (e.g. if/then/else, setting/reading cookies, generating random numbers)?
mpetria
> Are there any plans to get feature parity with Akamai's ESI support (e.g. if/then/else, setting/reading cookies, generating random numbers)?
Not really. The ESI support is minimal, only includes, and that is mainly because our CDN provider does not support more advanced features.
royteeuwen
What about allowing Edge Functions?
mpetria
We are actively considering this. Do you have some use cases in mind?
Dominik Suess
Just curious, do we support esi:include (Edge Side Includes)?
Tomek Niedzwiedz
Apparently, yes: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/edge-side-includes
Beo
Do you know if all of https://www.fastly.com/documentation/reference/vcl/statements/esi/ is supported?
Tomek Niedzwiedz
Alas, no. Literally just found out about it.
qvecchio
Yes, we do support ESI; we offer all features provided by Fastly.
Georg Henzler
When using external origins, do the requests to those non-AEM origins count to the "content requests" KPI of the AEM licensing?
Tad
What I was told (as of June of this year) is that in the current state of the product, requests to non-AEM backends do still indeed count toward your AEMaaCS license pageview count total.
mpetria
Yes.
mpetria
I think I was too general regarding EDS. The HTML pages do not accept query params. In general, if your origin needs some query params, just allow those.
Barry
When blocking traffic can you set a custom response HTML or will it give a technical/unbranded page?
Tomek Niedzwiedz
We ran into this too. When a security auditor typed a URL matching an old classic UI console, they got a blank HTTP 403 rather than a branded 404, which would've happened if they hit our Apache. It was cut off at the CDN level but still flagged as a vulnerability (path enumeration to find out what resources might be hidden under the hood).
qvecchio
You can use the custom error page feature to deliver a custom response when requests are blocked (or when your origin is unavailable). Ref: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/cdn-error-pages
Tomasz Sobczyk
Are there any plans to provide an online version of these dashboards which will not require downloading logs?
qvecchio
There is no plan as of today; the only possible alternative is to forward your logs to your own logging infrastructure (e.g. Splunk, but we will soon support other logging vendors).
qvecchio
The WAF is sold as an uplift of your AEMCS content request license. You can reach out to the Adobe Sales team to get more information.
Simon
Doesn't the "Cache-Control" header with the "stale-if-error" directive do the trick? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
qvecchio
Yes, it does. As Simon mentioned, it is controlled via the Cache-Control header and the property `stale-if-error`.
chrisp
Do triggered alerts just show in the logs or somewhere else?
qvecchio
Triggered alerts show up in the CDN logs as well as in Actions Center: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/actions-center
Barry
Does it still make sense to keep using the dispatcher if the CDN is more mature and a lot of config shifts to the edge?
mpetria
The obvious limitation of the CDN configuration is the size (100 KB). Also, the dispatcher will be there whether you configure it or not, at least for the foreseeable future. It is good that your content is also cached in the dispatcher, as the CDN caches are per datacenter.
mpetria
You should block bots that do not respect robots.txt.
qvecchio
I guess it depends on your use cases; the user-agent can easily be changed by the client, but official bots usually keep using the same user-agent.