FAQs

This page answers some of the most frequently asked questions (FAQs) about DX Cloud. It is split into the following high-level sections:

Content delivery and site access

How do I cache URLs with parameters?

Expand for answer

By default, Magnolia does not cache URLs with parameters, unlike Fastly, which caches them automatically. If you inspect the response headers, you may see a Cache-Control directive like:

no-cache, no-store, must-revalidate, max-age=0, private (1)
1 This indicates that Magnolia is instructing browsers and proxies not to cache the page.

To allow Magnolia to cache product URLs with query parameters, you need to whitelist the parameters explicitly. You can do this by modifying Magnolia’s cache configuration.

Follow these steps:

  1. Locate your cache configuration file.

    This is usually under cache/configuration/contentCaching/defaultPageCache/cachePolicy/shouldBypassVoters/deny/parameters/whitelist in your Magnolia instance.

  2. Whitelist the necessary parameters. You must specify which URL parameters should be considered cacheable.

    Example configuration
    cache:
  config:
    contentCaching:
      defaultPageCache:
        cachePolicy:
          shouldBypassVoters:
            deny:
              parameters:
                whitelist:
                  productId: ^\d+$ (1)
                  category: ^\w+$ (2)
    1 Example that allows caching for productId parameters that are numeric.
    2 Example that allows caching for category parameters that are alphanumeric.
    Verifying changes

    Once the configuration is updated, check the response headers for your product URL. You should see Cache-Control directives indicating that the content is now cacheable.

For more, see Whitelisting specific parameters.

Is there a way to manage site traffic spikes?

Expand for answer

Yes. With our premium Fastly Waiting Room feature.

For more, see Waiting room.

Can I cache backend responses?

Expand for answer

Yes, you can cache responses from the backend server with some slight tweaks to your Magnolia configuration.

For more on how to do this, see the article here.

How do I set Fastly as my CDN provider for an ingress?

Expand for answer

To set your CDN provider to Fastly in the ingress:

  1. First, Connect to Fastly.

  2. Then, set magnolia.info/cdn-provider to fastly.

    magnolia.info/cdn-provider: fastly (1)
    1 In this example, fastly is set as the CDN provider.

With this setup, you’ll be able to whitelist the IPs necessary for Fastly to retrieve pages from the ingress.

For more on whitelisting, see Secure ingresses.

Can I configure a wildcard ingress?

Expand for answer

Yes.

For more on how to do this, check out the dedicated section here.

Do I need extra configuration for CDN caching?

Expand for answer

Only if you are using a headless approach with a frontend server, in this case, you will have to make sure you set the Cache-Control headers with the values you want the CDN to use.

Can I customize the CDN cache configuration?

Expand for answer

For setups that aren’t exclusively headless, yes.

For more on this, see here.

Can I add additional headers to the CDN?

Expand for answer

Yes. However, this is done with an incubator module.

For more on this, see here.

Are 404 errors cached? Can I exclude them?

Expand for answer

Yes the following are cached by default.

  • 200 OK

  • 203 Non-Authoritative Information

  • 300 Multiple Choices

  • 301 Moved Permanently

  • 302 Moved Temporarily

  • 404 Not Found

  • 410 Gone

You can exclude 404 errors. If you want to do this, please contact the HELPDESK.

Doing this could allow bots to hammer your site with requests. By not caching 404 errors, there will be more requests to your backend.

Is the CDN cache flushed automatically after publishing?

Expand for answer

Option 1 You can manually purge the CDN in the Cockpit.

For more details, see the Purge CDN section.

By default, CSS, JavaScript, and images are cached. Pages are not cached by default. However, you can configure your policy to cache Pages.

See Server cache policy for help with that.

Option 2 You can configure a REST Client to trigger CDN cache flushing.

For more details, see Automate flushing of CDN cache.

Development

Does DX Cloud support JCR clustering?

Expand for answer

DX Cloud does not support JCR clustering. This is primarily for performance reasons.

Can I deploy a frontend with PaaS?

Expand for answer

Yes, you can. You can deploy as many frontend applications as you need. In fact, we have a few frontend templates to get you started.

Check them out here.

I can’t create a password in the Passwords App. What do I do?

Expand for answer

If you are upgrading Helm to version 1.14 or later and running Magnolia 6.2.44+, you must manually move the password manager keypair properties file to the expected location for the DX Cloud Helm chart.

For instructions on how to do this, see Setup: Password manager key.

Why don’t I see thumbnail previews for my assets?

Expand for answer

By default, thumbnails are disabled to ensure optimal performance in DX Cloud. Projects with a large volume of assets per folder can cause serious performance issues when thumbsnails are enabled. If you wish to turn thumbnails back on, you can do so by setting thumbnails: true in the dam.subApps.yaml file.

For more details, see Storing assets.

How do I handle redirects?

Expand for answer

To use redirects in DX Cloud, you’ll create them directly via the Cockpit if you are dealing with more than 10 redirects. If you have fewer than 10, you can manage them directly in a redirects ingress.

We recommend you use the Cockpit redirects option, especially if you have greater than 10 redirects.

Can I have a dedicated custom error page per site?

Expand for answer

Yes, you can have a dedicated custom error page per site by using Virtual URI mapping. However, you should always proceed with extra caution when using Virtual URI mapping.

For more details, see Virtual URI mapping.

  1. In your configuration at server/filters/cms/bypasses/, remove the docroot bypass.

  2. In your configuration at server/webContainerResources/mappings/, change /docroot/ to /modules/.

    faq virtualUri mapping valueChange

  3. Now, configure your Virtual URI mapping.

    Example configuration
    class: info.magnolia.virtualuri.mapping.DefaultVirtualUriMapping
fromUri: /docroot/404.html (1)
toUri: forward:/404.html (2)
    1 Routes from the root 404 page (which happens by default).
    2 Routes to the 404 page found in the site tree.

SSO on DX Cloud isn’t working. What do I do?

Expand for answer

If SSO in DX Cloud is failing due to incorrect protocol inference, setting the port to https in the Helm chart ensures Magnolia will generate redirect URLs using HTTPS.

Example
  - host: {{ .Env.DEPLOYMENT }}.author.paastraining.magnolia-platform.io
    paths:
    - path: /
      instance: author
      port: https (1)
1 To do this, ideally, you should be using Helm 1.17.2 or 1.17.1.

Domains and Certificates

Do SSL certificates have to be configured on Fastly and Kubernetes?

Expand for answer

Yes.

However, this is done automatically.

You just need to add the certificate via the Cockpit.

Once the certificate is ready and the Fastly annotation has been correctly applied, the certificate is automatically sent and configured in Fastly.

You must manage renewing any custom certificates.

Where do I point A records to?

Expand for answer

If you need to map a domain using an A record, point the domain to the IPs associated with the load balance servers.

You can retrieve this with the following command:

Command
dig https://adb8bffe76c8c422087e3732eabd17b9-58b5e8e7a952af5b.elb.eu-central-1.amazonaws.com (1)
1 The load balancer domain.
Response
https://adb8bffe76c8c422087e3732eabd17b9-58b5e8e7a952af5b.elb.eu-central-1.amazonaws.com  300  IN  A  203.0.113.1 (1)
1 The IP address associated with the domain. This is the IP address you should use for your A record.

Can I use a wildcard when adding a certificate?

Expand for answer

Yes, you can use wildcards for custom certificates, which are handled in the Cockpit.

However, if using LetsEncrypt, you must file a Support request for wildcard certificates as of 2025-07-13.

General

Are DX Cloud users automatically logged out after a period of inactivity?

Expand for answer

Yes. After 15 minutes of inactivity, the user is automatically logged out of the Cockpit.

Can you send emails with DX Cloud?

Expand for answer

In short, no. This is not currently in scope for DX Cloud.

At the moment, we recommend that you use some of the available external services such as Mailgun, Mailchimp, etc.

The above statement is not an endorsement of any particular service, but is solely intended to provide a starting point for your mail service search.

How many authors can work in Magnolia on DX Cloud?

Expand for answer

There is technically no exact maximum to the number of concurrent authors that can be working on Magnolia on DX Cloud.

However, we recommend that no more than 50 authors work in Admincentral concurrently. This helps avoid latency issues in Admincentral due to too many authors using the Pages app, too many authors publishing, or just generally too many actions occurring simultaneously.

Helm

How do I find the latest Helm chart version?

Expand for answer

The latest helm chart version is 1.17.2.

Check out the Magnolia helm repo for more details.

Do I need to use the latest Helm chart version?

Expand for answer

As of Magnolia 6.2.59, the latest Helm chart is required for compatibility and optimal performance. We strongly recommend always deploying the latest Helm chart to leverage enhanced stability, security updates, and streamlined configuration management.

For detailed guidance on Helm charts and the values.yml file, refer to Helm values.

What is the minimum Helm chart version needed for Magnolia 6.3?

Expand for answer

The minimum Helm chart version needed for Magnolia 6.3 is 1.15.0.

You upgrade your version in the .gitlab-ci.yaml file.

...
helm upgrade prod mironet magnolia-helm --version 1.17.2 -f values_new.yml -n prod
...

The latest helm chart version is 1.17.2.

Check out the Magnolia helm repo for more details.

For more on Magnolia 6.3, see Magnolia 6.3.

How can I access a specific Public?

Expand for answer

You need to create an ingress for each public.

See Creating an ingress for steps on how to do that.

How do I update the Helm chart version?

Expand for answer

You update the Helm chart version in the .gitlab-ci.yaml file. You must modify the version, the values file, and the namespace. Pipeline configuration may vary by customer implementation; though we do provide blueprints. Ensure you adapt the configuration accordingly to fit the project requirements.

  • Global variable

  • Command line

Specify the desired Helm chart version here. This shows the latest version.

gitlab.ci.yaml file
variables:
  HELM_CHART_VERSION: 1.17.2
...
helm upgrade prod mironet magnolia-helm --version 1.17.2 -f values_new.yml -n prod
...

Licenses

How do I add my Magnolia license for DX Cloud?

Expand for answer

For DX Cloud, you bootstrap your license in your project values.yml file provided to you at the start of your project.

  magnoliaAuthor:
    ...
    env:
      ...
      - name: magnolia.bootstrap.license.owner
        value: "[replace with email]"
      - name: magnolia.bootstrap.license.key
        value: "[replace with key]"

The license gets injected only when an environment gets created via the Helm chart, meaning this only happens once, when the environment is created.

If you need to update your license, it should be handled directly in Magnolia.

How do I update my Magnolia license key?

Expand for answer

Your license key is entered in the values.yml file during onboarding for DX Cloud, so you don’t need to worry about entering it to get started.

However, you may need to update your license at some point. For example, when your license expires, you need to update to a license that isn’t expired. In this case, you should update your license key directly within Magnolia instead of the values.yml file.

For steps on how to do this, see Updating a license key.

Managing PaaS

What is a sticky session?

Expand for answer

Sticky sessions, or session persistence, is when you instruct the load balancer to remain linked to a specific node (server) to avoid losing the session data if the request goes to the other server. Essentially, you send the request from a given IP to the delivery server, but continue to send follow-up requests to the same server until the session expires. Session persistence is needed when the project has transactions or required data in the session.

Sticky sessions are typically used in situations where you have some data in the session and the sessions are not replicated between servers, but you also need to ensure that the data doesn’t get lost.

How do I configure sticky sessions?

Expand for answer

To enable sticky sessions:

  1. Go to your values.yml file in your DX Cloud project.

  2. Set the following ingress annotations:

    ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: 512m
    cert-manager.io/cluster-issuer: "letsencrypt-prod-dns"
    nginx.ingress.kubernetes.io/affinity: "cookie" (1)
    nginx.ingress.kubernetes.io/affinity-mode: "persistent" (2)
    nginx.ingress.kubernetes.io/session-cookie-name: "INGRESSCOOKIE" (3)
    nginx.ingress.kubernetes.io/session-cookie-max-age: "3600" (4)
    nginx.ingress.kubernetes.io/default-backend: {{ .Env.DEPLOYMENT }}-magnolia-error-page-svc
    nginx.ingress.kubernetes.io/custom-http-errors: "503"
  hosts:
    - host: {{ .Env.DEPLOYMENT }}.eu-playground.magnolia-platform.com
      paths:
          - path: /
            instance: public
          - path: /author
            instance: author
...
    1 Set nginx.ingress.kubernetes.io/affinity to cookie.
    2 Set nginx.ingress.kubernetes.io/affinity-mode to persistent.
    3 Put the INGRESSCOOKIE at nginx.ingress.kubernetes.io/session-cookie-name. If you use a Cookie based redirect server, the name must be the same as the value in the nginx.ingress.kubernetes.io/session-cookie-name ingress annotation in your values.yml file.
    4 Set nginx.ingress.kubernetes.io/session-cookie-max-age to the time (in seconds) you want the cookie to persist. After this configured time, the cookie is deleted.

How do I define custom environment variables?

Expand for answer

You can define custom environment variables in the Helm Values file in your project.

To define a variable for the OS

Define the name and value of the variable like so:

...
magnoliaAuthor:
  env:
    - name: VARIABLE
      value: "VALUE"
...
To define a variable for the Java Virtual Machine (JVM)

Set the value for the specified object like so:

...
magnoliaAuthor:
  catalinaExtraEnv:
    variable: "VALUE"
...

Can I delete environment indexes?

Expand for answer

Yes you can.

  • Cockpit

  • k8s

To delete the index folders:

  1. Go to Environments > Manage.

  2. Click Delete indexes for the desired environment.

To delete the index folders:

  1. In Rancher, click on the Execute shell navigation item on the desired Author environment.

    rancher execute shell screenshot

  2. Run the following commands:

    cd /mgnl-home/repositories/magnolia/workspaces/ (1)
find . -name index -exec rm -rf {} \; (2)
    1 Changes to your workspaces directory.
    2 Finds and removes the index folders.

What is the Fastly maintenance page?

Expand for answer

The Fastly maintenance page is at the CDN level. To use this approach, reach out to the Helpdesk for assistance.

How I regenerate a new activation key pair?

Expand for answer

The re-creation of the key pair must be done on the author instance.

  1. Go to AdminCentral.

  2. Open the Publishing Tools app.

    click publishing tools app

  3. Click on Generate new key.

    publishing tools app click generate new key

    The system creates both keys and stores them in the magnolia-activation-keypair.properties file. In addition, the system stores the public key in the author system’s JCR.

When using DX Cloud, the keys are automatically distributed to the public instance with the help of a dedicated sidecar.

Setup and deployment

What is the minimum Java version needed for PaaS?

Expand for answer

Currently, the minimum supported Java version for DX Cloud is Java 11 (LTS).

For more details, see Set up DX Cloud.

How do I add a public instance?

Expand for answer

DX Cloud does not support autoscaling. You must scale up or down by changing the replicas value.

You can add a public instance in the values.yml file or in the Cockpit.

What is the base image used for Magnolia as part of PaaS?

Expand for answer

The recommended base image is:

Key Type Default Description

image.tomcat.tag

string

"9.0-jre11-temurin"

Tomcat repo tag.

This is defined in the image.tomcat.tag helm value. For more, see Helm values.

Can I deploy anything I want with DX Cloud?

Expand for answer

No.

DX Cloud is a solution designed to deploy Magnolia only. In some instances, headless frontends are also deployed as part of DX Cloud.

Can I have a custom deployment script or setup?

Expand for answer

We don’t allow custom helm charts or operators for DX Cloud.

Only the official DX Cloud helm chart is used for deployments. Certain properties in the values.yml file which is created during setup can be configured. However, only those properties available in the official DX Cloud Helm chart are available at all.

The latest helm chart version is 1.17.2.

Check out the Magnolia helm repo for more details.

Can I have standby clusters?

Expand for answer

Yes, you can.

For more on this topic, see Multicluster environments.

Can I have clusters in different regions?

Expand for answer

Yes, you can.

For more on this topic, see Multicluster environments.

What is the latest Maven archetype version?

Expand for answer

The latest maven archetype version for the cloud bundle is 1.10.

For more, see Create a project using the Maven archetype.

How do I ensure database scaling?

Expand for answer

By default, your database and application will scale if you are performing the action in the Cockpit.

However, if you notice the database isn’t scaling, check your helm values.yaml file to ensure the following are set to true:

  • magnoliaPublic.db.backup.enabled

  • magnoliaPublic.db.contentsync.enabled

For more, see Helm Values reference.

Why is my application slow to start?

Expand for answer

Of course, there could be a number of a reasons why your DX Cloud application is slow to start.

It could be that you need to enable startupProbe in your values.yml file to accommodate a large amount of storage or if you’re migrating to DX Cloud.

This applies to both magnoliaAuthor and magnoliaPublic.

After indexing is complete, you should revert the startupProbe to the default settings.

  startupProbe:
    enabled: True
    failureThreshold: 720 (1)
    periodSeconds: 10 (2)
1 Increase failureThreshold (number of attempts before failing) to accommodate indexing time for large storage or migrating customers in order to avoid indexing failures.
2 periodSeconds defines the interval (in seconds) between each probe check.

In this example, the probe is checked every 10 seconds 720 times, meaning 2 hours (7200 seconds) before the application officially fails.

For more on this topic, see Helm values.

Security

Can I restrict access to my site through the Cockpit?

Expand for answer

You can restrict access to your site in a couple of different ways:

  • Access control: restricts certain paths on your site.

  • Geofencing: blocks visitors from defined countries from entering your site.

For more details, see CDN settings.

Is Two-Factor Authentication (2FA) used to access the Cockpit?

Expand for answer

Yes, 2FA is used for all customer and partner accounts.

How do you prevent DDoS attacks?

Expand for answer

To prevent and mitigate DDoS attacks, DX Cloud grants all customers (using Fastly as their CDN):

  • Access to origin shielding

    Origin shielding is designed to reduce the load on an origin server by centralizing cache fill operations to a limited set of CDN locations. For more details, see Shielding.

  • Automatic resistance to availability attacks

  • Access to Fastly cache IP space

  • Custom DDoS filter creation abilities

Learn more at Fastly’s Always-on DDos Mitigation page.

What if I’m not using Fastly?

  1. Go to https://ipinfo.io/www.xxx.yyy.zzz (where www.xxx.yyy.zzz is the suspicious IP).

    ipinfo report abuse

  2. Update your values.yml file with the following snippet:

    kind: Ingress (1)
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: deny www.xxx.yyy.zzz; (2)
    1 Specifies the kind Ingress.
    2 Denies the specific IP address.
    Only use the `server-snippet` exactly as instructed. Otherwise, you may cause issues with your PaaS deployment.
For more details, see Preventing DDoS attacks.

What happens if the WAF detects attacks?

Expand for answer

WAF Intro

Web Application Firewalls, or WAFs, protect web applications from common malicious attacks such as cross-site-scripting (XSS) and SQL injections. Essentially, they act as a type of wall or shield between your web application and the internet. If you have your own CDN for your project, you’ll likely have your own WAF.

If you choose to go with the default CDN for DX Cloud, you’ll be protected with the Fastly WAF.

The Fastly WAF inspects the web traffic at the HTTP application layer by looking at all HTTP and HTTPS requests (both header and body included). This can be configured specifically for your deployment.

What happens if attacks are detected?

If the WAF detects any of the owasp or application-multi attacks, it automatically blocks the request. If they detect there is an increased volume of requests, Fastly notifies us at Magnolia, and we perform a security review.

If needed, we send the logs to you to check if the requests have come form the same IP and if the requests are legitimate or not. If you need to block the IP, you can do it through the cockpit.

We encourage you to use the cockpit. However, if you feel you need to, you can request our help directly with the issue.

See Web Application Firewall (WAF) for more details.

What type of security do we have for REST requests?

Expand for answer

There are three levels of control when REST requests are issued:

  • Web access

  • JCR access

  • Command-level access

Permissions to issue REST requests are controlled using Magnolia’s standard role-based security mechanism.

The rest-anonymous role is handled differently in DX Cloud than in on-prem Magnolia.

Any change to the anonymous user may cause Cockpit functionality to break.
Table 1. Web access
Permission Path

Requests within PaaS all require a valid JSON Web Token (JWT) which is only available to the Magnolia Bootstrap sidecar.

Get & Post

/.rest/configuration/*

Get & Post

/.rest/cloud/*

Get

/.rest/status

For more details on rest security generally for Magnolia, see REST security.

Snippets

Is it okay to use ingress-nginx snippets?

Expand for answer

Generally, no. You should only use configuration and/or server snippets exactly as instructed by documentation or the DX Cloud team. Making changes to these snippets without consultation or approval could lead to unintended consequences for your PaaS project.

I want to add snippets for redirect rules. Is this okay?

Expand for answer

No. As stated in Is it okay to use ingress-nginx snippets?, we generally advise against using nginx-ingress configuration and server snippets and you should only use it exactly as instructed by the documentation or the DX Cloud team.

For redirects, use our Redirects feature in the Cockpit.

Feedback

PaaS

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the Magnolia PaaS docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules