Re: preparing sling deployment in production
Hi,

On 18.10.2017 22:15, Oliver Lietz wrote:
> Why not start the other way round and only install what you need?
> Have a look at Sling's Karaf Features:
> https://github.com/apache/sling/tree/trunk/karaf

Thank you, that is what I am going to do. I cloned the new git repositories.
Hopefully I will be able to push things upstream.

Regards,
Re: preparing sling deployment in production
On Thursday 12 October 2017 14:52:55 Ioan Eugen Stan wrote:
> Hello,

Hi,

> I'm working to prepare our deployment of Sling-based CMS in production.
> I could use some feedback and help to secure Sling. I wish to reduce the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
>
> To bootstrap the process I created a git repo to serve as a sandbox [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcome.
>
> First feedback: I did not find a quick way to get started in building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2]. This initial step could be made easier by
> Sling - maybe a maven artifact?
>
> I would like to reduce the attack surface of Sling by removing all the
> dependencies that I don't use.
>
> One problem that I have is that it is difficult to find out what is used
> and what is not.

Why not start the other way round and only install what you need?
Have a look at Sling's Karaf Features:
https://github.com/apache/sling/tree/trunk/karaf

Regards,
O.

> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
> of Mongo, Slingshot, Webdav dependencies and others.
>
> We don't plan to use Sling features yet except the Composum
> functionality. After we get some experience with Sling we will be using
> it more and more.
>
> Since I plan to work in Cluster mode, I might deploy the removed
> functionality (Webdav, etc) on another server (maybe not public ?)
>
> Could you help me out to identify/split these services?
>
> Regards,
>
> [1] https://github.com/netdava/sling-cms-sandbox
>
> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
Re: preparing sling deployment in production
Hello,

Thank you Robert. I appreciate your help. Don't know how to do some of the
stuff yet but I will dig into documentation. I've added your suggestions +
credits to the readme [1]. I'll continue again to work on the project.

Because I need JDBC and probably some other functionality I am considering
providing Karaf features as I have some previous experience with the
platform.

Regards,

[1] https://github.com/netdava/sling-cms-sandbox

On 17.10.2017 14:21, Robert Munteanu wrote:
> Hi Eugen,
>
> On Thu, 2017-10-12 at 14:52 +0300, Ioan Eugen Stan wrote:
>> Hello,
>>
>> I'm working to prepare our deployment of Sling-based CMS in production.
>> I could use some feedback and help to secure Sling. I wish to reduce the
>> attack surface by removing features that are not needed in my setup.
>> This work should help other people with their particular setups.
>>
>> To bootstrap the process I created a git repo to serve as a sandbox [1].
>> The README there has more information on the goals and what you will
>> find in the repo. Contributions are more than welcome.
>
> A good starting point is the AEM security checklist [3]. Not all things
> apply to Sling (e.g. dispatcher) but others do.
>
>> First feedback: I did not find a quick way to get started in building
>> my custom distribution. Eventually I copy-pasted that project and
>> updated the pom.xml [2]. This initial step could be made easier by
>> Sling - maybe a maven artifact?
>
> We have a slingstart archetype, not sure if that works for you or not. [4]
>
>> I would like to reduce the attack surface of Sling by removing all the
>> dependencies that I don't use.
>>
>> One problem that I have is that it is difficult to find out what is used
>> and what is not.
>>
>> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
>> of Mongo, Slingshot, Webdav dependencies and others.
>>
>> We don't plan to use Sling features yet except the Composum
>> functionality. After we get some experience with Sling we will be using
>> it more and more.
>>
>> Since I plan to work in Cluster mode, I might deploy the removed
>> functionality (Webdav, etc) on another server (maybe not public ?)
>>
>> Could you help me out to identify/split these services?
>
> Besides the AEM security checklist, you might want to enumerate the
> Servlet instances in your repository, notably:
>
> - those that are path-bound
> - those that are not handled by the SlingMainServlet
>
> Servlets bound by resource types are usually much easier to control.
>
> I would also encourage you to make sure to block certain paths from
> external clients:
>
> - /libs
> - /apps
> - /system
>
> are probably sensitive enough to filter out.
>
> Hope that points you in the right direction.
>
> Robert
>
>> Regards,
>>
>> [1] https://github.com/netdava/sling-cms-sandbox
>>
>> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
>
> [3]: https://docs.adobe.com/docs/en/aem/6-3/administer/security/security-checklist.html
> [4]: https://svn.apache.org/repos/asf/sling/trunk/tooling/maven/archetypes/slingstart/
Re: preparing sling deployment in production
Hi Eugen,

On Thu, 2017-10-12 at 14:52 +0300, Ioan Eugen Stan wrote:
> Hello,
>
> I'm working to prepare our deployment of Sling-based CMS in production.
> I could use some feedback and help to secure Sling. I wish to reduce the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
>
> To bootstrap the process I created a git repo to serve as a sandbox [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcome.

A good starting point is the AEM security checklist [3]. Not all things
apply to Sling (e.g. dispatcher) but others do.

> First feedback: I did not find a quick way to get started in building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2]. This initial step could be made easier by
> Sling - maybe a maven artifact?

We have a slingstart archetype, not sure if that works for you or not. [4]

> I would like to reduce the attack surface of Sling by removing all the
> dependencies that I don't use.
>
> One problem that I have is that it is difficult to find out what is used
> and what is not.
>
> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
> of Mongo, Slingshot, Webdav dependencies and others.
>
> We don't plan to use Sling features yet except the Composum
> functionality. After we get some experience with Sling we will be using
> it more and more.
>
> Since I plan to work in Cluster mode, I might deploy the removed
> functionality (Webdav, etc) on another server (maybe not public ?)
>
> Could you help me out to identify/split these services?

Besides the AEM security checklist, you might want to enumerate the
Servlet instances in your repository, notably:

- those that are path-bound
- those that are not handled by the SlingMainServlet

Servlets bound by resource types are usually much easier to control.

I would also encourage you to make sure to block certain paths from
external clients:

- /libs
- /apps
- /system

are probably sensitive enough to filter out.

Hope that points you in the right direction.

Robert

> Regards,
>
> [1] https://github.com/netdava/sling-cms-sandbox
>
> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/

[3]: https://docs.adobe.com/docs/en/aem/6-3/administer/security/security-checklist.html
[4]: https://svn.apache.org/repos/asf/sling/trunk/tooling/maven/archetypes/slingstart/
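One way to apply the path filtering Robert suggests at the edge, as an added example that is not part of the thread or of the Sling project: an Apache httpd 2.4 reverse-proxy fragment that denies /libs, /apps and /system before proxying the rest to Sling. It assumes httpd with mod_proxy, mod_proxy_http and mod_authz_core loaded, and a Sling instance on localhost:8080 (neither the proxy nor the port is stated in the thread).

```apache
# Added example, not from the thread: Apache httpd 2.4 in front of Sling.
# Assumes Sling listens on localhost:8080 and that mod_proxy,
# mod_proxy_http and mod_authz_core are loaded.

# Deny the three paths singled out in the thread. Location sections are
# evaluated before the proxy handler runs, so denied requests never
# reach Sling. The pattern matches the bare prefix, a trailing slash or
# a dot on purpose: Sling decomposes URLs into resource path, selectors
# and extension, so /libs.json or /apps.tidy.-1.json resolve to the same
# resources as /libs and /apps and must be covered by the same rule.
<LocationMatch "^/(libs|apps|system)($|[/.])">
    Require all denied
</LocationMatch>

# Everything else is forwarded to Sling unchanged.
ProxyPreserveHost On
ProxyPass        "/" "http://localhost:8080/"
ProxyPassReverse "/" "http://localhost:8080/"
```

A proxy-level filter only holds if external clients cannot reach port 8080 directly (firewall or bind Sling to the loopback interface), and after deploying it, requesting each of the three paths with and without an extension through the proxy should return 403.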