On Thursday 12 October 2017 14:52:55 Ioan Eugen Stan wrote:
> Hello,

Hi,

> I'm working to prepare our deployment of Sling based CMS in production.
> I could use some feedback and help to secure Sling. I wish to reduce the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
>
> To bootstrap the process I created a git repo to serve as a sandbox [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcome.
>
> First feedback: I did not find a quick way to get started in building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2]. This initial step could be made easier by
> Sling - maybe a maven artifact?
>
> ----
> I would like to reduce the attack surface of Sling by removing all the
> dependencies that I don't use.
>
> One problem that I have is that it is difficult to find out what is used
> and what is not.

Why not start the other way round and only install what you need?

Have a look at Sling's Karaf Features:
https://github.com/apache/sling/tree/trunk/karaf

Regards,
O.

> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
> of Mongo, Slingshot, Webdav dependencies and others.
>
> We don't plan to use Sling features yet except the Composum
> functionality. After we get some experience with Sling we will be using
> it more and more.
>
> Since I plan to work in Cluster mode, I might deploy the removed
> functionality (Webdav, etc) on another server (maybe not public?)
>
> Could you help me out to identify/split these services?
>
>
> Regards,
>
> [1] https://github.com/netdava/sling-cms-sandbox
>
> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
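As an added illustration of the "find out what is installed" problem raised in the thread (not code from the thread, from Sling or from Karaf): a small script that groups a Felix Web Console bundle listing into the feature groups the poster wants to split off (WebDAV, Mongo, Slingshot) so the remaining "keep" set can be compared against a minimal Karaf feature selection. It assumes the JSON shape of `/system/console/bundles.json` (a `data` array whose entries carry `symbolicName` and `state`) and works on a constructed sample; the bundle names and match patterns are illustrative.

```python
import json
import re

# Constructed sample in the shape of the Felix Web Console's
# /system/console/bundles.json response; the field names are assumed.
SAMPLE_BUNDLES_JSON = json.dumps({
    "data": [
        {"id": 0, "symbolicName": "org.apache.felix.framework", "state": "Active"},
        {"id": 41, "symbolicName": "org.apache.sling.jcr.webdav", "state": "Active"},
        {"id": 42, "symbolicName": "org.apache.sling.jcr.davex", "state": "Active"},
        {"id": 57, "symbolicName": "org.mongodb.mongo-java-driver", "state": "Active"},
        {"id": 63, "symbolicName": "org.apache.sling.samples.slingshot", "state": "Resolved"},
        {"id": 70, "symbolicName": "org.apache.sling.launchpad.content", "state": "Active"},
    ],
})

# Feature groups to split off, keyed by label and matched against the
# bundle symbolic name (constructed, case-insensitive patterns).
FEATURE_PATTERNS = {
    "webdav": r"\.(webdav|davex)$",
    "mongo": r"mongo",
    "slingshot": r"slingshot",
}

def split_bundles(bundles_json, patterns=FEATURE_PATTERNS):
    """Group installed bundles by the first feature pattern they match.

    Returns a dict label -> sorted list of symbolic names; bundles that
    match no pattern land under "keep" so nothing is silently dropped.
    """
    compiled = {label: re.compile(rx, re.IGNORECASE) for label, rx in patterns.items()}
    groups = {label: [] for label in patterns}
    groups["keep"] = []
    for bundle in json.loads(bundles_json).get("data", []):
        name = bundle.get("symbolicName", "")
        label = next((lbl for lbl, rx in compiled.items() if rx.search(name)), "keep")
        groups[label].append(name)
    return {label: sorted(names) for label, names in groups.items()}

def removal_candidates(bundles_json, patterns=FEATURE_PATTERNS):
    """Flat, sorted list of every bundle that falls into a removable group."""
    groups = split_bundles(bundles_json, patterns)
    return sorted(n for lbl, names in groups.items() if lbl != "keep" for n in names)

if __name__ == "__main__":
    for label, names in split_bundles(SAMPLE_BUNDLES_JSON).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

Against a live instance the same functions can be fed the response of an authenticated GET to the Web Console URL above.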