I witnessed an excellent presentation by Boyen Borisov entitled "Drupal in the Cloud - Serverless & more" at Drupal Europe. There were many topics he covered, all hugely stimulating, but what piqued my interest the most was his idea of converting Drupal sites to be static HTML.
Initially this appeared retrograde. Drupal after all has amazing capabilities for creating dynamic pages, so why remove this capability? If we go static, then we:
- Remove the two biggest attack vectors on the site - PHP & MySQL
- Remove the need for slavishly applying security fixes to Drupal immediately after they are announced
- DrupalGeddon-type events cease to be time-critical. Exploits in the wild cannot harm us!
- No arms race to keep ahead of the exploiters
- Less complex production stack to maintain - reducing devops and ops requirements.
Of course I am not suggesting that Drupal should be removed entirely from the estate. There will still be a need to create the website's content through the CMS in a secure environment. In an organisation this could be achieved over an intranet, or on a Virtual Private Cloud (VPC). For lone bloggers, their sandbox instance would suffice.
Once content has been authored, an automated script can generate the static site and deploy it to a cloud server.
There are of course limitations to static sites. They would probably be limited to brochure websites or any site with limited user interactions, and the following capabilities would either have to be removed, or alternative methods sought to replicate their functionality:
- Ajax and paginators
- Forms such as Search, Newsletter Signups and Contact Us
- Views contextual filters
- Anything dynamic, anything user focused.
The loss of search on most Drupal sites would be catastrophic, but there are alternatives.
- Google Site Search - but the free version now carries ads, which deters me
- Algolia - not free
- Elasticsearch + elasticsearch.js client
To me, the option with the most potential is Elasticsearch. The content can be indexed in a local / sandboxed Elasticsearch environment, dumped using Elasticdump, and copied into a production instance of Elasticsearch visible to the static site.
Newsletter sign-ups are still possible, by redirecting the user to a provider such as Mailchimp, or by leveraging the white label capabilities of dotMailer.
Contact Me lends itself to the newly emerging serverless technologies. A static form could be posted to (using AWS products as an example) API Gateway, Lambda and SES, which will result in an email being sent to the desired recipient.
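A sketch of the Lambda step in that chain, as an added example rather than code from this blog or from Badzilla: it validates the posted form, rejects CR/LF in single-line fields, and keeps the recipient fixed server-side. The environment variable names, the form field names and the hidden `website` honeypot field are assumptions.

```python
import base64
import os
import re
from urllib.parse import parse_qs

# Assumed (not from the post): env vars CONTACT_TO / CONTACT_FROM and the form
# fields name, email, message, website (a hidden honeypot input).
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
LIMITS = {"name": 100, "email": 254, "message": 5000}

def parse_form(event):
    """Decode the urlencoded body of an API Gateway proxy event."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8", "replace")
    return {k: v[0].strip() for k, v in parse_qs(body).items()}

def validate(form):
    """Return an error string, or None if the submission is acceptable."""
    for field, limit in LIMITS.items():
        if not 0 < len(form.get(field, "")) <= limit:
            return f"invalid {field}"
    # CR/LF inside a single-line field is how mail header injection is attempted.
    if any(c in form["name"] + form["email"] for c in "\r\n"):
        return "invalid characters"
    if not EMAIL_RE.fullmatch(form["email"]):
        return "invalid email"
    return None

def ses_send(subject, text, reply_to):
    import boto3  # imported lazily; bundled with the Lambda Python runtime
    boto3.client("ses").send_email(
        Source=os.environ["CONTACT_FROM"],
        # The recipient comes from configuration, never from the form.
        Destination={"ToAddresses": [os.environ["CONTACT_TO"]]},
        Message={"Subject": {"Data": subject}, "Body": {"Text": {"Data": text}}},
        ReplyToAddresses=[reply_to],
    )

def handle(event, send=ses_send):
    form = parse_form(event)
    if form.get("website"):  # honeypot filled in: report success, send nothing
        return {"statusCode": 200, "body": "ok"}
    error = validate(form)
    if error:
        return {"statusCode": 400, "body": error}
    send(f"Contact form: {form['name']}", form["message"], form["email"])
    return {"statusCode": 200, "body": "ok"}

def lambda_handler(event, context):
    return handle(event)
```

The `send` parameter exists so the handler can be exercised locally with a stub instead of SES.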
Over the coming blogs I will provide a detailed account of how I created a static version of Badzilla!