From 0c3e579b8d361857d7cc5909bacd30d7220bf28b Mon Sep 17 00:00:00 2001
From: Ben Sturmfels
Date: Thu, 6 Apr 2023 20:35:08 +1000
Subject: [PATCH] Add uWSGI and Nginx configs
---
 deploy/nginx.conf | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 deploy/uwsgi.ini | 37 ++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 deploy/nginx.conf
 create mode 100644 deploy/uwsgi.ini
diff --git a/deploy/nginx.conf b/deploy/nginx.conf
new file mode 100644
index 00000000..3ea0b880
--- /dev/null
+++ b/deploy/nginx.conf
@@ -0,0 +1,51 @@
+upstream {{ site_name }}_django_wsgi {
+ keepalive 2; # Cache 2 connections.
+ server unix:/run/{{ site_name }}/django_uwsgi.sock;
+}
+
+# server {
+# listen 80;
+# server_name {{ env.domain }};
+# return 301 https://{{ env.domain }}$request_uri;
+# }
+
+server {
+ listen 80; # 443 ssl http2;
+ server_name {{ env.domain }};
+ client_max_body_size 50M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;
+
+ # Ask for HTTPS for 180 days.
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
+
+ # Advise browsers not to use content type sniffing to reduce chance of XSS attacks.
+ add_header X-Content-Type-Options nosniff;
+
+ # Advise browser to only load external content from these sites.
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+
+ location / {
+ # Django web application including static files (via WhiteNoise).
+ uwsgi_pass {{ site_name }}_django_wsgi;
+ include uwsgi_params;
+
+ # Disable gzip compression when where traffic might be over SSL
+ # to avoid an attack that may compromise Django's CSRF
+ # protection. See:
+ # https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
+ gzip off;
+ }
+
+ location /media/ {
+ # User-uploaded files and generated reports.
+ alias {{ project_dir }}/media/;
+ expires 1y;
+ }
+
+ location /.well-known/ {
+ # Used for "acmi-challenge".
+ alias {{ project_dir }}/htdocs/.well-known/;
+ }
+}
\ No newline at end of file
diff --git a/deploy/uwsgi.ini b/deploy/uwsgi.ini
new file mode 100644
index 00000000..cd8a080f
--- /dev/null
+++ b/deploy/uwsgi.ini
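Review bot: With `listen 80; # 443 ssl http2;` and the HTTP-to-HTTPS redirect server left commented out, this server block serves the application over plaintext while the ssl_certificate directives and the Strict-Transport-Security header have no effect — browsers discard HSTS received over HTTP, so the "Ask for HTTPS for 180 days" comment does not describe the committed state. If this is deliberately a bootstrap state before the first certificate exists, say so in a comment next to the listen line; otherwise switch to `listen 443 ssl http2;` and restore the redirect server, keeping /.well-known/ reachable over port 80 for HTTP-01 renewals (a server-level `return` fires before any location is matched, so the redirect belongs in a `location /`). The Content-Security-Policy comment also overstates the policy: with `'unsafe-inline' 'unsafe-eval'` it does not stop injected inline scripts, so `# Restrict script sources to this origin; 'unsafe-inline'/'unsafe-eval' are still allowed, so this does not yet block inline script injection.` would be accurate. The .well-known comment should read "acme-challenge", not "acmi-challenge".
```nginx
server {
    listen 80;
    server_name {{ env.domain }};
    location /.well-known/ {
        # ACME HTTP-01 challenges must stay reachable over plain HTTP.
        alias {{ project_dir }}/htdocs/.well-known/;
    }
    location / {
        return 301 https://{{ env.domain }}$request_uri;
    }
}

server {
    listen 443 ssl http2;
    # … unchanged: server_name, client_max_body_size, ssl_certificate*, headers, locations …
```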
@@ -0,0 +1,37 @@
+[uwsgi]
+strict = true # Fail if unknown config parameter found.
+plugins = python3
+chdir = {{ project_dir }}
+home = {{ virtualenv }}
+module = project.wsgi
+master = true
+socket = /run/{{ site_name }}/django_uwsgi.sock
+processes = 3
+# Reduced this again now that reports are deferred to a queued task. Could
+# potentially be further reduced.
+harakiri = 15
+max-requests = 5000
+vacuum = true
+# For Sentry, see https://docs.sentry.io/clients/python/advanced/#a-note-on-uwsgi.
+enable-threads = true
+log-prefix = {{ site_name }}
+
+# Enable uWSGI stats server for use with uwsgitop.
+# Run with: `sudo -u www-data uwsgitop /run/{{ site_name }}/django_uwsgi_stats.socket`
+stats = /run/{{ site_name }}/django_uwsgi_stats.socket
+# Memory reporting is useful for reviewing memory consumption with uwsgitop, but
+# makes the logs a little noiser.
+# memory-report = true
+
+# Always use UTF-8 as the encoding for reading/writing files and other,
+# regardless of system preferences. Will be default in Python 3.15. We were
+# originally specifying LANG=en_AU.UTF-8 here, to handle Unicode chars in
+# uploaded filenames, but this broke down when that locale wasn't
+# installed. Using Python's UTF Mode should side-step this. See
+# https://docs.python.org/3/library/os.html#utf8-mode.
+env = PYTHONUTF8=1
+# Haven't decided how to securely handle code being able to write __pycache__
+# directories and bytecode into read-only directories.
+env = PYTHONDONTWRITEBYTECODE=true
+# Per Django deployment checklist.
+env = PYTHONHASHSEED=random
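Review bot: The config never sets `uid`/`gid`, so whether the workers run unprivileged depends entirely on whatever starts the master; the `sudo -u www-data uwsgitop` comment suggests www-data is intended, but if the launcher (not shown here) runs uWSGI as root, the application will too. Adding `uid = www-data` and `gid = www-data`, or a comment stating that the service unit drops privileges, makes that explicit. Since nginx's worker user must also be able to write to `/run/{{ site_name }}/django_uwsgi.sock`, it is worth stating how that socket is made accessible (`chown-socket`/`chmod-socket`, or both services sharing a user) rather than relying on defaults. Separately, `strict = true # Fail if unknown config parameter found.` is the only key with a trailing comment; uWSGI's ini reader is not documented as stripping inline comments and this presumably works only because `strict` is a value-less flag, so move the comment to its own line as the rest of the file does.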