Add uWSGI and Nginx configs

2023-04-06 20:35:08 +10:00 · 2023-04-06 20:35:08 +10:00 · 0c3e579b8d
commit 0c3e579b8d
parent 95c7e803e7
2 changed files with 88 additions and 0 deletions
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@ -0,0 +1,51 @@
 upstream {{ site_name }}_django_wsgi {
    keepalive 2;  # Cache 2 connections.
    server unix:/run/{{ site_name }}/django_uwsgi.sock;
 }
 # server {
 #     listen 80;
 #     server_name {{ env.domain }};
 #     return 301 https://{{ env.domain }}$request_uri;
 # }
 server {
    listen 80; # 443 ssl http2;
    server_name {{ env.domain }};
    client_max_body_size 50M;
    ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;
    # Ask for HTTPS for 180 days.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    # Advise browsers not to use content type sniffing to reduce chance of XSS attacks.
    add_header X-Content-Type-Options nosniff;
    # Advise browser to only load external content from these sites.
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
    location / {
        # Django web application including static files (via WhiteNoise).
        uwsgi_pass {{ site_name }}_django_wsgi;
        include uwsgi_params;
        # Disable gzip compression when where traffic might be over SSL
        # to avoid an attack that may compromise Django's CSRF
        # protection. See:
        # https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
        gzip off;
    }
    location /media/ {
        # User-uploaded files and generated reports.
        alias {{ project_dir }}/media/;
        expires 1y;
    }
    location /.well-known/ {
        # Used for "acmi-challenge".
        alias {{ project_dir }}/htdocs/.well-known/;
    }
 }
--- a/deploy/uwsgi.ini
+++ b/deploy/uwsgi.ini
@ -0,0 +1,37 @@
 [uwsgi]
 strict = true  # Fail if unknown config parameter found.
 plugins = python3
 chdir = {{ project_dir }}
 home = {{ virtualenv }}
 module = project.wsgi
 master = true
 socket = /run/{{ site_name }}/django_uwsgi.sock
 processes = 3
 # Reduced this again now that reports are deferred to a queued task. Could
 # potentially be further reduced.
 harakiri = 15
 max-requests = 5000
 vacuum = true
 # For Sentry, see https://docs.sentry.io/clients/python/advanced/#a-note-on-uwsgi.
 enable-threads = true
 log-prefix = {{ site_name }}
 # Enable uWSGI stats server for use with uwsgitop.
 # Run with: `sudo -u www-data uwsgitop /run/{{ site_name }}/django_uwsgi_stats.socket`
 stats = /run/{{ site_name }}/django_uwsgi_stats.socket
 # Memory reporting is useful for reviewing memory consumption with uwsgitop, but
 # makes the logs a little noiser.
 # memory-report = true
 # Always use UTF-8 as the encoding for reading/writing files and other,
 # regardless of system preferences. Will be default in Python 3.15. We were
 # originally specifying LANG=en_AU.UTF-8 here, to handle Unicode chars in
 # uploaded filenames, but this broke down when that locale wasn't
 # installed. Using Python's UTF Mode should side-step this. See
 # https://docs.python.org/3/library/os.html#utf8-mode.
 env = PYTHONUTF8=1
 # Haven't decided how to securely handle code being able to write __pycache__
 # directories and bytecode into read-only directories.
 env = PYTHONDONTWRITEBYTECODE=true
 # Per Django deployment checklist.
 env = PYTHONHASHSEED=random