Add uWSGI and Nginx configs

2023-04-06 20:35:08 +10:00 · 2023-04-06 20:35:08 +10:00 · 0c3e579b8d
commit 0c3e579b8d
parent 95c7e803e7
2 changed files with 88 additions and 0 deletions
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@ -0,0 +1,51 @@
+upstream {{ site_name }}_django_wsgi {
+    keepalive 2;  # Cache 2 connections.
+    server unix:/run/{{ site_name }}/django_uwsgi.sock;
+}
+
+# server {
+#     listen 80;
+#     server_name {{ env.domain }};
+#     return 301 https://{{ env.domain }}$request_uri;
+# }
+
+server {
+    listen 80; # 443 ssl http2;
+    server_name {{ env.domain }};
+    client_max_body_size 50M;
+
+    ssl_certificate /etc/letsencrypt/live/{{ env.domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ env.domain }}/privkey.pem;
+
+    # Ask for HTTPS for 180 days.
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
+
+    # Advise browsers not to use content type sniffing to reduce chance of XSS attacks.
+    add_header X-Content-Type-Options nosniff;
+
+    # Advise browser to only load external content from these sites.
+    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
+
+    location / {
+        # Django web application including static files (via WhiteNoise).
+        uwsgi_pass {{ site_name }}_django_wsgi;
+        include uwsgi_params;
+
+        # Disable gzip compression when where traffic might be over SSL
+        # to avoid an attack that may compromise Django's CSRF
+        # protection. See:
+        # https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
+        gzip off;
+    }
+
+    location /media/ {
+        # User-uploaded files and generated reports.
+        alias {{ project_dir }}/media/;
+        expires 1y;
+    }
+
+    location /.well-known/ {
+        # Used for "acmi-challenge".
+        alias {{ project_dir }}/htdocs/.well-known/;
+    }
+}
--- a/deploy/uwsgi.ini
+++ b/deploy/uwsgi.ini
@ -0,0 +1,37 @@
+[uwsgi]
+strict = true  # Fail if unknown config parameter found.
+plugins = python3
+chdir = {{ project_dir }}
+home = {{ virtualenv }}
+module = project.wsgi
+master = true
+socket = /run/{{ site_name }}/django_uwsgi.sock
+processes = 3
+# Reduced this again now that reports are deferred to a queued task. Could
+# potentially be further reduced.
+harakiri = 15
+max-requests = 5000
+vacuum = true
+# For Sentry, see https://docs.sentry.io/clients/python/advanced/#a-note-on-uwsgi.
+enable-threads = true
+log-prefix = {{ site_name }}
+
+# Enable uWSGI stats server for use with uwsgitop.
+# Run with: `sudo -u www-data uwsgitop /run/{{ site_name }}/django_uwsgi_stats.socket`
+stats = /run/{{ site_name }}/django_uwsgi_stats.socket
+# Memory reporting is useful for reviewing memory consumption with uwsgitop, but
+# makes the logs a little noiser.
+# memory-report = true
+
+# Always use UTF-8 as the encoding for reading/writing files and other,
+# regardless of system preferences. Will be default in Python 3.15. We were
+# originally specifying LANG=en_AU.UTF-8 here, to handle Unicode chars in
+# uploaded filenames, but this broke down when that locale wasn't
+# installed. Using Python's UTF Mode should side-step this. See
+# https://docs.python.org/3/library/os.html#utf8-mode.
+env = PYTHONUTF8=1
+# Haven't decided how to securely handle code being able to write __pycache__
+# directories and bytecode into read-only directories.
+env = PYTHONDONTWRITEBYTECODE=true
+# Per Django deployment checklist.
+env = PYTHONHASHSEED=random