Merge branch 'master' into 2.0

conf/etc/nginx/sites-available/nadine

@@ -0,0 +1,36 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    include snippets/ssl-nadine.conf;
+    include snippets/ssl-params.conf;
+
+    client_max_body_size 4G;
+    keepalive_timeout 70;
+
+    access_log  /home/nadine/logs/nginx_access.log;
+    error_log  /home/nadine/logs/nginx_error.log notice;
+
+    location = /favicon.ico {
+      root /home/nadine/webapp/static/;
+    }
+
+    location /static/ {
+        alias   /home/nadine/webapp/static/;
+    }
+
+    location /media/ {
+        alias   /home/nadine/webapp/media/;
+    }
+
+    location / {
+      include uwsgi_params;
+      uwsgi_pass unix:/home/nadine/webapp/run/uwsgi_nadine.sock;
+    }
+}

conf/etc/nginx/snippets/ssl-nadine.conf

@@ -0,0 +1,2 @@
+ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

conf/etc/nginx/snippets/ssl-params.conf

@@ -0,0 +1,20 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;

conf/etc/systemd/system/uwsgi.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=uWSGI Emperor service
+
+[Service]
+ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown sammy:www-data /run/uwsgi'
+ExecStart=/usr/local/bin/uwsgi --emperor /etc/uwsgi/sites
+Restart=always
+KillSignal=SIGQUIT
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target

conf/etc/uwsgi/apps-available/nadine.yaml

@@ -0,0 +1,10 @@
+uwsgi:
+  chdir: /home/nadine/webapp
+  logfile: file:/home/nadine/logs/uwsgi.log
+  module: nadine.wsgi:application
+  socket: /home/nadine/webapp/run/uwsgi_nadine.sock
+  chown-socket: nadine:www-data
+  chmod-socket: 660
+  master: true
+  processes: 5
+  vacuum: true

docs/conf.py

@@ -67,7 +67,7 @@
 # The short X.Y version.
 version = u'2.0'
 # The full version, including alpha/beta/rc tags.
-release = u'2.0.5'
+release = u'2.0.6'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/index.rst

@@ -40,7 +40,8 @@ Indices and tables
   requirements
   quickstart
   settings
-
+  production
+
 .. toctree::
   :maxdepth: 1
   :glob:

docs/production.rst

@@ -0,0 +1,75 @@
+Production Setup
+================
+
+In a production environment you want a webserver in front of the Django engine
+and the preferred one is Nginx.  This will handle all inbound requests, server
+your ssl certificate, redirect http requests to https, and serve up static
+content in /media and /static.
+
+
+Create Nadine User
+------------------
+
+.. code-block:: console
+
+  $ sudo adduser nadine
+  $ sudo su - nadine
+
+Follow all the instructions in :doc:`quickstart<quickstart>` as the nadine user.
+
+Create a few important directories for later.
+
+.. code-block:: console
+
+  $ mkdir -p /home/nadine/logs/
+  $ mkdir -p /home/nadine/backups/
+  $ mkdir -p /home/nadine/webapp/run/
+  $ mkdir -p /home/nadine/webapp/media/
+  $ mkdir -p /home/nadine/webapp/static/
+
+
+Install Nginx and Certbot
+-------------------------
+
+.. code-block:: console
+
+  $ sudo apt-get install nginx certbot openssl
+
+
+Get your LetsEncrypt certificate
+--------------------------------
+
+Follow instructions here:  `https://certbot.eff.org/all-instructions/ <https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx>`
+
+If you test your server using the `SSL Labs Server Test <https://www.ssllabs.com/ssltest/>`_ now,
+it will only get a B grade due to weak Diffie-Hellman parameters.
+We can fix this by creating a new dhparam.pem file and adding it to our server block.
+
+.. code-block:: console
+
+  $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+
+
+Copy configuration files in to place
+------------------------------------
+
+.. code-block:: console
+
+  $ cd /home/nadine/webapp/nadine/conf
+  $ sudo cp etc/nginx/sites-available/nadine /etc/nginx/sites-available/nadine
+  $ sudo ln -sf /etc/nginx/sites-available/nadine /etc/nginx/sites-enabled/default
+  $ sudo cp etc/nginx/snippets/ssl-nadine.conf /etc/nginx/snippets/
+  $ sudo cp etc/nginx/snippets/ssl-params.conf /etc/nginx/snippets/
+  $ sudo cp etc/uwsgi/apps-available/nadine.yaml /etc/uwsgi/apps-available/
+  $ sudo ln -s /etc/uwsgi/apps-available/nadine.yaml /etc/uwsgi/apps-enabled/
+
+  Edit all configuration files to make sure your domain is correct.
+
+
+Restart Nginx
+-------------
+
+.. code-block:: console
+
+  $ sudo nginx -t
+  $ sudo systemctl restart nginx