Showing
8 changed files
with
159 additions
and
2 deletions.
@@ -0,0 +1,36 @@ | ||
server { | ||
listen 80 default_server; | ||
listen [::]:80 default_server; | ||
server_name _; | ||
return 301 https://$server_name$request_uri; | ||
} | ||
|
||
server { | ||
listen 443 ssl default_server; | ||
listen [::]:443 ssl default_server; | ||
include snippets/ssl-nadine.conf; | ||
include snippets/ssl-params.conf; | ||
|
||
client_max_body_size 4G; | ||
keepalive_timeout 70; | ||
|
||
access_log /home/nadine/logs/nginx_access.log; | ||
error_log /home/nadine/logs/nginx_error.log notice; | ||
|
||
location = /favicon.ico { | ||
root /home/nadine/webapp/static/; | ||
} | ||
|
||
location /static/ { | ||
alias /home/nadine/webapp/static/; | ||
} | ||
|
||
location /media/ { | ||
alias /home/nadine/webapp/media/; | ||
} | ||
|
||
location / { | ||
include uwsgi_params; | ||
uwsgi_pass unix:/home/nadine/webapp/run/uwsgi_nadine.sock; | ||
} | ||
} |
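Review bot: The redirect on the `return 301 https://$server_name$request_uri;` line expands `$server_name` to the literal `_` declared by `server_name _;` immediately above it, so every plain-HTTP client is sent to `https://_/...` rather than to the site. Declaring the real hostname in both server blocks — the same domain the certificate paths in ssl-nadine.conf are issued for — makes `$server_name` resolve correctly, e.g. `server_name example.com;` with the domain substituted. Using `$host` instead would also produce a working redirect, but it echoes whatever Host header the client supplied, which is the weaker choice for a `default_server` that answers for any name. Indentation has been lost in the rendered view, so the nesting of the `location` blocks inside the 443 server cannot be confirmed from here.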
@@ -0,0 +1,2 @@ | ||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; |
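Review bot: Both paths embed the placeholder `example.com` and nothing in the snippet says so; until it is replaced, the `nginx -t` step in the production doc fails because the certificate files do not exist under that name. A leading comment such as `# replace example.com with the domain certbot issued the certificate for` would make the "edit all configuration files" step the doc asks for self-evident at the point where it matters.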
@@ -0,0 +1,20 @@ | ||
# from https://cipherli.st/ | ||
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | ||
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_prefer_server_ciphers on; | ||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | ||
ssl_ecdh_curve secp384r1; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
resolver 8.8.8.8 8.8.4.4 valid=300s; | ||
resolver_timeout 5s; | ||
# Disable preloading HSTS for now. You can use the commented out header line that includes | ||
# the "preload" directive if you understand the implications. | ||
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | ||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | ||
add_header X-Frame-Options DENY; | ||
add_header X-Content-Type-Options nosniff; | ||
ssl_dhparam /etc/ssl/certs/dhparam.pem; |
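Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which RFC 8996 deprecates and which current SSL Labs scoring penalises, so the B-to-A improvement the production doc promises from the dhparam step is unlikely to materialise with this line as is. Change it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1; on older builds `ssl_protocols TLSv1.2;` is the safe form). The three `add_header` lines are only inherited by a `location` that adds no headers of its own — a later `add_header` inside any location silently drops HSTS and X-Frame-Options for that path — which deserves a comment next to them, e.g. `# add_header is not inherited into a location that sets its own headers; repeat these there if needed`. The `resolver 8.8.8.8 8.8.4.4` line also routes OCSP stapling lookups through public resolvers in cleartext; pointing it at a local resolver keeps that traffic on-host.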
@@ -0,0 +1,13 @@ | ||
[Unit] | ||
Description=uWSGI Emperor service | ||
|
||
[Service] | ||
ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown sammy:www-data /run/uwsgi' | ||
ExecStart=/usr/local/bin/uwsgi --emperor /etc/uwsgi/sites | ||
Restart=always | ||
KillSignal=SIGQUIT | ||
Type=notify | ||
NotifyAccess=all | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
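Review bot: The `ExecStartPre` line chowns `/run/uwsgi` to `sammy:www-data`, a user that appears nowhere else in this commit (the vassal config uses `nadine:www-data` and the production doc creates only the `nadine` user), and the socket the vassal actually binds is `/home/nadine/webapp/run/uwsgi_nadine.sock`, so the directory being prepared looks unused. `ExecStart` points the emperor at `/etc/uwsgi/sites`, whereas the production doc links the vassal into `/etc/uwsgi/apps-enabled/`; one of the two paths has to change or the emperor never loads the app. The unit also sets no `User=`, so the emperor runs as root; that is only acceptable if each vassal drops privileges itself, which the yaml in this commit does not do. Suggested lines: `ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown nadine:www-data /run/uwsgi'` and `ExecStart=/usr/local/bin/uwsgi --emperor /etc/uwsgi/apps-enabled`, assuming the doc's directory is the one that is kept.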
@@ -0,0 +1,10 @@ | ||
uwsgi: | ||
chdir: /home/nadine/webapp | ||
logfile: file:/home/nadine/logs/uwsgi.log | ||
module: nadine.wsgi:application | ||
socket: /home/nadine/webapp/run/uwsgi_nadine.sock | ||
chown-socket: nadine:www-data | ||
chmod-socket: 660 | ||
master: true | ||
processes: 5 | ||
vacuum: true |
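Review bot: The vassal sets `chown-socket: nadine:www-data` but no `uid`/`gid`, and the emperor unit in this commit runs as root with no `User=`, so the Django workers would run as root as well (uWSGI only warns about this at start-up, it does not refuse). Add `uid: nadine` and `gid: www-data` after the `chmod-socket: 660` line so the master drops privileges once the socket exists; `chown-socket` should still be honoured because uWSGI applies it before the privilege drop, but this is worth confirming against the installed version. A short comment on `chmod-socket`/`chown-socket` explaining that mode 660 plus the `www-data` group is what lets the nginx worker (typically `www-data` on Debian-derived systems) connect would also help, since nothing in the file says why that group was chosen.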
|
@@ -40,7 +40,8 @@ Indices and tables | |
requirements | ||
quickstart | ||
settings | ||
|
||
production | ||
|
||
.. toctree:: | ||
:maxdepth: 1 | ||
:glob: | ||
|
@@ -0,0 +1,75 @@ | ||
Production Setup | ||
================ | ||
|
||
In a production environment you want a webserver in front of the Django engine | ||
and the preferred one is Nginx. This will handle all inbound requests, server | ||
your ssl certificate, redirect http requests to https, and serve up static | ||
content in /media and /static. | ||
|
||
|
||
Create Nadine User | ||
------------------ | ||
|
||
.. code-block:: console | ||
$ sudo adduser nadine | ||
$ sudo su - nadine | ||
Follow all the instructions in :doc:`quickstart<quickstart>` as the nadine user. | ||
|
||
Create a few important directories for later. | ||
|
||
.. code-block:: console | ||
$ mkdir -p /home/nadine/logs/ | ||
$ mkdir -p /home/nadine/backups/ | ||
$ mkdir -p /home/nadine/webapp/run/ | ||
$ mkdir -p /home/nadine/webapp/media/ | ||
$ mkdir -p /home/nadine/webapp/static/ | ||
Install Nginx and Certbot | ||
------------------------- | ||
|
||
.. code-block:: console | ||
$ sudo apt-get install nginx certbot openssl | ||
Get your LetsEncrypt certificate | ||
-------------------------------- | ||
|
||
Follow instructions here: `https://certbot.eff.org/all-instructions/ <https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx>` | ||
|
||
If you test your server using the `SSL Labs Server Test <https://www.ssllabs.com/ssltest/>`_ now, | ||
it will only get a B grade due to weak Diffie-Hellman parameters. | ||
We can fix this by creating a new dhparam.pem file and adding it to our server block. | ||
|
||
.. code-block:: console | ||
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | ||
Copy configuration files in to place | ||
------------------------------------ | ||
|
||
.. code-block:: console | ||
$ cd /home/nadine/webapp/nadine/conf | ||
$ sudo cp etc/nginx/sites-available/nadine /etc/nginx/sites-available/nadine | ||
$ sudo ln -sf /etc/nginx/sites-available/nadine /etc/nginx/sites-enabled/default | ||
$ sudo cp etc/nginx/snippets/ssl-nadine.conf /etc/nginx/snippets/ | ||
$ sudo cp etc/nginx/snippets/ssl-params.conf /etc/nginx/snippets/ | ||
$ sudo cp etc/uwsgi/apps-available/nadine.yaml /etc/uwsgi/apps-available/ | ||
$ sudo ln -s /etc/uwsgi/apps-available/nadine.yaml /etc/uwsgi/apps-enabled/ | ||
Edit all configuration files to make sure your domain is correct. | ||
Restart Nginx | ||
------------- | ||
|
||
.. code-block:: console | ||
$ sudo nginx -t | ||
$ sudo systemctl restart nginx |