I am currently developing an application using Django.
What I'm trying to achieve is to have a remote server that will host configuration files. Those files are going to be numerous but quite small.
The configuration of my server is the following: on the address 172.x.x.51 I have my Django app running with uwsgi, and on 172.x.x.52 I have my nginx service connected to my uwsgi instance.
What I would like is to host the files on the nginx server.
Inside the application, I will need to access the files and to save them (they are calculated from data in the database, so there's no need for a file upload).
I looked on the documentation and found that I can use a Custom Storage System. The thing is, I don't think that's what I need because I want to store them the way it's done by default. I would just like to define the place where the files should be updated from Django.
Would it be better if I stored them in the media folder on my nginx instance? How would I tell Django to go look on nginx's instance for the files? On the server where nginx is hosted, I already host my static files and it's working.
This isn't a question about Django really. Storage backends are for file uploads, but as you say you're not doing that.
You need some way of allowing your Django instance on *.51 write to your nginx server on *.52. This might be via SSH/SCP, or by sharing directories over NFS, for example. Then you can simply save the files over that protocol to the relevant place, from where nginx can serve them.
I've seen many questions on stackoverflow about handling static files in django during deployment. I saw that many answers said something like this - "With debug turned off Django won't handle static files for you any more - your production web server (Apache or something) should take care of that."
Why can't we use the server hosting the django project to host the static files too?
Static files don't require any kind of logic or processing. It is more efficient to deliver them directly to the end-user directly from disk via a web server, rather than running them through the middle layer of Django. That middle layer (such as gunicorn, uwsgi, or mod_wsgi) is what allows things like views to be processed and for the ORM to connect with a database. Since static files require none of that, bypassing it is the most efficient. The same is true for media files that are uploaded by the end user. Good luck!
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is: 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django, would know how to form this directory path if they knew the Django project directory but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest is usually error logs:
If DEBUG is set to True in your Django settings, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or the Apache configuration, to learn what your project directory is...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
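As an added example (not code from any of the answers on this page), a small Python scanner over web-server access logs that flags the kind of request quoted in the question: paths that look like server filesystem locations, traversal attempts, and probes for source or config files. The log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2019:10:01:02 +0000] "GET /home/XXXXX/code/repositories/YYYYY-website/templates HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Nov/2019:10:01:03 +0000] "GET /static/css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:10:02:15 +0000] "GET /media/../../etc/passwd HTTP/1.1" 400 0 "-" "curl/7.58"
198.51.100.7 - - [25/Nov/2019:10:02:16 +0000] "GET /settings.py HTTP/1.1" 404 512 "-" "curl/7.58"
"""

# Parse client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# URL paths that mirror common server filesystem locations rather than application routes.
FS_PREFIXES = ("/home/", "/var/www/", "/etc/", "/root/", "/srv/", "/opt/")
# Requests for files that should never be reachable through the web server.
SOURCE_FILE_RE = re.compile(r"\.(py|pyc|ini|conf|env|sqlite3|git)(/|$)", re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    path: str
    status: int
    reason: str


def classify(path: str):
    """Return a short reason string if the request path looks like a probe, else None."""
    if "../" in path or "%2e%2e" in path.lower():
        return "path traversal"
    if path.startswith(FS_PREFIXES):
        return "absolute filesystem path"
    if SOURCE_FILE_RE.search(path):
        return "source/config file probe"
    return None


def scan(log_text: str):
    """Scan log text and return the suspicious requests as Hit records, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = classify(m["path"])
        if reason:
            hits.append(Hit(m["ip"], m["path"], int(m["status"]), reason))
    return hits
```

The 404 on the first line is the interesting part: a request for a path that only makes sense with knowledge of the project layout, which is what the question is asking about.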
I'm a django newbie. I've read that all django projects, deployed in production environment, should serve media files (uploads) through web server such as apache. My question is - why is that?
There are lots of PHP frameworks - eg. symfony 1 and 2 - which don't follow the rule. Once you've made your app accessible through a web server, you don't have to change anything depending on the env you deploy. There is just the DOCUMENT_ROOT configured on the web server and somewhere inside this directory lies the upload directory - that's all. You can be sure that no one will access PHP, sql files and so on - thanks to the proper framework architecture and the document root. Why is it different in django?
edit: besides, preparing different code for different environments (e.g. this) is quite a bad approach, since you can't use exactly the same code to deploy a project in different envs (and the code from the link makes sense only for a debug env).
Because with PHP your code is served from web server's public directories together with static and media files. So when you request any of these static files web server serves them directly without executing any PHP code along the way.
In Django your code is running separately and all requests are processed by Python code in Django. This is inefficient for serving static files; it's more efficient to allow a web server like Apache or Nginx to serve them directly without going through any Python code.
I'm building app in django which I want to deploy on aws ec2 server. The app will run on gunicorn, and I want to place static files on s3. So my question is - do I need to use nginx at all?
Is there any other benefit of using nginx beside serving static files?
Arek
Putting nginx in the front of your stack not only allows you to route static content requests to your s3 storage but also give you the ability to do things like caching your django requests and lower the hits in your app and database. You can set up fine grain cache policies and have more control of exactly where requests will go, all while still under the same url structure as your set up in django.
Even though you're placing static files on S3, you still need a web server to serve them, right? I don't see how S3 changes the fact that with Apache/WSGI or gunicorn it's better to have something like nginx serving static files.
Also, read this: http://gunicorn.org/deploy.html
For some reason I can't figure out, other than the 'stupid' errors that keep creeping up when I try to access media files (files uploaded by the user) in my Django app, why I just can't serve media files!
In this particular case, all I want, for example, is to be able to serve up images to the front end that have been uploaded. My app correctly serves static files via /static/, but when I try to serve my /site_media/ files all hell breaks loose! What could I be doing wrong?
So, after realizing that Django wasn't essentially crafted to actually handle media files, I decided to resort to using Apache via the recommended mod_python option like it is recommended to do in production. But I've never done this before, and am wondering whether this is worth the trouble on the development server.
Well, I know eventually I have to go down this path when I go production, and so will still have to learn how to do this, but what are the pros and cons for this route on the development server?
First, mod_python is not recommended. In fact, it's specifically recommended against. Use mod_wsgi instead.
Secondly, we have no possible way of telling what you're doing wrong when serving static media via the dev server, because you have provided no code or details of your setup.
Finally, there is no reason why you can't use Apache - or even better, a lightweight server such as nginx - and point it at your static directory only. Then, set STATIC_URL in your settings.py to the address served by that server. It makes no difference what port it is on while you're in development.
It is surely a pro since the django serves the requests faster without having to deal with the media.
A con is that, if and when you edit the media, you need to also restart the apache, for the media to refresh.
update based on your comment:
You can of course easily do it. One simple way I practice this is by using nginx and symlinking the media folder into nginx's sites-enabled and running nginx on port 80 (or any other).
You can set the MEDIA_URL in your settings, where you point it to the url with the appropriate port.