Good practice to serve static files during development in Django - django

I have quite big amount of css and js files (different libraries and plugins) in my Django-1.9 project. And it takes around 3 sec to refresh a page and load all of them, which is quite long. What is the recommended way to serve those static files during development? Should I use somehow Django Cache Framework?

From what you said, I understand that you use Django for serving static files and its performance is low and annoying.
In this case, you could apply same methods as for production use:
use CDN (it can be faster than Django serving static files),
set up separate web server (e.g. nginx) to serve static files,
minimize and combine your scripts and stylesheets.

Related

Why is it suggested to use a different service to host static files (like nginx or apache) for django?

I've seen many questions on stackoverflow about handling static files in django during deployment. I saw that many answers said something like this - "With debug turned off Django won't handle static files for you any more - your production web server (Apache or something) should take care of that."
Why can't we use the server hosting the django project to host the static files too?
Static files don't require any kind of logic or processing. It is more efficient to deliver them directly to the end-user directly from disk via a web server, rather than running them through the middle layer of Django. That middle layer (such as gunicorn, uwsgi, or mod_wsgi) is what allows things like views to be processed and for the ORM to connect with a database. Since static files require none of that, bypassing it is the most efficient. The same is true for media files that are uploaded by the end user. Good luck!

Why are static files served separately in webservers?

It seems like most web servers (Apache, Nginx, Lighthttpd) serve static files separately from the html files (different configuration). Why is this?
I'm trying to deploy my Django app with Apache and the deployment so far has been straightforward. In development the Django server served static files without me bothering to configure it. Why is it different in real webservers?
It's a performance issue.
In a production setup you wouldn't want static content to be served through django. Serving static content through django involves a lot of overhead (loading the static file, processing python bytecode, passing through WSGI, etc) that is totally unnecessary for static content.
Web servers are extremely fast and efficient at serving static content themselves, so there is usually no reason to involve django / python in the request.
For a small site without a lot of load you could have django serve static content (you'd need to configure django to serve static content with DEBUG=False) and it would be relatively harmless, but it wouldn't be the 'right way' to do it.

Why is django's development automatic static file server not suitable for production?

As stated in: https://docs.djangoproject.com/en/dev/howto/static-files/
When DEBUG is set to True, the server automatically serves the static file, but it states:
This method is grossly inefficient and probably insecure, so it is unsuitable for production.
But what exactly is inefficient and insecure about it? I just have a small-ish project on Heroku that I haven't set to "production" mode yet and I'm wondering what are the exact downsides.
Performance related reasons:
web servers are orders of magnitude better at serving static files.
AFAIK the development server is mono-threaded and can respond only one request at time, concurrent requests will block (most browsers make 4 concurrent requests trying to download assets in parallel).
Security related reasons:
using the app to serve static content is overkill (simplification is good for security)
the developers like to be on the safe side, so it is kind of a disclaimer
debug mode exposes a lot of information about the server
Django started in the news publishing industry where in general there is enough traffic to justify serving static content from a dedicated web server, probably the original developers have a bias for this arrangement.
That said, there are projects that replace the default development server by a more robust implementation based on gunicorn or tornado.
Kenneth (the author of requests, employed by Heroku) has a different opinion (source):
In reality, serving static files through Python/Django is fine for
production — those requests are no different than dynamic ones.
Performance will be fantastic, but not as good as nginx.
If you're that heavily concerned about efficiency then you shouldn't
be hosting those files on your server anyway, you'd be pushing them to
an CDN like S3+Cloudfront and the like.
Another benefit to this approach is development:production parity.
And on heroku, you can't use Nginx to server static files, actually you can't do it on most other PaaS too, I got the same problem on cloud foundry last year. But there is a workaround:
On Heroku, your application directly responds to HTTP requests,
instead of going through an additional web server like Apache or
Nginx.
We recommend most applications serve their assets strait from Django
or a CDN.
Django doesn't recommend serving static files in production because of
the design of its static file handler.
Luckily, there is a library called DJ-Static which makes uses a
production-ready WSGI asset server.
I've written up a guide for Django and Static Assets here:
https://devcenter.heroku.com/articles/django-assets
Read the following discussions for more details:
Serving static files for a Django app
serving static files via gunicorn

Media server vs normal server

I am designing an iphone forum application with django running in amazon ec2. Currently I am learning to deploy django using either nginx or apache. I am confused about media server and normal server. A lot of sources say that nginx is good for serving media files or static content, what does that mean? For normal group conversation/forum application, how does apache and nginx differ in performance etc? When is my mobile application serving dynamic content and when is it serving static content?
Googling will find you better results for a comparison between Apache vs Nginx than anyone on this site can give you. It is too broad of a question and can be highly subjective.
Media Files
Media in a django context generally refers to files that have been uploaded by end users. It is common to have a django view that initially uploads the users file, but then any future access to it is served by a traditional web server like nginx.See the docs for more info.
Static Files
Static in a django context refer to images, javascript and css files. While developing your site, the built-in django development server will serve these files for you. However, when moving to production you will want to use a traditional web server like apache to serve these files. See the docs for more details.
Dynamic Content
This would refer to the content (html, json, xml etc.) that is generated by the views that you write within Django.

Security issues with serving static files through Django?

The official docs say, of the staticfiles serve view:
... this view is grossly inefficient and probably insecure
Does this warning apply only to this particular view, or are there security issues inherent in the concept of serving static files through Django? What are they? Assuming I've benchmarked my application and performance is acceptable, are there any other issues I should be aware of?
It's insecure because it doesn't have to be secure
Serving static files through django means you go through the Python code to do something your webserver would do significantly more efficiently.
Given that serving static files is disastrous performance-wise, no-one would use this in production.
Therefore, no-one cares about the security of serving static files in Django.
As a consequence, this view is probably insecure.
Ultimately, it's the same rationale as the development server. You're not supposed to be using it in production and not one is dedicating effort to making it secure. It's just practical for development.
Also, something inefficient is something that exposes you to DoS attacks. So yes, it's insecure.
But you shouldn't be using it.
Why are you serving static files through Django? Is it to control access to those files?
If yes, you should use the X-Accel-Redirect(Nginx) or X-Sendfile (Apache) headers.
But don't do it yourself, use: https://github.com/johnsensible/django-sendfile