[英]File permissions for Django: Gunicorn, Nginx, and Static Files
I have a standard ubuntu 14.04 machine. 我有一台标准的ubuntu 14.04机器。 I use it daily under the user mh00h
. 我每天在用户mh00h
下使用它。 I'm interested in using this machine as a production server. 我有兴趣将这台机器用作生产服务器。 How do I manage file permissions for Django and Nginx? 如何管理Django和Nginx的文件权限?
Nginx is currently configured to run under the www-data:www-data
. Nginx目前配置为在www-data:www-data
下运行。 This minimizes risk of the rest of a machine being compromised. 这可以最大限度地降低机器其他部件受到危害的风险。 Django/gunicorn likewise should run under a user other than mh00h
. Django / gunicorn同样应该在mh00h
以外的用户下运行。 But under what user should gunicorn actually be run under? 但是用户应该使用gunicorn实际运行? nobody
, correct? nobody
,对吗?
Next: I am storing all of my web development files under /home/mh00h/development
. 下一篇:我将所有的web开发文件存储在/home/mh00h/development
。 Owned by mh00h
. 由mh00h
拥有。 /home/mh00h/development/project1 (plus all dir/files but /media and /static)
? /home/mh00h/development/project1 (plus all dir/files but /media and /static)
? Owned by mh00h
. 由mh00h
拥有。 I follow django two-scoops best practices to create a project directory with static files inside of it. 我遵循django双勺最佳实践来创建一个包含静态文件的项目目录。 Of course, Nginx is unable to access /home/mh00h/development/project1/project1/static
now because all of those parent directories are owned by mh00h
, not www-data
( ./static
is owned by www-data
). 当然,Nginx现在无法访问/home/mh00h/development/project1/project1/static
因为所有这些父目录都归mh00h
,而不是www-data
( ./static
归www-data
)。
To complicate the matter, virtualenvwrapper creates my virtual environments under /home/mh00h/.virtualenvs/
. 为了使问题复杂化,virtualenvwrapper在/home/mh00h/.virtualenvs/
下创建我的虚拟环境。
I am hesitant to fraction away from two scoop's best practices and store /static
separately in /var/www
, because I want all of these directories to stay nicely packaged together for easy transport off to some other server later. 我不愿意在/var/www
分别从两个scoop的最佳实践和store /static
分离出来,因为我希望所有这些目录保持良好的打包状态,以便以后轻松传输到其他服务器。 Plus, it makes me messy if I compare myself against how two-scoops did it. 另外,如果我将自己与双勺的比较方式进行比较,那会让我感到麻烦。
Thank you. 谢谢。
All files and directories in our production environment are owned by root:root
with 755/644 file permissions, unless otherwise required. 除非另有要求,否则我们的生产环境中的所有文件和目录都由root:root
拥有,具有755/644文件权限。 Some private files (think private keys etc.) are only readable by the user/process that needs them, while still being writable only by root
. 一些私有文件(想想私钥等)只能由需要它们的用户/进程读取,同时仍然只能由root
写入。
As for the project structure: all our projects have a dedicated directory under /srv/www/vhosts.d/
. 至于项目结构:我们所有项目都在/srv/www/vhosts.d/
下有一个专用目录。 Virtual environments are stored under /srv/www/virtualenvs
. 虚拟环境存储在/srv/www/virtualenvs
。 It is perfectly possible to store them in your home folder, but I feel this central approach is more in line with the idea of a production server. 将它们存储在您的主文件夹中是完全可能的,但我觉得这种核心方法更符合生产服务器的想法。 With the right settings, all virtual envs are also accessible by all users. 通过正确的设置,所有用户也可以访问所有虚拟环境。
Our main project directory contains several scripts (manage.py and several deployment/update scripts) and is further split out into subdirectores: ie web
contains public files, src
contains the source code, and frontend
contains the template folder and sass folder. 我们的主项目目录包含几个脚本(manage.py和几个部署/更新脚本),并进一步拆分为子目录:即web
包含公共文件, src
包含源代码, frontend
包含模板文件夹和sass文件夹。 The whole project directory is contained in a git repository, but deployment-specific files (user uploaded files, search indexes, encryption keys) are all in .git-ignore
. 整个项目目录包含在git存储库中,但特定于部署的文件(用户上载的文件,搜索索引,加密密钥)都在.git-ignore
。
Our nginx process runs as www-data
. 我们的nginx进程以www-data
运行。 In general each Django project has its own user, and the gunicorn process runs as this user. 通常,每个Django项目都有自己的用户,gunicorn进程以该用户身份运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.