
File permissions for Django: Gunicorn, Nginx, and Static Files

I have a standard ubuntu 14.04 machine. I use it daily under the user mh00h. I'm interested in using this machine as a production server. How do I manage file permissions for Django and Nginx?

Nginx is currently configured to run under www-data:www-data. This minimizes the risk of the rest of the machine being compromised. Django/gunicorn likewise should run under a user other than mh00h. But under what user should gunicorn actually run? nobody, correct?

Next: I am storing all of my web development files under /home/mh00h/development.

  /home/mh00h/development: owned by mh00h.
  /home/mh00h/development/project1 (plus all dir/files but /media and /static)?: owned by mh00h.

I follow django two-scoops best practices to create a project directory with static files inside of it. Of course, Nginx is unable to access /home/mh00h/development/project1/project1/static now because all of those parent directories are owned by mh00h, not www-data (./static is owned by www-data).

To complicate the matter, virtualenvwrapper creates my virtual environments under /home/mh00h/.virtualenvs/.

I am hesitant to fraction away from two scoops' best practices and store /static separately in /var/www, because I want all of these directories to stay nicely packaged together for easy transport off to some other server later. Plus, it makes me messy if I compare myself against how two-scoops did it.

  1. Where should my static files be stored?
  2. Where should django specific files be stored?
  3. What users/groups should be able to access which of 1 and 2?
  4. Where should virtualenvwrapper environments be stored?
  5. What permissions should these locations have?

Thank you.

All files and directories in our production environment are owned by root:root with 755/644 file permissions, unless otherwise required. Some private files (think private keys etc.) are only readable by the user/process that needs them, while still being writable only by root.

As for the project structure: all our projects have a dedicated directory under /srv/www/vhosts.d/. Virtual environments are stored under /srv/www/virtualenvs. It is perfectly possible to store them in your home folder, but I feel this central approach is more in line with the idea of a production server. With the right settings, all virtual envs are also accessible by all users.

Our main project directory contains several scripts (manage.py and several deployment/update scripts) and is further split out into subdirectories: i.e. web contains public files, src contains the source code, and frontend contains the template folder and sass folder. The whole project directory is contained in a git repository, but deployment-specific files (user uploaded files, search indexes, encryption keys) are all in .gitignore.

Our nginx process runs as www-data. In general each Django project has its own user, and the gunicorn process runs as this user.
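The layout this answer describes, written out as an added example (this is not the answerer's own deployment script). It creates one project under /srv/www/vhosts.d with root:root ownership and 755/644 modes, a private directory whose secrets are readable by the project's service account but writable only by root, and then runs the check that explains the asker's "nginx cannot access static/" symptom: every directory from the filesystem root down to static/ must be traversable (o+x) by www-data, and a 700 home directory breaks that chain even when static/ itself is 755. The project name project1, a service account of the same name, the secret.env file and a group-writable media directory for uploads are assumptions; the script takes a sandbox root as its first argument so it can be run as an unprivileged user, and only attempts chown when run as root with the service account present.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Assumed names: project "project1", service user/group "project1" (create it
# on Ubuntu with "adduser --system --group project1"), sandbox root in $1.
set -eu
umask 022   # new dirs come out 755 and new files 644, matching the answer

# Create the answer's layout under $root: root:root, 755 dirs / 644 files,
# except private/ (750/640, group = project user, still root-writable) and
# media/, which the gunicorn user must be able to write (assumption).
setup_layout() {
    local root=$1 project=$2
    local vhost="$root/srv/www/vhosts.d/$project"
    local venv="$root/srv/www/virtualenvs/$project"
    local priv="$vhost/private"

    mkdir -p "$vhost/web/static" "$vhost/web/media" "$vhost/src" \
             "$vhost/frontend" "$venv" "$priv"
    # every ancestor nginx has to walk through must be o+x
    chmod 755 "$root/srv" "$root/srv/www" "$root/srv/www/vhosts.d" \
              "$root/srv/www/virtualenvs" "$vhost" "$vhost/web" \
              "$vhost/web/static" "$vhost/web/media" "$vhost/src" \
              "$vhost/frontend" "$venv"
    printf 'DEBUG = False\n' > "$vhost/src/settings.py"
    chmod 644 "$vhost/src/settings.py"

    # secrets: readable by the project user via its group, writable only by root
    printf 'SECRET_KEY=placeholder-not-a-real-key\n' > "$priv/secret.env"
    chmod 750 "$priv"
    chmod 640 "$priv/secret.env"

    # ownership needs root and an existing service account; skipped otherwise
    if [ "$(id -u)" -eq 0 ] && getent group "$project" >/dev/null 2>&1; then
        chown -R root:root "$vhost" "$venv"
        chown root:"$project" "$priv" "$priv/secret.env"
        chown "$project":"$project" "$vhost/web/media"
    fi
}

# Symbolic mode of a path, e.g. "-rw-r-----" (uses ls so it works without
# GNU stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Walk from directory $1 up to $2 (inclusive) and print the first directory
# that "others" cannot traverse (no o+x). Returns 0 if the whole chain is
# traversable. Assumes the web server user is neither the owner nor in the
# group of these directories, which holds for root:root and home-dir layouts.
first_blocked_dir() {
    local dir=$1 stop=$2
    while :; do
        case $(mode_of "$dir" | cut -c10) in
            x|t) ;;
            *) printf '%s\n' "$dir"; return 1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Stand-alone demo in a throwaway sandbox: the answer's layout passes, the
# asker's home-directory layout fails at the 700 home directory.
demo() {
    local sb; sb=$(mktemp -d)
    setup_layout "$sb" project1
    if first_blocked_dir "$sb/srv/www/vhosts.d/project1/web/static" "$sb/srv"; then
        echo "ok: www-data can reach $sb/srv/www/vhosts.d/project1/web/static"
    fi

    mkdir -p "$sb/home/mh00h/development/project1/project1/static"
    chmod 755 "$sb/home"
    chmod 700 "$sb/home/mh00h"   # a private home directory
    if ! first_blocked_dir "$sb/home/mh00h/development/project1/project1/static" "$sb/home"; then
        echo "^ blocks nginx even though static/ itself is 755"
    fi
    rm -rf "$sb"
}
demo
```

On a real host run it as root with "/" as the sandbox root after creating the service account; the same first_blocked_dir check, pointed at the real static directory, is the quickest way to tell whether a "403 Forbidden" from nginx is a parent-directory mode problem rather than a problem with static/ itself.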
