View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006224 | Taler | deployment and operations | public | 2020-04-28 11:25 | 2021-08-24 16:23 |
Reporter | buckE | Assigned To | buckE | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Target Version | 0.8 | Fixed in Version | 0.7.1 | ||
Summary | 0006224: Consider Production Deployment of Weblate | ||||
Description | Problem: Running weblate with built-in webserver requires running in Debug mode, which is not recommended. Details are here: https://docs.djangoproject.com/en/3.0/ref/settings/#std:setting-DEBUG Options: The alternatives are 1 - Run Debug = False with no other modifications, which will cause CSS styles to fail 2 - Perform undocumented customizations on the built-in webserver or 3 - Deploy weblate in production environment as described here: https://docs.weblate.org/en/latest/admin/install.html#running-web-server (Note: this is probably why port 8000 was not customizable) | ||||
Tags | No tags attached. | ||||
Attached Files | weblate.site (2,152 bytes)
```
server {
    listen 80;
    listen [::]:80; ## listen for ipv4; this line is default and implied
    root /dev/null;
    server_name weblate.taler.net;
    include conf.d/acme-challenge.conf;
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
    # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
    root /home/weblate/;
    # Make site accessible from http://localhost/
    server_name weblate.taler.net;
    ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;";
    add_header Referrer-Policy "same-origin";
    include conf.d/acme-challenge.conf;
    location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/favicon.ico;
        expires 30d;
    }
    location /static/ {
        # DATA_DIR/static/
        alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/;
        expires 30d;
    }
    location /media/ {
        # DATA_DIR/media/
        alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/media/;
        expires 30d;
    }
    location / {
        include conf.d/uwsgi_params;
        # Needed for long running operations in admin interface
        uwsgi_read_timeout 3600;
        # Adjust based to uwsgi configuration:
        uwsgi_pass unix:///home/weblate/uwsgi.sock;
        # uwsgi_pass 127.0.0.1:8080;
    }
    include conf.d/favicon_robots.conf;
}
```
|
Sounds to me like I should just do (3) using
```
server {
    listen 80;
    server_name weblate;
    root /usr/share/weblate;
    location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /var/lib/weblate/static/favicon.ico;
        expires 30d;
    }
    location /static/ {
        # DATA_DIR/static/
        alias /var/lib/weblate/static/;
        expires 30d;
    }
    location /media/ {
        # DATA_DIR/media/
        alias /var/lib/weblate/media/;
        expires 30d;
    }
    location / {
        include uwsgi_params;
        # Needed for long running operations in admin interface
        uwsgi_read_timeout 3600;
        # Adjust based to uwsgi configuration:
        uwsgi_pass unix:///run/uwsgi/app/weblate/socket;
        # uwsgi_pass 127.0.0.1:8080;
    }
}
```
for the nginx configuration, using /home/weblate and /home/weblatetest for DATADIR respectively. Please confirm if you agree that this is what I should do. |
|
I confirm. Let's see if we're right. I have disabled the weblate systemd service that starts weblate (i.e., the site is now down). I set DEBUG = False. So when you restart nginx, if the weblate.taler.net site comes up and is not obviously style-less, this worked.
If we are running weblate this way, do you still want celery to run under the weblate user? I am not sure if it matters, and maybe we try it how it is first? Anyway, these are instructions if you prefer: https://docs.weblate.org/en/latest/admin/install.html#running-celery-as-system-service |
|
We still need to run uwsgi:
```
$ uwsgi --home=/home/weblate/weblate-env --module weblate.wsgi:application -s /home/weblate/uwsgi.sock
```
(please set up a systemd user service for that). Also, we need to make sure uwsgi.sock is group-accessible (660), as otherwise nginx can't read the socket. There is likely some other option needed to set the permissions (=> please investigate and update the systemd service file accordingly).
Finally, the static resources of django need to be generated, otherwise the site won't work. See: https://docs.djangoproject.com/en/3.0/ref/contrib/staticfiles/#django-admin-collectstatic Note that this command won't work until you've configured django-admin for weblate. Messy, I know. I'm attaching the nginx config we are using. |
|
First: I missed your mention of '/home/weblatetest' above. weblatetest has nothing to do with setting up weblate. weblatetest has nothing to do with this ticket. (That is a test project under weblate, not related to testing the installation of weblate.)
uwsgi:
- user-level systemd running with --chmod-socket=660
- Result:
  - uwsgi running
  - srw-rw---- 1 weblate weblate 0 Apr 30 07:06 uwsgi.sock

The file is in /home/weblate/uwsgi.sock (Will the socket still be found by nginx at uwsgi_pass unix:///run/uwsgi/app/weblate/socket ?)
Because we're staying with user-level config, I will send updates to the nginx config soon. |
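The socket requirement discussed in the notes above (mode 660, reachable by nginx through group membership), as an added check that is not part of the original ticket. The function name `audit_uwsgi_socket` and its parameters `client_gids` and `top` are hypothetical; it assumes the nginx worker is not the socket owner and ignores ACLs.

```python
import os
import stat


def audit_uwsgi_socket(path, client_gids, top="/"):
    """Return findings for a uwsgi unix socket; an empty list means a
    non-owner client holding the group ids in client_gids (the nginx
    worker) can connect and other local accounts cannot."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing, is uwsgi running?"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a unix socket"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o002:
        findings.append(f"{path}: mode {mode:03o} is world-writable, any local user can connect")
    if mode & 0o060 != 0o060:
        findings.append(f"{path}: mode {mode:03o} lacks group rw (want 660)")
    elif st.st_gid not in client_gids:
        findings.append(f"{path}: group {st.st_gid} is not one of the client's groups")

    # Connecting also needs search (x) permission on every directory above
    # the socket; a 660 socket inside a private home directory can fail here.
    top = os.path.abspath(top)
    d = os.path.dirname(os.path.abspath(path))
    while True:
        ds = os.stat(d)
        dmode = stat.S_IMODE(ds.st_mode)
        group_ok = dmode & 0o010 and ds.st_gid in client_gids
        if not (dmode & 0o001 or group_ok):
            findings.append(f"{d}: mode {dmode:03o} blocks traversal by the client")
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return findings


if __name__ == "__main__":
    # Socket path from the ticket. Assumption: run this as the nginx worker
    # account so that os.getgroups() returns that account's groups.
    for line in audit_uwsgi_socket("/home/weblate/uwsgi.sock", set(os.getgroups())):
        print(line)
```
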
|
Please use the attached file's settings instead. diff is probably easiest but:
```
server {
    listen 443 ssl;
    listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
    # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
    root /home/weblate/webroot;
    . . .
    location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /home/weblate/DATA_DIR/static/favicon.ico;
        expires 30d;
    }
    location /static/ {
        # DATA_DIR/static/
        alias /home/weblate/DATA_DIR/static/;
        expires 30d;
    }
    location /media/ {
        # DATA_DIR/media/
        alias /home/weblate/DATA_DIR/media/;
        expires 30d;
    }
```
weblate.site-30.04.20 (2,042 bytes)
```
server {
    listen 80;
    listen [::]:80; ## listen for ipv4; this line is default and implied
    root /dev/null;
    server_name weblate.taler.net;
    include conf.d/acme-challenge.conf;
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
    # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
    root /home/weblate/webroot;
    # Make site accessible from http://localhost/
    server_name weblate.taler.net;
    ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;";
    add_header Referrer-Policy "same-origin";
    include conf.d/acme-challenge.conf;
    location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /home/weblate/DATA_DIR/static/favicon.ico;
        expires 30d;
    }
    location /static/ {
        # DATA_DIR/static/
        alias /home/weblate/DATA_DIR/static/;
        expires 30d;
    }
    location /media/ {
        # DATA_DIR/media/
        alias /home/weblate/DATA_DIR/media/;
        expires 30d;
    }
    location / {
        include conf.d/uwsgi_params;
        # Needed for long running operations in admin interface
        uwsgi_read_timeout 3600;
        # Adjust based to uwsgi configuration:
        uwsgi_pass unix:///home/weblate/uwsgi.sock;
        # uwsgi_pass 127.0.0.1:8080;
    }
    include conf.d/favicon_robots.conf;
}
```
|
PS I think django-admin is already configured and running `weblate configurestatic --noinput` creates the static files. But we'll see when the new settings are implemented. |
|
New settings implemented, site works (at least static resources load nicely!). |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-28 11:25 | buckE | New Issue | |
2020-04-28 11:25 | buckE | Status | new => assigned |
2020-04-28 11:25 | buckE | Assigned To | => Christian Grothoff |
2020-04-28 16:50 | Christian Grothoff | Note Added: 0015796 | |
2020-04-28 16:50 | Christian Grothoff | Note Edited: 0015796 | |
2020-04-29 10:02 | buckE | Note Added: 0015799 | |
2020-04-29 13:28 | Christian Grothoff | Note Added: 0015807 | |
2020-04-29 13:30 | Christian Grothoff | File Added: weblate.site | |
2020-04-29 17:05 | Christian Grothoff | Assigned To | Christian Grothoff => buckE |
2020-04-30 07:44 | buckE | Note Added: 0015808 | |
2020-04-30 08:19 | buckE | File Added: weblate.site-30.04.20 | |
2020-04-30 08:19 | buckE | Note Added: 0015809 | |
2020-04-30 09:35 | buckE | Note Added: 0015813 | |
2020-04-30 11:37 | Christian Grothoff | Status | assigned => resolved |
2020-04-30 11:37 | Christian Grothoff | Resolution | open => fixed |
2020-04-30 11:37 | Christian Grothoff | Fixed in Version | => 0.7.1 |
2020-04-30 11:37 | Christian Grothoff | Note Added: 0015817 | |
2020-07-24 11:56 | Christian Grothoff | Target Version | => 0.8 |
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |