0006224: Consider Production Deployment of Weblate - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0006224	Taler	deployment and operations	public	2020-04-28 11:25	2021-08-24 16:23

Reporter	buckE	Assigned To	buckE
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Target Version	0.8	Fixed in Version	0.7.1

Summary	0006224: Consider Production Deployment of Weblate
Description	Problem: Running weblate with built-in webserver requires running in Debug mode, which is not recommended. Details are here: https://docs.djangoproject.com/en/3.0/ref/settings/#std:setting-DEBUG Options: The alternatives are 1 - Run Debug = False with no other modifications, which will cause CSS styles to fail 2 - Perform undocumented customizations on the built-in webserver or 3 - Deploy weblate in production environment as described here: https://docs.weblate.org/en/latest/admin/install.html#running-web-server (Note: this is probably why port 8000 was not customizable)
Tags	No tags attached.
Attached Files	weblate.site (2,152 bytes) server { listen 80; listen [::]:80; ## listen for ipv4; this line is default and implied root /dev/null; server_name weblate.taler.net; include conf.d/acme-challenge.conf; location / { rewrite ^ https://$host$request_uri? permanent; } } server { listen 443 ssl; listen [::]:443 ssl; ## listen for ipv4; this line is default and implied # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 root /home/weblate/; # Make site accessible from http://localhost/ server_name weblate.taler.net; ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;"; add_header Referrer-Policy "same-origin"; include conf.d/acme-challenge.conf; location ~ ^/favicon.ico$ { # DATA_DIR/static/favicon.ico alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/favicon.ico; expires 30d; } location /static/ { # DATA_DIR/static/ alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/; expires 30d; } location /media/ { # DATA_DIR/media/ alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/media/; expires 30d; } location / { include conf.d/uwsgi_params; # Needed for long running operations in admin interface uwsgi_read_timeout 3600; # Adjust based to uwsgi configuration: uwsgi_pass unix:///home/weblate/uwsgi.sock; # uwsgi_pass 127.0.0.1:8080; } include conf.d/favicon_robots.conf; } weblate.site (2,152 bytes)

Christian Grothoff 2020-04-28 16:50 manager ~0015796 Last edited: 2020-04-28 16:50	Sounds to me like I should just do (3) using listen 80; server_name weblate; root /usr/share/weblate; location ~ ^/favicon.ico$ { # DATA_DIR/static/favicon.ico alias /var/lib/weblate/static/favicon.ico; expires 30d; } location /static/ { # DATA_DIR/static/ alias /var/lib/weblate/static/; expires 30d; } location /media/ { # DATA_DIR/media/ alias /var/lib/weblate/media/; expires 30d; } location / { include uwsgi_params; # Needed for long running operations in admin interface uwsgi_read_timeout 3600; # Adjust based to uwsgi configuration: uwsgi_pass unix:///run/uwsgi/app/weblate/socket; # uwsgi_pass 127.0.0.1:8080; } } for the nginx configuration, using /home/weblate and /home/weblatetest for DATADIR respectively. Please confirm if you agree that this is what I should do.

buckE 2020-04-29 10:02 reporter ~0015799	I confirm. Let's see if we're right. I have disabled the weblate systemd service that starts weblate (ie - the site is now down) I set DEBUG = False. So when you restart nginx, if weblate.taler.net site comes up and is not obviously style-less, this worked. If we are running weblate this way, do you still want celery to run under weblate user? I am not sure if it matters, and maybe we try it how it is first? Anyway these are instructions if you prefer: https://docs.weblate.org/en/latest/admin/install.html#running-celery-as-system-service

Christian Grothoff 2020-04-29 13:28 manager ~0015807	We still need to run uwsgi: $ uwsgi --home=/home/weblate/weblate-env --module weblate.wsgi:application -s /home/weblate/uwsgi.sock (please setup a systemd user service for that). Also, we need to make sure uwsgi.sock is group-accessible (660) as otherwise nginx can't read the socket. There is likely some other option needed to set the permissions (=> please investigate and update the systemd service file accordingly). Finally, the static resources of django need to be generated, otherwise the site won't work. See: https://docs.djangoproject.com/en/3.0/ref/contrib/staticfiles/#django-admin-collectstatic Note that this command won't work until you've configured django-admin for weblate. Messy, I know. I'm attaching the nginx config we are using.

buckE 2020-04-30 07:44 reporter ~0015808	First: I missed your mention of '/home/weblatetest' above. weblatetest has nothing to do with setting up weblate. weblatetest has nothing to do with this ticket. (That is a test project under weblate, not related to testing the installation of weblate.) uwsgi: - user-level systemd running with --chmod-socket=66- - Result: - uwsgi running - srw-rw---- 1 weblate weblate 0 Apr 30 07:06 uwsgi.sock The file is in /home/weblate/uswgi.sock (Will the socket still be found by nginx at uwsgi_pass unix:///run/uwsgi/app/weblate/socket ?) Because we're staying with user-level config, I will send updates to the nginx config soon.

buckE 2020-04-30 08:19 reporter ~0015809	Please use the attached file's settings instead. diff is probably easiest but: ``` server { listen 443 ssl; listen [::]:443 ssl; ## listen for ipv4; this line is default and implied # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 root /home/weblate/webroot; . . . location ~ ^/favicon.ico$ { # DATA_DIR/static/favicon.ico alias /home/weblate/DATA_DIR/static/favicon.ico; expires 30d; } location /static/ { # DATA_DIR/static/ alias /home/weblate/DATA_DIR/static/; expires 30d; } location /media/ { # DATA_DIR/media/ alias /home/weblate/DATA_DIR/media/; expires 30d; } ``` weblate.site-30.04.20 (2,042 bytes) server { listen 80; listen [::]:80; ## listen for ipv4; this line is default and implied root /dev/null; server_name weblate.taler.net; include conf.d/acme-challenge.conf; location / { rewrite ^ https://$host$request_uri? permanent; } } server { listen 443 ssl; listen [::]:443 ssl; ## listen for ipv4; this line is default and implied # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 root /home/weblate/webroot; # Make site accessible from http://localhost/ server_name weblate.taler.net; ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;"; add_header Referrer-Policy "same-origin"; include conf.d/acme-challenge.conf; location ~ ^/favicon.ico$ { # DATA_DIR/static/favicon.ico alias /home/weblate/DATA_DIR/static/favicon.ico; expires 30d; } location /static/ { # DATA_DIR/static/ alias /home/weblate/DATA_DIR/static/; expires 30d; } location /media/ { # DATA_DIR/media/ alias /home/weblate/DATA_DIR/media/; expires 30d; } location / { include conf.d/uwsgi_params; # Needed for long running operations in admin interface uwsgi_read_timeout 3600; # Adjust based to uwsgi configuration: uwsgi_pass unix:///home/weblate/uwsgi.sock; # uwsgi_pass 127.0.0.1:8080; } include conf.d/favicon_robots.conf; } weblate.site-30.04.20 (2,042 bytes)

buckE 2020-04-30 09:35 reporter ~0015813	PS I think django-admin is already configured and running `weblate configurestatic --noinput` creates the static files. But we'll see when the new settings are implemented.

Christian Grothoff 2020-04-30 11:37 manager ~0015817	New settings implemented, site works (at least static resources load nicely!).

Date Modified	Username	Field	Change
2020-04-28 11:25	buckE	New Issue
2020-04-28 11:25	buckE	Status	new => assigned
2020-04-28 11:25	buckE	Assigned To	=> Christian Grothoff
2020-04-28 16:50	Christian Grothoff	Note Added: 0015796
2020-04-28 16:50	Christian Grothoff	Note Edited: 0015796
2020-04-29 10:02	buckE	Note Added: 0015799
2020-04-29 13:28	Christian Grothoff	Note Added: 0015807
2020-04-29 13:30	Christian Grothoff	File Added: weblate.site
2020-04-29 17:05	Christian Grothoff	Assigned To	Christian Grothoff => buckE
2020-04-30 07:44	buckE	Note Added: 0015808
2020-04-30 08:19	buckE	File Added: weblate.site-30.04.20
2020-04-30 08:19	buckE	Note Added: 0015809
2020-04-30 09:35	buckE	Note Added: 0015813
2020-04-30 11:37	Christian Grothoff	Status	assigned => resolved
2020-04-30 11:37	Christian Grothoff	Resolution	open => fixed
2020-04-30 11:37	Christian Grothoff	Fixed in Version	=> 0.7.1
2020-04-30 11:37	Christian Grothoff	Note Added: 0015817
2020-07-24 11:56	Christian Grothoff	Target Version	=> 0.8
2021-08-24 16:23	Christian Grothoff	Status	resolved => closed