View Issue Details

ID: 0006224
Project: Taler
Category: deployment and operations
View Status: public
Last Update: 2021-08-24 16:23
Reporter: buckE
Assigned To: buckE
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 0.8
Fixed in Version: 0.7.1
Summary: 0006224: Consider Production Deployment of Weblate

Description:

Problem:

Running Weblate with the built-in webserver requires running in Debug mode, which is not recommended. Details are here:
https://docs.djangoproject.com/en/3.0/ref/settings/#std:setting-DEBUG

Options:

The alternatives are

1 - Run Debug = False with no other modifications, which will cause CSS styles to fail

2 - Perform undocumented customizations on the built-in webserver or

3 - Deploy weblate in production environment as described here: https://docs.weblate.org/en/latest/admin/install.html#running-web-server

(Note: this is probably why port 8000 was not customizable)
Tags: No tags attached.
Attached Files
weblate.site (2,152 bytes)
```
server {
  listen 80;
  listen [::]:80; ## listen for ipv6

  root /dev/null;
  server_name weblate.taler.net;

  include conf.d/acme-challenge.conf;

  location / {
    rewrite ^ https://$host$request_uri? permanent;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl; ## listen for ipv6
  # listen [::]:80 default_server ipv6only=on; ## listen for ipv6

  root /home/weblate/;

  # Host name this server block answers for
  server_name weblate.taler.net;

  ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem;

  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); of the three, only TLSv1.2 is current
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options "nosniff";
  add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;";
  add_header Referrer-Policy "same-origin";

  include conf.d/acme-challenge.conf;

  location ~ ^/favicon.ico$ {
    # DATA_DIR/static/favicon.ico
    alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/favicon.ico;
    expires 30d;
  }

  location /static/ {
    # DATA_DIR/static/
    alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/static/;
    expires 30d;
  }

  location /media/ {
    # DATA_DIR/media/
    alias /home/weblate/weblate-env/lib/python3.8/site-packages/weblate/media/;
    expires 30d;
  }

  location / {
    include conf.d/uwsgi_params;
    # Needed for long running operations in admin interface
    uwsgi_read_timeout 3600;
    # Adjust to match the uwsgi configuration:
    uwsgi_pass unix:///home/weblate/uwsgi.sock;
    # uwsgi_pass 127.0.0.1:8080;
  }

  include conf.d/favicon_robots.conf;
}
```

Activities

Christian Grothoff

2020-04-28 16:50

manager   ~0015796

Last edited: 2020-04-28 16:50

Sounds to me like I should just do (3) using

```
server {
    listen 80;
    server_name weblate;
    root /usr/share/weblate;

    location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /var/lib/weblate/static/favicon.ico;
        expires 30d;
    }

    location /static/ {
        # DATA_DIR/static/
        alias /var/lib/weblate/static/;
        expires 30d;
    }

    location /media/ {
        # DATA_DIR/media/
        alias /var/lib/weblate/media/;
        expires 30d;
    }

    location / {
        include uwsgi_params;
        # Needed for long running operations in admin interface
        uwsgi_read_timeout 3600;
        # Adjust to match the uwsgi configuration:
        uwsgi_pass unix:///run/uwsgi/app/weblate/socket;
        # uwsgi_pass 127.0.0.1:8080;
    }
}
```

for the nginx configuration, using /home/weblate and /home/weblatetest for DATADIR respectively. Please confirm if you agree that this is what I should do.

buckE

2020-04-29 10:02

reporter   ~0015799

I confirm. Let's see if we're right.

I have disabled the weblate systemd service that starts weblate (i.e., the site is now down).

I set DEBUG = False. So when you restart nginx, if the weblate.taler.net site comes up and is not obviously style-less, this worked.

If we are running weblate this way, do you still want celery to run under weblate user? I am not sure if it matters, and maybe we try it how it is first? Anyway these are instructions if you prefer: https://docs.weblate.org/en/latest/admin/install.html#running-celery-as-system-service

Christian Grothoff

2020-04-29 13:28

manager   ~0015807

We still need to run uwsgi:
```
$ uwsgi --home=/home/weblate/weblate-env --module weblate.wsgi:application -s /home/weblate/uwsgi.sock
```
(please set up a systemd user service for that).
Also, we need to make sure uwsgi.sock is group-accessible (660) as otherwise nginx can't read the socket. There is likely some other option needed to set the permissions (=> please investigate and update the systemd service file accordingly).

Finally, the static resources of django need to be generated, otherwise the site won't work. See:
https://docs.djangoproject.com/en/3.0/ref/contrib/staticfiles/#django-admin-collectstatic
Note that this command won't work until you've configured django-admin for weblate. Messy, I know.

I'm attaching the nginx config we are using.

buckE

2020-04-30 07:44

reporter   ~0015808

First:
I missed your mention of '/home/weblatetest' above. weblatetest has nothing to do with setting up weblate. weblatetest has nothing to do with this ticket. (That is a test project under weblate, not related to testing the installation of weblate.)

uwsgi:
  - user-level systemd running with --chmod-socket=66-
  - Result:
    - uwsgi running
    - srw-rw---- 1 weblate weblate 0 Apr 30 07:06 uwsgi.sock

The file is in /home/weblate/uwsgi.sock (Will the socket still be found by nginx at uwsgi_pass unix:///run/uwsgi/app/weblate/socket ?)

Because we're staying with user-level config, I will send updates to the nginx config soon.
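
The socket requirement from the two notes above (mode 660 so that nginx can reach `/home/weblate/uwsgi.sock`), written as a check; this is an added example, not part of the original thread. It assumes GNU `stat` and an nginx account named `www-data` (the thread does not name it), and it goes one step beyond the thread by also checking that the parent directories are searchable, since a socket under a home directory is unreachable when the directory itself is closed.

```shell
#!/bin/sh
# Added example, not from the tracker thread. Assumes GNU stat (Linux).

# mode_verdict MODE: classify an octal mode for the uwsgi socket.
#   ok         owner and group have rw, others have nothing (e.g. 660)
#   too-open   any permission bit is set for "others" (e.g. 666)
#   too-closed owner or group lacks rw (the thread asks for 660)
mode_verdict() {
    m=$(( 0$1 ))
    if [ $(( m & 0007 )) -ne 0 ]; then echo too-open
    elif [ $(( m & 0660 )) -ne $(( 0660 )) ]; then echo too-closed
    else echo ok
    fi
}

# unsearchable_parents PATH: print each parent directory on which neither
# group nor others hold the search (x) bit; connect() needs it on every one.
unsearchable_parents() {
    dir=$(dirname "$1")
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        dmode=$(stat -c %a "$dir")
        if [ $(( 0$dmode & 0011 )) -eq 0 ]; then echo "$dir"; fi
        dir=$(dirname "$dir")
    done
}

# audit_socket PATH WEBUSER: 0 = usable by WEBUSER and closed to others,
# 1 = finding, 2 = PATH is not a unix socket.
audit_socket() {
    sock=$1; webuser=$2
    [ -S "$sock" ] || { echo "$sock: not a unix socket"; return 2; }
    mode=$(stat -c %a "$sock"); group=$(stat -c %G "$sock")
    verdict=$(mode_verdict "$mode")
    echo "$sock: mode $mode ($verdict), group $group"
    [ "$verdict" = ok ] || return 1
    id -nG "$webuser" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group" || {
        echo "$webuser is not in group $group"; return 1; }
    blocked=$(unsearchable_parents "$sock")
    [ -z "$blocked" ] || { echo "not searchable: $blocked"; return 1; }
    return 0
}

# Usage (www-data is an assumed nginx account; the thread does not name it):
#   audit_socket /home/weblate/uwsgi.sock www-data
if [ "$#" -eq 2 ]; then audit_socket "$1" "$2"; fi
```

The parent-directory test is a coarse mode-bit check; it does not resolve which group owns each directory.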

buckE

2020-04-30 08:19

reporter   ~0015809

Please use the attached file's settings instead. diff is probably easiest but:

```
server {
  listen 443 ssl;
  listen [::]:443 ssl; ## listen for ipv6
  # listen [::]:80 default_server ipv6only=on; ## listen for ipv6

  root /home/weblate/webroot;
.
.
.
location ~ ^/favicon.ico$ {
        # DATA_DIR/static/favicon.ico
        alias /home/weblate/DATA_DIR/static/favicon.ico;
        expires 30d;
    }

    location /static/ {
        # DATA_DIR/static/
        alias /home/weblate/DATA_DIR/static/;
        expires 30d;
    }

    location /media/ {
        # DATA_DIR/media/
        alias /home/weblate/DATA_DIR/media/;
        expires 30d;
    }
```
weblate.site-30.04.20 (2,042 bytes)
```
server {
  listen 80;
  listen [::]:80; ## listen for ipv6

  root /dev/null;
  server_name weblate.taler.net;

  include conf.d/acme-challenge.conf;

  location / {
    rewrite ^ https://$host$request_uri? permanent;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl; ## listen for ipv6
  # listen [::]:80 default_server ipv6only=on; ## listen for ipv6

  root /home/weblate/webroot;

  # Host name this server block answers for
  server_name weblate.taler.net;

  ssl_certificate /etc/letsencrypt/live/weblate.taler.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/weblate.taler.net/privkey.pem;

  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); of the three, only TLSv1.2 is current
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options "nosniff";
  add_header Content-Security-Policy "default-src 'self' https://weblate.taler.net/;";
  add_header Referrer-Policy "same-origin";

  include conf.d/acme-challenge.conf;

  location ~ ^/favicon.ico$ {
    # DATA_DIR/static/favicon.ico
    alias /home/weblate/DATA_DIR/static/favicon.ico;
    expires 30d;
  }

  location /static/ {
    # DATA_DIR/static/
    alias /home/weblate/DATA_DIR/static/;
    expires 30d;
  }

  location /media/ {
    # DATA_DIR/media/
    alias /home/weblate/DATA_DIR/media/;
    expires 30d;
  }

  location / {
    include conf.d/uwsgi_params;
    # Needed for long running operations in admin interface
    uwsgi_read_timeout 3600;
    # Adjust to match the uwsgi configuration:
    uwsgi_pass unix:///home/weblate/uwsgi.sock;
    # uwsgi_pass 127.0.0.1:8080;
  }

  include conf.d/favicon_robots.conf;
}
```

buckE

2020-04-30 09:35

reporter   ~0015813

PS I think django-admin is already configured and running `weblate configurestatic --noinput` creates the static files. But we'll see when the new settings are implemented.

Christian Grothoff

2020-04-30 11:37

manager   ~0015817

New settings implemented, site works (at least static resources load nicely!).

Issue History

Date Modified Username Field Change
2020-04-28 11:25 buckE New Issue
2020-04-28 11:25 buckE Status new => assigned
2020-04-28 11:25 buckE Assigned To => Christian Grothoff
2020-04-28 16:50 Christian Grothoff Note Added: 0015796
2020-04-28 16:50 Christian Grothoff Note Edited: 0015796
2020-04-29 10:02 buckE Note Added: 0015799
2020-04-29 13:28 Christian Grothoff Note Added: 0015807
2020-04-29 13:30 Christian Grothoff File Added: weblate.site
2020-04-29 17:05 Christian Grothoff Assigned To Christian Grothoff => buckE
2020-04-30 07:44 buckE Note Added: 0015808
2020-04-30 08:19 buckE File Added: weblate.site-30.04.20
2020-04-30 08:19 buckE Note Added: 0015809
2020-04-30 09:35 buckE Note Added: 0015813
2020-04-30 11:37 Christian Grothoff Status assigned => resolved
2020-04-30 11:37 Christian Grothoff Resolution open => fixed
2020-04-30 11:37 Christian Grothoff Fixed in Version => 0.7.1
2020-04-30 11:37 Christian Grothoff Note Added: 0015817
2020-07-24 11:56 Christian Grothoff Target Version => 0.8
2021-08-24 16:23 Christian Grothoff Status resolved => closed