manage.py runserver 0:8000 with SSL [duplicate] - python

./manage.py runserver 0.0.0.0:8000
I am using the line above as part of the code I borrowed from github (https://github.com/ribeiroit/boh-puppet) to run bag of holding installation.
So far so good on http but not https. How do I modify the line above to incorporate https? I have already obtained ssl certificate from Comodo and updated my nginx conf.d file but the website won't display in https. Any ideas please shoot my way.
Thank you

While cezar's recommendation of django-extensions is valid to run a server with https, neither runserver nor runserver_plus should ever be used in a production setting.
Quoting Django's documentation:
DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that’s how it’s gonna stay. We’re in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)
Quoting django-extensions' documentation:
WARNING: This should never be used in any kind of production environment. Not even for a quick problem check. I cannot emphasize this enough. The interactive debugger allows you to evaluate python code right against the server. You’ve been warned.
Now yes, this warning from the django-extensions documentation is in reference to a single feature, the interactive console, which will theoretically not be exposed if DEBUG is set to False. But this is precisely how Patreon got hacked, and probably others as well. Why even risk it?
Instead, it would be far better to deploy your application using one of the officially recommended WSGI servers such as gunicorn or uWSGI.

For this purpose I use the third-party app django-extensions, which offers some nice additional functionalities.
One of those extras is RunServerPlus.
You can then start the server like this:
python manage.py runserver_plus --cert-file /path/to/your/certificate
and open https://localhost:8000 in your browser.
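
A defender's check for the risk both answers above describe, as an added example that is not part of the original posts: it scans process command lines for runserver or runserver_plus bound beyond loopback. The function names and the sample list are hypothetical; the `0` shortcut for `0.0.0.0` and the 127.0.0.1 default follow Django's documented runserver behaviour.

```python
import ipaddress
import re
import shlex

DEV_COMMANDS = {"runserver", "runserver_plus"}
# [addr:]port, the positional form the question passes (0.0.0.0:8000, 0:8000)
ADDRPORT = re.compile(r"(?:(?P<host>\[[0-9a-fA-F:]+\]|[^:\s]+):)?(?P<port>\d+)")


def bind_host(cmdline):
    """Return the bind host of a dev-server command line, or None if it is not one."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv):
        if tok in DEV_COMMANDS and any("manage.py" in a for a in argv[:i]):
            for arg in argv[i + 1:]:
                m = ADDRPORT.fullmatch(arg)
                if m and m.group("host"):  # a port-only argument keeps the default
                    host = m.group("host").strip("[]")
                    return "0.0.0.0" if host == "0" else host
            return "127.0.0.1"  # no address given: loopback default
    return None


def is_exposed(host):
    """True unless the host is provably loopback-only."""
    try:
        return host != "localhost" and not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # other hostnames: treat as reachable until checked


def audit(cmdlines):
    """Return (cmdline, host) for every dev server bound beyond loopback."""
    hits = [(line, bind_host(line)) for line in cmdlines]
    return [(line, h) for line, h in hits if h is not None and is_exposed(h)]


# Constructed sample, shaped like `ps -eo args` output; not taken from a real host.
SAMPLE = [
    "python manage.py runserver 0.0.0.0:8000",
    "sudo python manage.py runserver 0:80",
    "python manage.py runserver_plus --cert-file /tmp/dev.crt 0.0.0.0:8443",
    "python manage.py runserver 8000",
    "gunicorn --bind 127.0.0.1:8000 mysite.wsgi:application",
]

if __name__ == "__main__":
    for line, host in audit(SAMPLE):
        print(f"dev server exposed on {host}: {line}")
```

A TLS certificate passed to runserver_plus does not change the finding: the third sample line is still a development server listening on every interface.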

Related

Why not use "runserver" for production at Django?

Everywhere I see that uWSGI and Gunicorn are recommended for production mode by everyone. However, there is a lot more suffering to operate with it; python manage.py runserver is faster, simpler, and the logging is also more visible if something goes wrong. Still, why not recommend the "python manage.py runserver" command for live production?
The runserver management command is optimized for different things from a web-server. Here are some things it does that are great for local development but would add unnecessary overhead in a production environment (source):
The development server automatically reloads Python code for each request, as needed
When you start the server, and each time you change Python code while the server is running, the system check framework will check your entire Django project for some common errors
Serves static files if the staticfiles contrib app is enabled (in a manner the docs describe as "grossly inefficient and probably insecure")
Meanwhile, production web-servers are designed to handle massively parallel workloads and are also under much higher security standards as they are the entry-point for all port 80/443 traffic to the server

Should you deploy django with wsgi?

Do you need to deploy django with wsgi? I am running Django on a Docker instance and it seems like often the recommended solution is just to use Django's development server, i.e. the command python manage.py runserver. When exactly is a web server such as wsgi needed -- and in this instance, in a containerized application, is the django development server enough for production applications?
You answer your own question:
is the django development server enough for production applications ?
In the django documentation, you can read the following:
Now’s a good time to note: don’t use this server in anything resembling a production environment. It’s intended only for use while developing. (We’re in the business of making Web frameworks, not Web servers.)
And also this part:
DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that’s how it’s gonna stay. We’re in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)
So no. Don't use the Django development server in production. Security risks, poor performance, etc.
The development server is never recommended as an option for a production server. It has a number of security and performance issues.
The solution which is working well for us is Gunicorn behind an Nginx reverse proxy (so that multiple people can connect smoothly).
The method mentioned in this tutorial is a good beginner's guide to an Ubuntu setup with nginx and gunicorn. When bringing docker into the mix use this tutorial.
You can use Django Channels to deploy in production without using WSGI.
You can set things up in one of two ways; either route all traffic through a HTTP/WebSocket interface server, removing the need to run a WSGI server at all; or, just route WebSockets and long-poll HTTP connections to the interface server, and leave other pages served by a standard WSGI server.

What is the correct way to leave a Django server running on an EC2 instance?

I'm currently using screen and doing
sudo python manage.py runserver 0.0.0.0:80
Then closing the terminal. Seems like a bit of a hack. What is the correct way to do it?
runserver is a development server. You shouldn't use it in production, as explained at https://docs.djangoproject.com/en/1.4/ref/django-admin/#runserver-port-or-address-port where it says:
DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that's how it's gonna stay. We're in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)
You should use one of the methods given in https://docs.djangoproject.com/en/1.4/howto/deployment/ for deploying a Django project in production. I have used mod_wsgi with Apache, gunicorn with nginx - the precise solution is up to you and the requirements of your project, but the deployment section of the Django manual goes through various options.
This really isn't a good idea; the built in development server shouldn't be used outside of your local development machine. Look at the docs:
DO NOT USE THIS SERVER IN A PRODUCTION SETTING. It has not gone through security audits or performance tests. (And that's how it's gonna stay. We're in the business of making Web frameworks, not Web servers, so improving this server to be able to handle a production environment is outside the scope of Django.)
Instead you should set up nginx+gunicorn/uwsgi or just apache+mod_wsgi.
If your EC2 instance is totally blocked from all possible communication from the outside world (which is unlikely) you can use the screen command

How do I initialise my Satchmo website?

As an experienced PHP programmer I tend to avoid things like Python. However we all must play with the cards we have been dealt with and I now have to work with a Satchmo website.
I have very little python, django and satchmo so I need some help. I'm ok with setting up a development server but I cannot get my website to work on a production server.
I've seen the use of "python manage.py runserver"; this solution is even on Stack Overflow. However, when I see this solution there is usually someone saying "I hope you're not using that on production", so I assume this is a very incorrect way to do it. To my frustration, the people that seem to know that this command line is insecure also have no desire to share with the rest of us just how exactly one initiates their Satchmo production server.
Many thanks.
To deploy a Django website on a production server, you have to serve it either with Apache+mod_wsgi, nginx+gunicorn, nginx+uwsgi, or any other server supporting WSGI. The Django documentation has a page on deploying Django on Apache with mod_wsgi; for the other solutions, there is plenty of useful documentation around the web.
runserver is just for development/testing. It won't handle high load, security, etc.
Python.org has docs on how to set up a proper webserver to serve Python code:
http://docs.python.org/howto/webservers.html
Satchmo seems like a django derivative. Setting up django on production is quite easy: if your deployment environment is linux with apache, then use mod_wsgi, which is well documented here; if it's windows, then you can use the pyisapie module and follow the documentation here.
Hope that helps
