Prepping Your Project for Production

Django makes it easy to run a project locally in development, where you are the only user and manage.py runserver “just works”. When you start thinking about moving that project to production and running it on the internet, it’s a bit more difficult. You’ll need to consider the following:

* How should I host my site (PaaS, FaaS, unmanaged hosting)?
* Should I be using Docker and/or Kubernetes?
* How do I serve my static/media assets?
* How should I handle my settings?
* Which database should I use and what are the performance considerations?
* How should I handle other supporting services (email, search, cache, etc.)?
* Which web server should I use and how should I configure it?
* How do I serve my site via HTTPS?
* How do I protect my site from evil bots and blackhat hackers?

Unfortunately, the answers to these questions aren’t one-size-fits-all. In this talk, I’ll discuss the pros and cons of common approaches and recommend the best option for different scenarios. I’ll also call out various security and performance considerations along the way.


Peter Baumgartner

September 23, 2019

Transcript

  3. IT’S DANGEROUS TO GO ALONE! TAKE THIS.
  4. PHILOSOPHY: Keep things as simple as possible while maintaining: Performance, Observability, Stability, Security
  5. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  6. HOSTING
  7. PLATFORM AS A SERVICE (PAAS): Heroku, PythonAnywhere, Platform.sh, Google App Engine, Google Cloud Run
  8. PLATFORM AS A SERVICE (PAAS). Pros: Managed, Monitored, Secured, Supported, Backing services may be included. Cons: Performance, Less flexibility, Cost*
  9. FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS): AWS Lambda (with Zappa), Google Cloud Functions, Azure Functions, ZEIT
  10. FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS). Pros: Managed, Monitored, Secured, Less expensive*. Cons: New = rough edges, Performance and cold starts, Management commands
  11. KUBERNETES (MANAGED): Google Kubernetes Engine (GKE), DigitalOcean Kubernetes, Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS)
  13. KUBERNETES (MANAGED). Pros: Managed, Monitored, Secured. Cons: Requires k8s knowledge, Probably overkill
  14. UNMANAGED/SELF-HOST. Pros: Flexible, Cost*. Cons: Security, Monitoring, Management, Documentation/training, TLS Certificates
  15. HOSTING (CONT): BACKING SERVICES AND APPLICATION STATE
  16. USE MANAGED SERVICES
  17. MANAGED SERVICES: Database (Amazon RDS, Cloud SQL, Heroku Postgres, etc.), Object Storage (Amazon S3, Google Cloud Storage, etc.), SMTP (Amazon SES, Sendgrid, Mailgun, etc.), Elasticsearch, Redis
  18. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  19. CONFIGURATION
  20. 12 FACTOR: Deployment, Application, Config
  21. CONFIGURATION: Environment Variables, Configuration File, Django settings (prod.py, staging.py, etc.)
  22. CONFIGURATION: Environment Variables, Configuration File, Django settings (prod.py, staging.py, etc.)
  23. SECRETS (API KEYS, SECRET_KEY, SERVICE CREDENTIALS, ETC.): Never in your code repository (unencrypted)
  24. CONFIGURATION: PaaS configuration, Amazon SSM and Chamber, Kubernetes Secrets, Encrypted in configuration management, Hashicorp Vault
  25. GOODCONF
  26. GOODCONF: Configuration via file or environment variables, Type casting for environment variables, Auto-generate documentation, Auto-generate commented sample configs
  29. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  30. WEB SERVER
  31. WEB SERVER
  32. GUNICORN
  33. UWSGI
  34. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  35. SERVING ASSETS
  36. WHITENOISE: pip install whitenoise
  37. UWSGI
  38. NODE.JS: Source files in version control, Webpack/Parcel to generate static files during build, Add build destination to STATICFILES_DIRS, django-webpack-loader if bundle-splitting
  39. MEDIA: Use django-storages with your preferred backend (Amazon, Google, Azure, etc.). Be careful of public vs. private: AWS_DEFAULT_ACL, AWS_QUERYSTRING_AUTH, AWS_QUERYSTRING_EXPIRE
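The "public vs. private" point on the MEDIA slide, as an added example that is not part of the talk: the risky django-storages S3 configuration for user uploads beside the hardened one, plus a small audit helper that flags the risky combination. The AWS_* names are real django-storages settings; the bucket name and the MAX_SIGNED_URL_LIFETIME policy value are constructed placeholders.

```python
# Risky: every upload gets a world-readable ACL and is served by a plain,
# unsigned URL, so anyone who learns an object key can fetch a user's file.
MEDIA_PUBLIC = {
    "DEFAULT_FILE_STORAGE": "storages.backends.s3boto3.S3Boto3Storage",
    "AWS_STORAGE_BUCKET_NAME": "example-media-bucket",  # constructed placeholder
    "AWS_DEFAULT_ACL": "public-read",
    "AWS_QUERYSTRING_AUTH": False,
}

# Hardened: no per-object ACL (objects stay as private as the bucket) and every
# URL Django hands out is a short-lived signed URL.
MEDIA_PRIVATE = {
    "DEFAULT_FILE_STORAGE": "storages.backends.s3boto3.S3Boto3Storage",
    "AWS_STORAGE_BUCKET_NAME": "example-media-bucket",  # constructed placeholder
    "AWS_DEFAULT_ACL": None,          # django-storages: don't set an object ACL
    "AWS_QUERYSTRING_AUTH": True,     # sign generated URLs
    "AWS_QUERYSTRING_EXPIRE": 600,    # seconds; django-storages' default is 3600
    "AWS_S3_FILE_OVERWRITE": False,   # a re-upload never silently replaces a file
}

# Hypothetical policy limit for this audit; pick what fits your site.
MAX_SIGNED_URL_LIFETIME = 3600


def audit_media_settings(settings: dict) -> list:
    """Return findings for settings that expose user media; empty means OK.

    Defaults mirror django-storages (signed URLs on, 3600 s expiry) so a
    setting that is simply absent is not reported.
    """
    findings = []
    if settings.get("AWS_DEFAULT_ACL") == "public-read":
        findings.append("AWS_DEFAULT_ACL=public-read makes every uploaded object world-readable")
    if not settings.get("AWS_QUERYSTRING_AUTH", True):
        findings.append("AWS_QUERYSTRING_AUTH=False serves media through unsigned URLs")
    expire = settings.get("AWS_QUERYSTRING_EXPIRE", 3600)
    if expire > MAX_SIGNED_URL_LIFETIME:
        findings.append(f"AWS_QUERYSTRING_EXPIRE={expire}s exceeds {MAX_SIGNED_URL_LIFETIME}s")
    return findings
```

Run the audit over each settings module you deploy; static assets served by Whitenoise or a CDN are meant to be public, so apply it to the media storage settings only.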
  40. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  41. GO LIVE!
  42. PERFORMANCE
  43. USE AN APM: Third-party: NewRelic, Scout, Datadog. Provider: AWS X-Ray, Google Stackdriver Trace. Self-hosted: Elastic
  44. DATABASE: Don't be surprised if your laptop performs better: Network latency, Size of dataset
  45. DATABASE: Use Postgres (unless you have a good reason not to). CONN_MAX_AGE. Reduce queries: select_related, prefetch_related. Indexes: db_index, index_together
  46. TEMPLATE FRAGMENT CACHING
  47. TEMPLATE FRAGMENT CACHING
  48. CDN
  49. CDN: Third Party: Cloudflare, Fastly. Provider: Amazon Cloudfront, Google Cloud CDN
  50. CDN: Cache static files forever (far-future expires). Cache Django responses if possible
  51. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  52. SECURITY
  53. CODE: Monitor dependencies for vulnerabilities (GitHub Security Alerts). Use a lockfile (pipenv, poetry, pip-compile). Consider an external audit
  54. ENVIRONMENT: DEBUG = False ... ALWAYS! manage.py check --deploy. https://observatory.mozilla.org
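The configuration slides (secrets never in the repository, environment variables with type casting) and the ENVIRONMENT slide (DEBUG = False, manage.py check --deploy) together, as an added example that is neither the talk's nor goodconf's code: a plain-Python settings loader that reads secrets from the environment with explicit casting and a pre-deploy check that mirrors a subset of what check --deploy reports. The variable names and defaults are this example's own choices.

```python
from typing import Mapping

class ImproperlyConfigured(Exception):
    """Raised for a missing or malformed setting (same name Django uses)."""

def env_bool(value: str) -> bool:
    # Only explicit truthy spellings count; anything else (including "") is False.
    return value.strip().lower() in {"1", "true", "yes", "on"}

def env_list(value: str) -> list:
    # Comma-separated value -> list of non-empty, stripped items.
    return [item.strip() for item in value.split(",") if item.strip()]

def load_settings(environ: Mapping[str, str]) -> dict:
    """Build production settings from environment variables, 12-factor style.

    Secrets come from the environment, never the repository, and DEBUG defaults
    to False so a missing variable can never switch debug mode on.
    """
    if "SECRET_KEY" not in environ:
        raise ImproperlyConfigured("SECRET_KEY must be set in the environment")
    return {
        "SECRET_KEY": environ["SECRET_KEY"],
        "DEBUG": env_bool(environ.get("DEBUG", "false")),
        "ALLOWED_HOSTS": env_list(environ.get("ALLOWED_HOSTS", "")),
        "DATABASE_URL": environ.get("DATABASE_URL", ""),
        "CONN_MAX_AGE": int(environ.get("CONN_MAX_AGE", "60")),
        "SECURE_SSL_REDIRECT": env_bool(environ.get("SECURE_SSL_REDIRECT", "true")),
        "SESSION_COOKIE_SECURE": env_bool(environ.get("SESSION_COOKIE_SECURE", "true")),
        "CSRF_COOKIE_SECURE": env_bool(environ.get("CSRF_COOKIE_SECURE", "true")),
    }

def deploy_check(settings: dict) -> list:
    """Return problems found; an empty list means the settings look deployable.

    The SECRET_KEY thresholds (>= 50 chars, >= 5 distinct chars, no
    'django-insecure-' prefix) are the ones Django's security.W009 check uses.
    """
    problems = []
    key = settings["SECRET_KEY"]
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        problems.append("SECRET_KEY is short, repetitive, or the generated insecure default")
    if settings["DEBUG"]:
        problems.append("DEBUG must be False in production")
    if not settings["ALLOWED_HOSTS"]:
        problems.append("ALLOWED_HOSTS must list the site's hostnames")
    for name in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings[name]:
            problems.append(f"{name} should be True when serving over HTTPS")
    return problems
```

In a real project, wire load_settings(os.environ) into settings/prod.py and keep running manage.py check --deploy as well, since it covers more settings than this helper.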

  55. AUTHENTICATION (ESPECIALLY THE ADMIN): MFA (django-two-factor-auth), External provider (G Suite, AWS Cognito, etc.), Rate limiting (Cloudflare, Nginx, AWS WAF, Django), Firewall/VPN
  56. ADDITIONAL ATTACK VECTORS: SSH, Platform web console (use MFA!), Domain registrar, Email, Backing services APIs
  57. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  58. OBSERVABILITY
  59. ERROR REPORTING: Emails don't scale. Use Sentry or Rollbar
  60. LOGGING: Third-party: Datadog, LogDNA, Splunk, Sumo Logic. Provider: AWS Cloudwatch, Google Stackdriver. Self-hosted: ELK, Graylog
  61. MONITORING & ALERTING: Third-party: Internal: Datadog; External: Pingdom, StatusCake, Datadog. Alerts: PagerDuty, OpsGenie, Slack. Provider: Cloudwatch, Stackdriver. Self-hosted: Prometheus, Grafana
  62. OVERVIEW: Hosting, Configuration, Web Server, Assets (static and media). Additional Considerations: Performance, Security, Observability
  63. IT’S DANGEROUS TO GO ALONE! TAKE THIS. GAME OVER
  64. PETER BAUMGARTNER, PETE@LINCOLNLOOP.COM. SAVE. SLIDE DESIGN BY YUPGUP