Securing Django + Nginx With TLS
Feb. 8, 2020, 5:25 p.m. by Avery Uslaner
We first need to install certbot from Let's Encrypt since that will do most of the hard work for us.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx
Now that certbot is installed, we can grab a certificate. We'll have daphne consume it so we don't need certbot to mess with our nginx file.
sudo certbot certonly --nginx
The tool will prompt you for an email address and ask you to agree to a few things before it saves the certificate.
At this point, I need to update my supervisord config file so Daphne can actually make use of it. That config should look something like this:
[fcgi-program:asgi]
# Set Django environment variables
environment=DJANGO_SETTINGS_MODULE="photo_blog.settings.production",AVE_SECRET_KEY="8923hi3ioe892hufe8943sdfhufsehfwe92"

# TCP socket used by Nginx backend upstream
socket=tcp://localhost:8000

# Directory where your site's project files are located
directory=/home/myusername/averyuslaner.com

# Each process needs to have a separate socket file, so we use process_num
# Make sure to update "mysite.asgi" to match your project name
command=/home/myusername/venv/bin/daphne -e ssl:443:privateKey=/etc/letsencrypt/live/averyuslaner.com/privkey.pem:certKey=/etc/letsencrypt/live/averyuslaner.com/fullchain.pem -u /run/daphne/daphne%(process_num)d.sock --fd 0 --access-log - --proxy-headers mysite.asgi:application

# Number of processes to startup, roughly the number of CPUs you have
numprocs=1

# Give each process a unique name so they can be told apart
process_name=asgi%(process_num)d

# Automatically start and recover processes
autostart=true
autorestart=true

# Choose where you want your log to go
stdout_logfile=/var/log/asgi.log
redirect_stderr=true
Daphne can't handle TLS unless you have the correct packages installed for Twisted. To meet those requirements, we'll pip install them:
pip install Twisted[tls,http2]
Then we need to update supervisord:
sudo supervisorctl reread
sudo supervisorctl update
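Two things bite people with this setup: supervisor will happily start a daphne whose key and certificate don't belong together, and daphne only reads the PEM files at start-up, so a renewed certificate sits unused on disk until the process is restarted. The script below is an added example, not part of the original post or of daphne/certbot: it checks the key/cert pair and the remaining validity before you run `supervisorctl update`, and writes a certbot deploy hook that restarts the `asgi` supervisor group after each renewal. It assumes `openssl` is installed, that the group is named `asgi` as in the config above, and that the hook will be copied by hand into `/etc/letsencrypt/renewal-hooks/deploy/` (the directory certbot scans after a successful renewal). The key and certificate it runs against are a constructed self-signed pair so the script works offline; point `preflight` at the real `privkey.pem` and `fullchain.pem` on the server.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# key/cert pair that daphne loads, plus a certbot deploy hook that restarts
# the supervisor group after renewal. Assumes openssl is on PATH and that
# the supervisor group is named "asgi" as in the config above.

# Return 0 if the private key in $1 belongs to the certificate in $2.
# Both are reduced to their SubjectPublicKeyInfo PEM and compared; a
# mismatch here is what makes daphne fail to bring up the ssl endpoint.
check_keypair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run both checks on the paths daphne is configured with and print a verdict.
preflight() {
    check_keypair "$1" "$2" || { echo "key/cert mismatch: $1 $2"; return 1; }
    cert_valid_for_days "$2" "$3" || { echo "cert $2 expires within $3 days"; return 1; }
    echo "ok: $2 matches $1 and is valid for $3+ days"
}

# Write the deploy hook certbot runs after a successful renewal. daphne reads
# the PEM files only at start-up, so without this restart the old certificate
# stays in memory until the process happens to be restarted for another reason.
write_deploy_hook() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Copy to /etc/letsencrypt/renewal-hooks/deploy/ (assumed install path);
# certbot runs it after renewing. "asgi" is the supervisor group name.
supervisorctl restart asgi:*
EOF
    chmod 0755 "$1"
}

# --- Constructed sample material so the script runs offline ------------------
WORK=$(mktemp -d)
GOOD_KEY="$WORK/privkey.pem"; GOOD_CERT="$WORK/fullchain.pem"
OTHER_KEY="$WORK/other.pem"
# 30-day self-signed pair standing in for the Let's Encrypt files.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
    -keyout "$GOOD_KEY" -out "$GOOD_CERT" >/dev/null 2>&1
# An unrelated key, to show the mismatch check firing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$OTHER_KEY" >/dev/null 2>&1

preflight "$GOOD_KEY" "$GOOD_CERT" 7               # ok
preflight "$OTHER_KEY" "$GOOD_CERT" 7 || true      # key/cert mismatch
write_deploy_hook "$WORK/restart-daphne.sh"
```

Two permission notes for the real deployment, since the config above sets no `user=`: `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` are root-only by default, and binding port 443 needs root or `CAP_NET_BIND_SERVICE`, so daphne ends up running as root unless you grant those two things to a dedicated account and set `user=` in the `[fcgi-program:asgi]` section.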
Boom, website secured.