Document deployment

DEPLOYMENT.md

@@ -0,0 +1,129 @@
+For production deployment, it is recommended to use a reverse proxy
+setup, for instance using gunicorn.
+
+This is because the access to invoices (PDF) is a bit special: they
+are served by the web server for efficiency, but django itself handles
+authorisation.  This needs special support from the web server
+(mod_xsendfile for Apache, etc).
+
+The following assumes Debian wheezy, with either Apache or Nginx as
+frontend.
+
+
+## Gunicorn configuration
+
+Gunicorn on Debian wheezy is very nice, because it can launch automatically
+at boot.  Of course, you can also use supervisord.
+
+Install the package:
+
+    $ sudo apt-get install gunicorn
+
+
+Gunicorn is supposed to handle Django out-of-the-box, but unfortunately,
+it does not work anymore with Django 1.7.  Anyway, this method is deprecated
+upstream.  We will simply use WSGI.  See also
+
+  https://docs.djangoproject.com/en/1.7/howto/deployment/wsgi/gunicorn/
+
+
+The Gunicorn config is the following:
+
+    # cat /etc/gunicorn.d/coin 
+    CONFIG = {
+        'working_dir': '/home/myuser/coin',
+        'python': '/home/myuser/virtualenv/bin/python',
+        'user': 'www-data',
+        'group': 'www-data',
+        'args': (
+            '--bind=127.0.0.1:8484',
+            '--workers=5',
+            'coin.wsgi',
+        ),
+    }
+
+Launching it is as simple as
+
+    # service gunicorn start
+
+
+## Nginx configuration
+
+    server {
+            listen [::]:80;
+            server_name coin.plop;
+            rewrite ^(.*) https://$server_name$1 permanent;
+    }
+    
+    server {
+            listen [::]:443 ssl;
+            server_name coin.plop;
+
+            ssl on;
+            ssl_certificate /etc/ssl/coin-plop.crt;
+            ssl_certificate_key /etc/ssl/coin-plop.pem;
+            root /var/www/;
+            access_log /var/log/nginx/coin.plop_ssl_access_log main;
+            error_log /var/log/nginx/coin.plop_ssl_error_log info;
+    
+            proxy_redirect off;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+    
+            location / {
+                    proxy_pass http://localhost:8484;
+            }
+    }
+
+
+TODO: sendfile support for invoices
+
+
+## Apache configuration
+
+    <VirtualHost *:80>
+            ServerName      coin.plop
+            Redirect permanent / https://coin.plop/
+    </VirtualHost>
+    
+    <VirtualHost *:443>
+        ServerName coin.plop
+    
+        DocumentRoot /home/myuser/coin/coin
+    
+        <Proxy *>
+            Order deny,allow
+            Allow from all
+        </Proxy>
+    
+        ProxyPass /robots.txt !
+        ProxyPass /favicon.ico !
+        ProxyPass /static/ !
+    
+        ProxyPass / http://localhost:8484/
+        ProxyPreserveHost On
+    
+        Alias /robots.txt /home/myuser/coin/coin/static/robots.txt
+        Alias /favicon.ico /home/myuser/coin/coin/static/img/favicon.ico
+    
+        <Directory /home/illysedev/coin/coin/static>
+            Order deny,allow
+            Allow from all
+            Options -Indexes
+        </Directory>
+    
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+    
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+    
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+    
+    	SSLEngine On
+            SSLCertificateFile    /etc/ssl/certs/illyse-coin-cert.pem
+            SSLCertificateKeyFile /etc/ssl/private/illyse-coin-privkey.pem
+    
+    </VirtualHost>
+
+TODO: sendfile support for invoices