This repository was archived by the owner on Feb 29, 2020. It is now read-only.

Nginx deployment notes might lead to security issues? #13

@tijs

As noted on Twitter earlier, I was wondering if the recommendation for setting up nginx should come with a warning to make sure the root var in the nginx config is pointing to a directory with your static files, not the root of your django app.

Your config uses the handy try_files shortcut:

root        /var/www/domain.com/;

# Check if a file exists at /var/www/domain/ for the incoming request.
# If it doesn't, proxy to Gunicorn/Django.
try_files $uri @django;

This is fine if domain.com has your static files, but if you deploy a standard django app layout (instead of your suggestion from another part of the best practices) on your server, it will make any python file, including your settings, available for download.

For instance if this is (part of) your app layout:

/var/www/domain.com/
    |- manage.py
    |- settings.py
    |- static/
        |- style.css

A call to http://domain.com/static/style.css will load fine and make it look like you did a fine job deploying following best practices, while at the same time http://domain.com/settings.py will start a download of your settings.py file.

Obviously this is bad and you should not point the root to your app, but I'm betting people will read that tip, which they will find when googling, and then do exactly this...
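The misconfiguration described in this issue next to a corrected layout, as an added example that is not part of the issue or of the project it reports against. The upstream address 127.0.0.1:8000 and the static_root directory are assumptions; /var/www/domain.com/ is the path from the issue.

```nginx
# Weak: root is the Django checkout itself, so try_files finds and serves
# /settings.py, /manage.py or any other file that exists under it before
# the request ever reaches Django.
server {
    listen 80;
    server_name domain.com;
    root /var/www/domain.com/;          # app directory, not static files
    try_files $uri @django;
    location @django {
        proxy_pass http://127.0.0.1:8000;   # assumed Gunicorn address
    }
}

# Hardened: only the collectstatic output is served from disk, under an
# explicit /static/ prefix. Every other path is proxied to Django, so no
# source file under the checkout can be requested by URL.
server {
    listen 80;
    server_name domain.com;
    location /static/ {
        # assumed STATIC_ROOT; alias maps /static/style.css to
        # /var/www/domain.com/static_root/style.css
        alias /var/www/domain.com/static_root/;
        try_files $uri =404;
    }
    location / {
        proxy_pass http://127.0.0.1:8000;   # assumed Gunicorn address
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, a request for /settings.py should no longer be answered from disk; it is handed to Django, which has no matching URL route and returns its own 404.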
