Introduction to Production Deployment#

This guide will walk you through the steps necessary to deploy Arches in a production environment. This guide assumes that you have already installed Arches and have a working Arches installation. If you have not yet installed Arches, please see the Installing Core Arches. We recommend review of Django’s recommended checklist for production deployments in order to better understand how to deploy your Arches instances in production environments.

Set DEBUG = False#

Most importantly, you should never run Arches in production with DEBUG = True. Open your settings.py file (or settings_local.py) and set DEBUG = False (just add that line if necessary).

Turning off the Django debug mode will:

  1. Suppress the verbose Django error messages in favor of a standard 404 or 500 error page.

    You will now find Django error messages printed in your arches.log file.

    Important

    Make sure you have 500.htm and 404.htm files in your project’s templates directory!

  2. Cause Django to stop serving static files.

    You must set up a real webserver, like Apache or Nginx, to serve your app. See Serving Arches with Apache.

More HTTPS Security Settings#

The CSRF_TRUSTED_ORIGINS setting permits one to allow CSRF requests from specific origins. One can permit (encryption free) HTTP requests, but this should be discouraged because HTTP requests are not secure. In many deployment scenarios (when you deploy Arches behind a proxy or a cloud load balancer), one should also set the SECURE_PROXY_SSL_HEADER setting to ensure that Django is aware of the proxy’s HTTPS status. In settings.py (sometimes set via settings_local.py) you add this setting with the following code:

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")

The SECURE_PROXY_SSL_HEADER setting is used to determine the actual request is secure. This setting is described in more detail in the Django documentation.

Check Security Settings#

The Django component of Arches has a number of security settings, and these settings can change as you upgrade Arches (including dependency Django libraries). You can find a list of these settings in the Django documentation. You can check the settings of your production Arches instance by running the following command:

python manage.py check --deploy --tag=security

This command provides a current list of security-related settings that you should be aware of. You can then adjust these settings in your settings.py file (or settings_local.py) as needed. An example of the output of this command is shown below:

System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.
Arches: (arches.W001) Cache backend does not support rate-limiting
        HINT: Your cache: django.core.cache.backends.locmem.LocMemCache
        Supported caches: ('django.core.cache.backends.memcached.PyLibMCCache', 'django.core.cache.backends.memcached.PyMemcacheCache', 'django.core.cache.backends.redis.RedisCache')

Build Production Frontend Assets#

In deploying Arches in production, have a choice in how you bundle frontend assets (CSS, Javascript, etc).

You can use npm run build_development followed by manage.py collectstatic to provide unminified frontend bundles. These will be larger files, so there will be a hit with respect to network performance.

Alternatively, you can build production assets for the frontend, which will be minified and therefore faster for clients to download. To make production frontend assets, use the manage.py build_production management command (this combines both npm run build_production and manage.py collectstatic). Please note however, you will need at least 8GB of RAM for the production frontend asset build itself (and much more if you’re also running the database and backend Arches server on the same host), and you will need lots of time. Depending on your system specifics, this can take multiple hours to complete.