Prepping Your Project for Production

Transcript

1. None
2. None

3. IT’S DANGEROUS TO GO ALONE! TAKE THIS.

4. PHILOSOPHY Keep things as simple as possible While maintaining: Performance

   Observability Stability Security

5. Hosting Configuration Web Server Assets (static and media) OVERVIEW Additional

   Considerations: Performance Security Observability

6. HOSTING

7. PLATFORM AS A SERVICE (PAAS) Heroku PythonAnywhere Platform.sh Google App

   Engine Google Cloud Run

8. PROS CONS PLATFORM AS A SERVICE (PAAS) Managed Monitored Secured

   Supported Backing services may be included Performance Less flexibility Cost*

9. FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS) AWS Lambda (with

   Zappa) Google Cloud Functions Azure Functions ZEIT

10. PROS CONS FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS) Managed

    Monitored Secured Less expensive* New = rough edges Performance and cold starts Management commands

11. KUBERNETES (MANAGED) Google Kubernetes Engine (GKE) DigitalOcean Kubernetes Amazon Elastic

    Kubernetes Service (EKS) Azure Kubernetes Service (AKS)
12. None

13. PROS KUBERNETES (MANAGED) Managed Monitored Secured Requires k8s knowledge Probably

    overkill CONS

14. UNMANAGED/SELF-HOST Flexible Cost* Security Monitoring Management Documentation/training TLS Certificates PROS

    CONS

15. HOSTING (CONT) BACKING SERVICES AND APPLICATION STATE

16. USE MANAGED SERVICES

17. MANAGED SERVICES Database (Amazon RDS, Cloud SQL, Heroku Postgres, etc.)

    Object Storage (Amazon S3, Google Cloud Storage, etc.) SMTP (Amazon SES, Sendgrid, Mailgun, etc.) Elasticsearch Redis

18. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

19. CONFIGURATION

20. 12 FACTOR Deployment Application Config

21. CONFIGURATION Environment Variables Configuration File Django settings (prod.py, staging.py, etc.)

22. CONFIGURATION Environment Variables Configuration File Django settings (prod.py, staging.py, etc.)

23. SECRETS API KEYS, SECRET_KEY, SERVICE CREDENTIALS, ETC. Never in your

    code repository
 (unencrypted)

24. CONFIGURATION PaaS Configuration Amazon SSM and Chamber Kubernetes Secrets Encrypted

    in configuration mangagement Hashicorp Vault

25. GOODCONF

26. GOODCONF Configuration via file or environment variables Type casting for

    environment variables Auto-generate documentation Auto-generate commented sample configs
27. None
28. None

29. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

30. WEB SERVER

31. WEB SERVER

32. GUNICORN

33. UWSGI

34. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

35. SERVING ASSETS

36. WHITENOISE pip install whitenoise

37. UWSGI

38. NODE.JS Source files in version control Webpack/Parcel to generate static

    files during build Add build destination to STATICFILES_DIRS django-webpack-loader if bundle-splitting

39. MEDIA Use django-storages with your preferred backend (Amazon, Google, Azure,

    etc.) Be careful of public vs. private AWS_DEFAULT_ACL AWS_QUERYSTRING_AUTH AWS_QUERYSTRING_EXPIRE

40. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

41. GO LIVE!

42. PERFORMANCE

43. USE AN APM Third-party: NewRelic, Scout, Datadog Provider: AWS X-Ray,

    Google Stackdriver Trace Self-hosted: Elastic

44. DATABASE Don't be surprised if your laptop performs better Network

    latency Size of dataset

45. DATABASE Use Postgres (unless you have a good reason not

    to) CONN_MAX_AGE Reduce queries select_related prefetch_related Indexes db_index index_together

46. TEMPLATE FRAGMENT CACHING

47. TEMPLATE FRAGMENT CACHING

48. CDN

49. CDN Third Party: Cloudflare, Fastly Provider: Amazon Cloudfront, Google Cloud

    CDN

50. CDN Cache static files forever (far-future expires) Cache Django responses

    if possible

51. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

52. SECURITY

53. CODE Monitor dependencies for vulnerabilities
 (GitHub Security Alerts) Use a

    lockfile (pipenv, poetry, pip-compile) Consider an external audit

54. ENVIRONMENT DEBUG = False ... ALWAYS! manage.py check --deploy https://observatory.mozilla.org

55. AUTHENTICATION (ESPECIALLY THE ADMIN) MFA django-two- factor-auth External provider (G-

    Suite, AWS Cognito, etc.) Rate limiting (Cloudflare, Nginx, AWS WAF, Django) Firewall/VPN

56. ADDITIONAL ATTACK VECTORS SSH Platform web console (use MFA!) Domain

    registrar Email Backing services APIs

57. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

58. OBSERVABILITY

59. ERROR REPORTING Emails don't scale Use Sentry or Rollbar

60. LOGGING Third-party: Datadog, LogDNA, Splunk, Sumo Logic Provider: AWS Cloudwatch,

    Google Stackdriver Self-hosted: ELK, Graylog

61. MONITORING & ALERTING Third-party: Internal: Datadog External: Pingdom, StatusCake, Datadog

    Alerts: PagerDuty, OpsGenie, Slack Provider: Cloudwatch, Stackdriver Self-hosted: Prometheus, Grafana

62. Additional Considerations: Performance Security Observability OVERVIEW Hosting Configuration Web Server

    Assets (static and media)

63. IT’S DANGEROUS TO GO ALONE! TAKE THIS. GAME OVER

64. PETER BAUMGARTNER [email protected] SAVE SLIDE DESIGN BY YUPGUP