Everywhere in all the textbooks it is written: in production use nginx, and not the server provided by the framework.

What are the main pitfalls, primarily those that affect security?

Wild multithreading, scaling and performance do not interest me in my case, because this specific application uses the scheme "one user - one server".

  • "wild multithreading, scaling and performance" - well, that's why they write this in textbooks :) - andreymal
  • Most importantly: IN NO CASE use the built-in runserver, because it is made only for development and no one really cares about its security. And the below-mentioned gunicorn and uwsgi can perhaps be installed without nginx - andreymal

3 answers

Well, firstly - the server provided by the framework is intended for development. And for working on the Internet in production there is Apache or Nginx. By and large, there is no difference. Multithreading - gunicorn.
You can send incoming requests on tcp port 80 to tcp 8000 on the server. Well, it's hard to call it production. Of course it will work - on some internal office project, for the accounting department. But the lack of multithreading means 1 request at a time. If this is enough for your purposes, then you are free to use it.

  • The built-in server implements parallel request execution. To make sure of this, it's enough to put a sleep in the view and execute another request. - user268178

  1. The servers provided by Django / Flask work in a single thread. I'm afraid that with this approach page loading will be very slow, or connections will even break.

  2. An "application server" - gunicorn or uwsgi - is usually put in front of Django / Flask. They can be exposed on their own as well. In general, they are able to do a lot of things, including SSL termination.

  3. Nginx has been developed for a long time, it is used by many large companies, and you can be sure that it has been reviewed and examined from all sides, and much more closely than the built-in django / flask servers.

UPD

  1. The dev servers of django and flask can be multi-threaded. But you need to understand that these are Python threads, which have the GIL. If you mostly make system calls (requests to the database, reading files, requests to third-party resources) in the thread, then everything will work more or less normally for a small number of requests. With regards to aiohttp / sanic / another asynchronous web server - as long as you make requests to the database / third-party resources as part of the request, everything will be ok.
  • And the one built into aiohttp, is it as in the first point? - Lecron
  • @Lecron aiohttp.web is a full-fledged server, in front of which nothing else needs to be put. In addition, it is asynchronous, so it can handle ten thousand connections simultaneously with one instance. But nevertheless it is better to serve the static files with Nginx. - Sergey Gornostaev

To get started, check out the nginx home page.

You can skip nginx and use gunicorn on its own. If you look at the gunicorn documentation, it says that without nginx it is subject to denial of service attacks.

Although there are many HTTP proxies available, we strongly advise that you use Nginx. If you choose another Gunicorn workers. Without this buffering, gunicorn will be easily susceptible to denial-of-service attacks. You can use slowloris to check if your proxy is behaving properly.

But then static files would also have to be served by django, and this will add load to the server.

Besides, it is difficult to call your “product” a product if it is used by 1 client. And if there are several clients, you can save on servers by using nginx.
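As an added illustration of the buffering point quoted from the gunicorn documentation (this is an example written for this page, not code from the answer or from the gunicorn project), here is a minimal nginx server block placed in front of a gunicorn instance bound to 127.0.0.1:8000. The hostname, the static directory and the timeout values are assumptions to adjust for a real deployment:

```nginx
# Assumed: gunicorn started as
#   gunicorn --bind 127.0.0.1:8000 --workers 3 myproject.wsgi:application
# so that only nginx, not gunicorn, is reachable from outside.
upstream app_backend {
    server 127.0.0.1:8000 fail_timeout=0;
}

server {
    listen 80;
    server_name example.com;   # assumed hostname

    # Slow clients are dropped by nginx before a gunicorn worker is ever
    # involved: these limits bound how long headers and bodies may trickle in.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  10m;

    # Static files are served by nginx directly, not by Django / Flask.
    location /static/ {
        alias /srv/app/static/;   # assumed collectstatic target
        expires 30d;
    }

    location / {
        # Buffer the full request before handing it to the backend and buffer
        # the response on the way out, so a synchronous worker is occupied only
        # for the time it actually spends computing the reply.
        proxy_request_buffering on;
        proxy_buffering         on;
        proxy_read_timeout      30s;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://app_backend;
    }
}
```

With this in place the "one request at a time" worker from the first answer never sees a half-sent request, which is exactly the buffering the gunicorn documentation asks the proxy to provide.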