(Someone called for a sys-admin?)
The way we deploy for static files is this:

- We define a directory under /var/www as the target for static files. (There is absolutely no reason for nginx to have access to the Django project directory.) Usually, it’s named for the project.
- This directory is owned by the uid and gid used by nginx (default: www-data).
- The account doing the deployment is made a member of that group.
- That directory has its permissions set to 2775. (e.g., `chmod 2775 /var/www/project`) The “2” in the first position sets the “sticky” bit on the directory. This means that all files in that directory will be owned by that group.
- The Django project has its STATIC_ROOT configured for that directory.
- We use `collectstatic` with the `--clear` parameter.

I’ve never liked the idea of any web server having direct access to `/home`. Call it an over-abundance of caution, but it’s just not necessary.

For clarification - the “x” permission on directories does not mean “execute”. It’s the permission needed to get a listing of that directory, and is required if you’re going to access any file or directory within that directory.
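
A preflight check for the layout described in this post, as an added example that is not part of the original post: it verifies that the static directory is outside the project and `/home`, has mode 2775, is group-owned by the nginx group, and that the deploying account is in that group. The function names, the `/srv/app/project` path and the use of `www-data` as the group name are assumptions for illustration.

```python
import os
import stat
from pathlib import Path

EXPECTED_MODE = 0o2775  # the mode from the chmod command in the post


def check_layout(path, st_mode, st_gid, nginx_gid, deploy_gids, project_dir):
    """Return a list of deviations from the layout described in the post."""
    problems = []
    path = Path(os.path.abspath(path))
    project_dir = Path(os.path.abspath(project_dir))
    if path == project_dir or project_dir in path.parents:
        problems.append("STATIC_ROOT is inside the Django project directory")
    if Path("/home") in path.parents:
        problems.append("STATIC_ROOT is under /home")
    if not stat.S_ISDIR(st_mode):
        problems.append("STATIC_ROOT is not a directory")
    mode = stat.S_IMODE(st_mode)  # permission bits including the leading digit
    if mode != EXPECTED_MODE:
        problems.append(f"mode is {mode:04o}, expected {EXPECTED_MODE:04o}")
    if not mode & stat.S_ISGID:
        # The leading 2 is stat.S_ISGID; without it new files get the creator's group.
        problems.append("leading 2 missing: new files will not inherit the group")
    if st_gid != nginx_gid:
        problems.append(f"group is gid {st_gid}, expected nginx gid {nginx_gid}")
    if nginx_gid not in deploy_gids:
        problems.append("deploying account is not a member of the nginx group")
    return problems


def audit_static_root(path, nginx_gid, project_dir):
    """Stat the real directory and check it as the current (deploying) user."""
    st = os.stat(path)
    deploy_gids = set(os.getgroups()) | {os.getegid()}
    return check_layout(path, st.st_mode, st.st_gid, nginx_gid,
                        deploy_gids, project_dir)


if __name__ == "__main__":
    import grp
    # Assumed values: group "www-data" (the default named in the post) and
    # placeholder paths for the static directory and the project.
    gid = grp.getgrnam("www-data").gr_gid
    for line in audit_static_root("/var/www/project", gid, "/srv/app/project") or ["OK"]:
        print(line)
```

Run it as the deploying account before `collectstatic --clear`, so the group-membership check reflects the user that will write the files.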