I haven’t deployed Django under Apache in more than 8 years now, and to be honest, I don’t specifically remember everything. However, I think the analogy is close enough when running Django under nginx / uwsgi that you may find this informative.
Yes, we specifically create non-root, non-system users to run our Django apps, frequently one per project. (I have one server running 5 different projects; each uses its own id.)
We have uwsgi set up to be started as that user.
The virtual environment is created in, and the project is deployed to /home/user.
All static files are deployed to /var/www/html/<project name>/ using collectstatic. The media directories are maintained under /var/media/<project_name>/.
The <project_name> directories are owned by the project, with the group www-data. Only the project can write to those directories. The www-data account can only read them.
Generally, this works for us regardless of whether we’re deploying to bare metal or within Docker containers.
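The ownership rule in the post above (the project account owns the static and media trees, the web server group can read but not write) can be checked after each deploy. The following is an added example, not part of the original post: `audit_tree` and `demo` are hypothetical names, and the demo uses the current uid/gid on a constructed temporary tree as stand-ins for the project and www-data accounts.

```python
import os
import stat
import tempfile

def audit_tree(root, owner_uid, group_gid):
    """Return (path, problem) pairs where the tree deviates from the layout."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]
    problems = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # Linux ignores a symlink's own mode bits
        if st.st_uid != owner_uid:
            problems.append((path, "not owned by project user"))
        if st.st_gid != group_gid:
            problems.append((path, "group is not the web server group"))
        # The web server group needs read, plus search (x) on directories.
        need = stat.S_IRGRP | (stat.S_IXGRP if stat.S_ISDIR(st.st_mode) else 0)
        if st.st_mode & need != need:
            problems.append((path, "not readable by group"))
        if st.st_mode & stat.S_IWGRP:
            problems.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((path, "world-writable"))
    return problems

def demo():
    """Audit a constructed tree; the current uid/gid stand in for the accounts."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("site.css", 0o640), ("upload.bin", 0o660)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(root, 0o750)  # owner rwx, group r-x, others none
        st = os.lstat(root)
        found = audit_tree(root, st.st_uid, st.st_gid)
        return [(os.path.basename(p), msg) for p, msg in found]

if __name__ == "__main__":
    for name, msg in demo():
        print(name, msg)
```

On a real host the uid and gid would come from `pwd.getpwnam` and `grp.getgrnam` for the project account and `www-data`.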
Yeah, Graham Dumpleton also further replied/clarified about this topic, so I think it's a safe direction so far. I am also testing this further, step-by-step… whether I will run into any issues.
I have left SELinux (the topic of my other discussion) for now until the end.
As I mentioned, I am doing the tutorial series/walkthrough so that all this research into configuration helps someone down the line. Thanks man, it really helps.