⚠️ PROJECT STATUS: MAINTENANCE MODE
uWSGI is in maintenance mode (announced 2024). Security patches may be slower than active projects. For new projects, consider Gunicorn, Uvicorn, or Granian.
| Aspect | Status | Notes |
|---|---|---|
| Project Maintenance | ⚠️ Maintenance mode | Bugfixes only |
| Security Response | ⚠️ Slow | Maintainer response times increased |
| Recent Releases | ✅ Active | 2.0.31 (Oct 2025), 2.0.30 (Jun 2025) |
| Known CVEs | ✅ Low | No major recent CVEs |
| Package Availability | ✅ Available | Debian/Ubuntu, EPEL 9 |
```ini
[uwsgi]
# Run workers as an unprivileged user
uid = www-data
gid = www-data

# TCP socket (localhost only)
socket = 127.0.0.1:8000

# Or Unix socket (recommended): keep one of the two socket lines, not both
socket = /var/run/uwsgi/myapp.sock
chmod-socket = 660
```
Never expose uWSGI directly to the internet. Use Nginx or Apache:
```nginx
server {
    listen 80;

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:8000;
    }
}
```

```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:8000;
    }
}
```
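```ini
# Timeout settings: kill a worker stuck on one request for more than 30 seconds
harakiri = 30
harakiri-verbose = true

# Buffer sizes (bytes)
buffer-size = 65535
post-buffering = 4096

# Max request body size (bytes; 10485760 = 10 MiB)
limit-post = 10485760
```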
```bash
# Configuration files
sudo chown root:root /etc/uwsgi/*.ini
sudo chmod 644 /etc/uwsgi/*.ini

# Socket directory
sudo chown www-data:www-data /var/run/uwsgi
sudo chmod 755 /var/run/uwsgi

# Log directory
sudo chown www-data:adm /var/log/uwsgi
sudo chmod 755 /var/log/uwsgi

# Application directory
sudo chown www-data:www-data /var/www/myapp
sudo chmod 755 /var/www/myapp
```
```ini
# /etc/systemd/system/uwsgi.service
[Service]
User=www-data
Group=www-data

# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/var/run/uwsgi /var/log/uwsgi

# Network restrictions (AF_UNIX is required for the Unix socket)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Capability restrictions
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=

# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Kernel and device protection
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true

# Resource limits
LimitNOFILE=65535
```
```nginx
# limit_req_zone belongs in the http {} context
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        limit_req zone=one burst=20 nodelay;
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:8000;
    }
}
```
```ini
logto = /var/log/uwsgi/myapp.log
log-4xx = true
log-5xx = true
log-date = true
```
```ini
# Disable stats server if not needed
# stats = 127.0.0.1:9191

# Leave thread support off unless the application needs it
# enable-threads = false
```
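As an added example (not part of uWSGI or of the original page), the Python script below audits a uWSGI ini file for the settings covered above: non-root `uid`, loopback or Unix-socket binds for `socket` and `stats`, a `chmod-socket` mode without world access, and the presence of `harakiri` and `limit-post`. The function names and both sample configs are constructed for illustration, and the script assumes an address without `:` is a Unix socket path.

```python
import re

# Constructed sample configs: HARDENED mirrors the settings on this page,
# WEAK is a made-up counterexample.
HARDENED = """[uwsgi]
uid = www-data
gid = www-data
socket = /var/run/uwsgi/myapp.sock
chmod-socket = 660
harakiri = 30
limit-post = 10485760
"""
WEAK = """[uwsgi]
uid = root
socket = :8000
chmod-socket = 666
stats = 0.0.0.0:9191
"""
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def parse_uwsgi_ini(text):
    """Return {option: [values]}; uWSGI allows an option to repeat."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", ";")):
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def is_exposed(addr):
    """True for a TCP bind that is not loopback-only.
    Assumption: an address without ':' is a Unix socket path."""
    return ":" in addr and addr.rpartition(":")[0] not in LOOPBACK

def audit(text):
    """Return a list of findings for the hardening settings covered above."""
    opts, findings = parse_uwsgi_ini(text), []
    if opts.get("uid", ["root"])[-1] in ("root", "0"):
        findings.append("uid: root or unset (workers keep the launching user's privileges)")
    for key in ("socket", "stats"):
        findings += [f"{key}: {a} is reachable beyond loopback"
                     for a in opts.get(key, []) if is_exposed(a)]
    for mode in opts.get("chmod-socket", []):
        if re.fullmatch(r"[0-7]{3,4}", mode) and int(mode, 8) & 0o007:
            findings.append(f"chmod-socket: {mode} grants access to other users")
    findings += [f"{k}: not set" for k in ("harakiri", "limit-post") if k not in opts]
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "no findings")
```

An unset `uid` is reported because the script cannot see whether the service manager already drops privileges; treat that finding as a prompt to check the unit file.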
| Risk | Mitigation |
|---|---|
| Slower security patches | Monitor security advisories |
| Limited new features | Consider migration to alternatives |
| Slow maintainer response | Self-assess and patch if needed |
See uWSGI Hardening for server-specific hardening details.