Deploy a Secure FastAPI App on Ubuntu 20.04 using Python3.10 / CertBot / Nginx and Gunicorn.

The overall objective is to deploy a Secure and Optimised FastAPI Performance Application. We are required to launch a Compute instance with a cloud platform of your choice or any deployment running Ubuntu 20.04. This post will assume that you know and have developed your fastapi app and will only focus on deploying the actual application.

Step 1 — Update and Patching the Linux Server (Ubuntu 20.04)

Run the below commands separately and do a reboot before continuing.

sudo apt update
sudo apt upgrade -y
sudo reboot

Install some OS dependencies:

sudo apt-get install -y -q build-essential git unzip zip nload tree
sudo apt-get install -y -q python3-pip python3-dev python3-venv

How to Install Python 3.10 on Ubuntu 20.04

sudo apt install software-properties-common -y
sudo add-apt-repository ppa:deadsnakes/ppa -y
sudo apt install python3.10

To verify the installation and Python 3.10 build version, perform the following:

python3.10 --version

If installation exist,

sudo apt install python3.10-dev python3.10-venv python3.10-distutils -y

Step 2 — Preparing to Run your FastAPI App

Navigate to your App Directory and Create a virtual env for the app on using dot

cd /apps
python3.10 -m venv .

Activate and install python packages for your FastAPI app

source /apps/bin/activate
pip3 install --upgrade pip setuptools wheel
pip3 install --upgrade httpie glances
pip3 install --upgrade gunicorn uvloop httptools

Setup your web app using your requirements files

pip3 install -r requirements.txt

Step 3 — Verify that Uvicorn is Running FastAPI App

Verify that your FastAPI app is running normally

cd /apps

Run the below command depending on your setup
EITHER

python3.10 app.py

OR

uvicorn app:app –reload –port=8004

TEST: Open another terminal and run the below

curl http://127.0.0.1:8004

Or use a cool library we installed earlier httpie is nicer for this purpose.

httpie http://127.0.0.1:8004

You will notice that the server is running from the first terminal and indicates that it has process the GET request either by the curl or the httpie

Step 4 — Creating System Service and Web Server to always run FastAPI Web App

Create and enable the daemon
your_app_name.service SAMPLE

(https://github.com/tconyemaobi/Secure-FastAPI-App-CertBot-Nginx-and-Gunicorn)

sudo systemctl start your_app_name
sudo systemctl status your_app_name
sudo systemctl enable your_app_name

Setup the public facing server (NGINX)

sudo apt install nginx

NGINX SAMPLE CONFIG

https://github.com/tconyemaobi/Secure-FastAPI-App-CertBot-Nginx-and-Gunicorn

CAREFUL HERE. If you are using default, maybe skip this

sudo mv /etc/nginx/sites-enabled/default ./default_backup

ELSE:

cp YOUR_APP_NAME.nginx /etc/nginx/sites-enabled/
update-rc.d nginx enable
service nginx restart

Step 5 — Security with Firewall and SSL Support

Configure Firewall exception for SSH, HTTP and HTTPS Ports and enable firewall, as recommended by the prerequisite guides.

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

add SSL support via Let's Encrypt:

apt install python3-certbot-nginx
certbot --nginx -d yourapp.example.com

To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

sudo ufw status
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Conclusion

You learned how to use virtual environments to isolate dependencies, create a FastAPI application, use Gunicorn as an application server, Nginx as a reverse proxy server, and protect Nginx with an SSL certificate in this tutorial.