Deploy a Secure FastAPI App on Ubuntu 20.04 using Python3.10 / CertBot / Nginx and Gunicorn.
The overall objective is to deploy a Secure and Optimised FastAPI Performance Application. We are required to launch a Compute instance with a cloud platform of your choice or any deployment running Ubuntu 20.04. This post will assume that you know and have developed your fastapi app and will only focus on deploying the actual application.
Step 1 — Update and Patching the Linux Server (Ubuntu 20.04)
Run the below commands separately and do a reboot before continuing.
sudo apt update
sudo apt upgrade -y
sudo reboot
Install some OS dependencies:
sudo apt-get install -y -q build-essential git unzip zip nload tree
sudo apt-get install -y -q python3-pip python3-dev python3-venv
How to Install Python 3.10 on Ubuntu 20.04
sudo apt install software-properties-common -y
sudo add-apt-repository ppa:deadsnakes/ppa -y
sudo apt install python3.10
To verify the installation and Python 3.10 build version, perform the following:
python3.10 --version
If installation exist,
sudo apt install python3.10-dev python3.10-venv python3.10-distutils -y
Step 2 — Preparing to Run your FastAPI App
Navigate to your App Directory and Create a virtual env for the app on using dot
cd /apps
python3.10 -m venv .
Activate and install python packages for your FastAPI app
source /apps/bin/activate
pip3 install --upgrade pip setuptools wheel
pip3 install --upgrade httpie glances
pip3 install --upgrade gunicorn uvloop httptools
Setup your web app using your requirements files
pip3 install -r requirements.txt
Step 3 — Verify that Uvicorn is Running FastAPI App
Verify that your FastAPI app is running normally
cd /apps
Run the below command depending on your setup
EITHER
python3.10 app.py
OR
uvicorn app:app –reload –port=8004
TEST: Open another terminal and run the below
curl http://127.0.0.1:8004
Or use a cool library we installed earlier httpie is nicer for this purpose.
httpie http://127.0.0.1:8004
You will notice that the server is running from the first terminal and indicates that it has process the GET request either by the curl or the httpie
Step 4 — Creating System Service and Web Server to always run FastAPI Web App
Create and enable the daemon
your_app_name.service SAMPLE
(https://github.com/tconyemaobi/Secure-FastAPI-App-CertBot-Nginx-and-Gunicorn)
sudo systemctl start your_app_name
sudo systemctl status your_app_name
sudo systemctl enable your_app_name
Setup the public facing server (NGINX)
sudo apt install nginx
NGINX SAMPLE CONFIG
https://github.com/tconyemaobi/Secure-FastAPI-App-CertBot-Nginx-and-Gunicorn
CAREFUL HERE. If you are using default, maybe skip this
sudo mv /etc/nginx/sites-enabled/default ./default_backup
ELSE:
cp YOUR_APP_NAME.nginx /etc/nginx/sites-enabled/
update-rc.d nginx enable
service nginx restart
Step 5 — Security with Firewall and SSL Support
Configure Firewall exception for SSH, HTTP and HTTPS Ports and enable firewall, as recommended by the prerequisite guides.
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
add SSL support via Let's Encrypt:
apt install python3-certbot-nginx
certbot --nginx -d yourapp.example.com
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
sudo ufw status
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Conclusion
You learned how to use virtual environments to isolate dependencies, create a FastAPI application, use Gunicorn as an application server, Nginx as a reverse proxy server, and protect Nginx with an SSL certificate in this tutorial.
clean tutorial