Full Web Apps with FastAPI Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Preparing to run FastAPI on Ubuntu
0:00 I've copied what we built over in chapter seven into chapter eight and made a
0:03 few minor changes. And I did this without recording it,
0:06 because you'll see they're just a bunch of config files we're gonna have to set.
0:09 Like, for example, here's our nginx config file.
0:12 We never type that from scratch,
0:14 we find some example, and we adapt it.
0:16 So that's what I did, we'll talk about that in a minute.
0:18 But we also, I also put in here,
0:20 there's a script that sort of takes us through these steps to set up our servers
0:23 So we've done our upgrade and patch.
0:26 We've installed Z shell. Now we're gonna need a few other things in order to further
0:30 secure our server and to make it ready, to get it ready to run Python.
0:34 For example, make sure we have the python3-dev tools so we can install
0:38 things and so on. So let's go over here and put the build-essential, git, zip,
0:44 and some other things. Not all of them are required,
0:46 but they're all useful. Now
0:49 we have things like git set up.
0:51 That's cool. Let's set up Python, on Linux when we install python3,
0:56 it doesn't necessarily come with pip or with virtual environments.
0:59 So we're gonna install all three of those now, and just talking about z shell.
1:03 If I type apt for stuff that I could have done, because I typed
1:08 sudo, didn't I? So if I type sudo,
1:10 you can just see it'll only cycle through the sudo stuff as you arrow
1:13 whereas bash, it just goes through the history and things like that.
1:16 So there's a bunch of little nice touches.
1:18 All right, so now we should be able to run python -V,
1:23 python3 -V. There we go,
1:25 3.8.5. Now we're gonna do a couple of things here to make the system a little
1:30 more secure. We're gonna do three things in particular.
1:32 We're going to set up what's called fail2ban and to do fail2ban,
1:36 what this is is if somebody tries to log in over ssh and they fail
1:41 either through user name password, which we don't have set up or through ssh keys,
1:45 if they do that too many times,
1:47 then they're going to be banned from attempting to log in.
1:50 So this is a nice little service to
1:53 avoid sort of dictionary attacks or brute force attacks against logging in.
1:56 We also want to turn on a firewall.
1:59 Linux, Ubuntu comes with a firewall, uncomplicated firewall,
2:02 uwf. And what we wanna do is we wanna say,
2:05 allow ssh traffic and allow web traffic.
2:08 So port 80 to start things off on HTTP and 443 to allow SSL HTTPS
2:14 traffic. Other than that, we won't allow nothing.
2:16 And when we turn it on, it says,
2:18 if you have not allowed ssh and you say turn on the
2:22 firewall, you're never coming back.
2:24 But luckily, we have. So let's close this and just reconnect to make sure it's
2:28 fine, it is. An then the other thing is,
2:31 what is our user? I'm root.
2:34 Do you think running as root is a good idea?
2:36 No, not a good idea at all. So we're gonna install, create a new
2:41 user. A user that doesn't have log in permissions, apiuser
2:46 and we're going to run our web application that, that way,
2:49 in case somebody happens to break through and take over our system,
2:54 they're only gonna be able to do what a apiuser can do, not what
2:57 root can do, so that's good.
2:58 We also want to create some log files, locations here and then give that user permissions
3:03 I think I probably, they must have to exist first.
3:06 So let's do that. And then we can say give them modify access to where
3:10 the web app needs to keep its logs.
3:12 All right, so we're not, we don't have our code on here yet.
3:15 We don't have the libraries needed to run set up, like Uvicorn or FastAPI
3:20 But our server is much closer.
3:23 We've got fail2ban, we've got the firewall running for only the ports
3:27 we want to explicitly expose, the three. And then we've got our user that is a less privileged user to run our web app as.