Full Web Apps with FastAPI Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Preparing to run FastAPI on Ubuntu
0:00 I've copied what we built over in chapter seven into chapter eight and made a few minor changes. And I did this without recording it,
0:07 because you'll see they're just a bunch of config files we're gonna have to set. Like, for example, here's our nginx config file.
0:13 We never type that from scratch, we find some example, and we adapt it. So that's what I did, we'll talk about that in a minute.
0:19 But we also, I also put in here, there's a script that sort of takes us through these steps to set up our servers. So we've done our upgrade and patch.
0:27 We've installed Z shell. Now we're gonna need a few other things in order to further
0:31 secure our server and to make it ready, to get it ready to run Python. For example, make sure we have the python3-dev tools so we can install
0:39 things and so on. So let's go over here and put the build-essential, git, zip, and some other things. Not all of them are required,
0:47 but they're all useful. Now we have things like git set up. That's cool. Let's set up Python, on Linux when we install Python3,
0:57 it doesn't necessarily come with pip or with virtual environments. So we're gonna install all three of those now, and just talking about z shell.
1:04 If I type apt for stuff that I could have done, because I typed sudo, didn't I? So if I type sudo,
1:11 you can just see it'll only cycle through the sudo stuff as you arrow whereas bash, it just goes through the history and things like that.
1:17 So there's a bunch of little nice touches. All right, so now we should be able to run python -V, python3 -V. There we go,
1:26 3.8.5. Now we're gonna do a couple of things here to make the system a little more secure. We're gonna do three things in particular.
1:33 We're going to set up what's called fail2ban and to do fail2ban, what this is is if somebody tries to log in over ssh and they fail
1:42 either through user name password, which we don't have set up or through ssh keys, if they do that too many times,
1:48 then they're going to be banned from attempting to log in. So this is a nice little service to
1:54 avoid sort of dictionary attacks or brute force attacks against logging in. We also want to turn on a firewall.
2:00 Linux, Ubuntu comes with a firewall, uncomplicated firewall, ufw. And what we wanna do is we wanna say, allow ssh traffic and allow web traffic.
2:09 So port 80 to start things off on HTTP and 443 to allow SSL HTTPS traffic. Other than that, we won't allow nothing. And when we turn it on, it says,
2:19 if you have not allowed ssh and you say turn on the firewall, you're never coming back.
2:25 But luckily, we have. So let's close this and just reconnect to make sure it's fine, it is. And then the other thing is, what is our user? I'm root.
2:35 Do you think running as root is a good idea? No, not a good idea at all. So we're gonna install, create a new
2:42 user. A user that doesn't have login permissions, apiuser, and we're going to run our web application that, that way,
2:50 in case somebody happens to break through and take over our system, they're only gonna be able to do what an apiuser can do, not what
2:58 root can do, so that's good. We also want to create some log files, locations here and then give that user permissions.
3:04 I think I probably, they must have to exist first. So let's do that. And then we can say give them modify access to where
3:11 the web app needs to keep its logs. All right, so we're not, we don't have our code on here yet.
3:16 We don't have the libraries needed to run set up, like Uvicorn or FastAPI. But our server is much closer.
3:24 We've got fail2ban, we've got the firewall running for only the ports
3:28 we want to explicitly expose, the three. And then we've got our user that is a less privileged user to run our web app as.