Modern APIs with FastAPI and Python Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Preparing to run FastAPI on Ubuntu
0:00 I've copied what we built over in Chapter seven in to Chapter eight and made a few minor changes. And I did this without recording it,
0:07 because you'll see they're just a bunch of config files we're gonna have to set. Like, for example, here's NGINX config file.
0:13 We never type that from scratch. We find some example, and we adapt it. so that's what I did. We'll talk about that in a minute.
0:19 But we also, I also put in here, there's a script that sort of takes us through these steps to set up our server. So we've done our upgrade and patch.
0:27 We've installed z shell. Now we're gonna need a few other things in order to further
0:31 secure our server and to make it ready, to get it ready to run Python. For example, make sure we have the Python 3 Dev tools so we can install
0:39 things and so on. Let's go over here and put the build essentials, Git, Zip, and some other things. Not all of them are required,
0:47 but they're all useful. Now we have things like Git setup, That's cool. Let's set up Python. On Linux, when we install Python 3,
0:57 it doesn't necessarily come with Pip or with virtual environment, so we're going to install all three of those now. And just talking about z shell,
1:04 if I type "apt" for stuff that I could have done, because I typed sudo, didn't I? So if I type sudo,
1:11 you can just see it will only cycle through the sudo stuff as you arrow, whereas bash, it just goes through the history and things like that.
1:17 So there's a bunch of little nice touches. Alright, so now we should be able to run Python dash v, Python 3 dash v. There we go.
1:26 3.8.5. Now we're gonna do a couple of things here to make the system a little more secure. We're gonna do three things in particular.
1:33 We're going to set up what's called "fail to ban" and to do fail to ban, what this is, is if somebody tries to log in over ssh and they fail,
1:42 either through username password, which we don't have set up or through ssh keys, if they do that too many times,
1:48 then they're going to be banned from attempting to log in. So this is a nice little service to
1:54 avoid sort of dictionary attacks or brute force attacks against logging in. We also want to turn on a firewall.
2:00 Linux Ubuntu comes with a firewall, uncomplicated firewall UWF, and what we want to do is we want to say, "allow ssh traffic and allow web traffic".
2:09 So port 80 to start things off on http and 443 to allow SSL https traffic. Other than that, we want to allow nothing, and we turn it on it says
2:19 if you have not allowed SSH and you say "turn on the firewall", you're never coming back.
2:25 But luckily we have. So let's close this and just reconnect to make sure it's fine, it is. Then. The other thing is, what is our user? I'm root.
2:35 Do you think running as root is a good idea? No. So not a good idea at all. So we're gonna install, create a new
2:42 user, a user that doesn't have log in permissions, it's a wimpier user, and we're going to run our web application in that. That way,
2:50 in case somebody happens to break through and take over our system, they're only gonna be able to do what API user can do, not what
2:58 root can do. So that's good. We also want to create some log files, locations here, and then give that user permissions.
3:04 I think I probably, they must have to exist first. So let's do that. And then we can say give them modify access to where
3:11 the Web app needs to keep its logs. Alright, so we're not, we don't have our code on here yet.
3:16 We don't have the libraries needed to run, set up like uvicorn, or FastAPI, but our server is much closer.
3:24 We've got fail to ban, we've got the firewall running for only the ports we want to explicitly expose, the three, and then we've got our user that is a
3:34 less privileged user to run our Web app as.