Modern APIs with FastAPI and Python Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Preparing to run FastAPI on Ubuntu
0:00 I've copied what we built over in Chapter seven into Chapter eight and made a
0:03 few minor changes. And I did this without recording it,
0:06 because you'll see they're just a bunch of config files we're gonna have to set.
0:09 Like, for example, here's NGINX config file.
0:12 We never type that from scratch.
0:14 We find some example, and we adapt it.
0:16 So that's what I did. We'll talk about that in a minute.
0:18 But we also, I also put in here,
0:20 there's a script that sort of takes us through these steps to set up our server.
0:23 So we've done our upgrade and patch.
0:26 We've installed z shell. Now we're gonna need a few other things in order to further
0:30 secure our server and to make it ready, to get it ready to run Python.
0:34 For example, make sure we have the Python 3 Dev tools so we can install
0:38 things and so on. Let's go over here and put the build essentials, Git, Zip,
0:44 and some other things. Not all of them are required,
0:46 but they're all useful. Now
0:49 we have things like Git set up.
0:51 That's cool. Let's set up Python. On Linux, when we install Python 3,
0:56 it doesn't necessarily come with Pip or with virtual environment, so
0:59 we're going to install all three of those now. And just talking about z shell,
1:03 if I type "apt" for stuff that I could have done, because I typed
1:08 sudo, didn't I? So if I type sudo,
1:10 you can just see it will only cycle through the sudo stuff as you arrow,
1:13 whereas bash, it just goes through the history and things like that.
1:16 So there's a bunch of little nice touches.
1:18 Alright, so now we should be able to run Python dash v,
1:23 Python 3 dash v. There we go.
1:25 3.8.5. Now we're gonna do a couple of things here to make the system a little
1:30 more secure. We're gonna do three things in particular.
1:32 We're going to set up what's called "fail2ban" and to do fail2ban,
1:36 what this is, is if somebody tries to log in over ssh and they fail,
1:41 either through username password, which we don't have set up or through ssh keys,
1:45 if they do that too many times,
1:47 then they're going to be banned from attempting to log in.
1:50 So this is a nice little service to
1:53 avoid sort of dictionary attacks or brute force attacks against logging in.
1:56 We also want to turn on a firewall.
1:59 Linux Ubuntu comes with a firewall, Uncomplicated Firewall,
2:02 UFW, and what we want to do is we want to say,
2:05 "allow ssh traffic and allow web traffic".
2:08 So port 80 to start things off on http and 443 to allow SSL https
2:14 traffic. Other than that, we want to allow nothing,
2:16 and we turn it on it says
2:18 if you have not allowed SSH and you say "turn on the
2:22 firewall", you're never coming back.
2:24 But luckily we have. So let's close this and just reconnect to make sure it's
2:28 fine, it is. Then the other thing is,
2:31 what is our user? I'm root.
2:34 Do you think running as root is a good idea?
2:36 No. So not a good idea at all. So we're gonna install, create a new
2:41 user, a user that doesn't have login permissions, it's a
2:46 wimpier user, and we're going to run our web application in that. That way,
2:49 in case somebody happens to break through and take over our system,
2:54 they're only gonna be able to do what API user can do, not what
2:57 root can do. So that's good.
2:58 We also want to create some log files, locations here, and then give that user permissions.
3:03 I think I probably, they must have to exist first.
3:06 So let's do that. And then we can say give them modify access to where
3:10 the Web app needs to keep its logs.
3:12 Alright, so we're not, we don't have our code on here yet.
3:15 We don't have the libraries needed to run, set up like uvicorn, or
3:20 FastAPI, but our server is much closer.
3:23 We've got fail2ban, we've got the firewall running for only the ports
3:27 we want to explicitly expose, the three, and then we've got our user that is a
3:33 less privileged user to run our Web app as.