Production Deployment Guide

🚀 Linux Server Setup

FastAPI · Gunicorn · PM2 · NGINX · SSL · UFW · Fail2Ban · SSH Hardening · AWS Lightsail

OS: Ubuntu 22.04
App: FastAPI
Proxy: NGINX
Port: 127.0.0.1:4980

With all 17 steps completed:
Security coverage: Firewall → Fail2Ban → SSH Keys → NGINX → Rate Limit → FastAPI
Estimated security score: 9/10 (Production Ready)


Traffic flows through multiple security layers before reaching your FastAPI app:

Internet
   ↓
AWS Lightsail Cloud Firewall  (ports 22, 80, 443)
   ↓
UFW Firewall                  (OS-level, Ubuntu)
   ↓
Fail2Ban                      (Brute-force / IDS)
   ↓
NGINX Reverse Proxy           (public-facing, 80/443)
   ↓
Gunicorn + Uvicorn Workers    (ASGI app server)
   ↓
FastAPI Application           (127.0.0.1:4980 — localhost only)

Key rule: Backend only binds to 127.0.0.1:4980 — never 0.0.0.0. NGINX is the only public entry point.
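One way to verify the key rule on the server, as an added example that is not part of the original guide: it parses `ss -H -ltn` output and flags the backend port on a non-loopback address, or any public listener outside ports 22, 80 and 443. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import subprocess

PUBLIC_PORTS = {22, 80, 443}   # ports the guide opens in Lightsail / UFW
BACKEND_PORT = 4980            # guide: FastAPI must stay on 127.0.0.1:4980

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_BAD = """\
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
LISTEN 0 511        0.0.0.0:80      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 2048       0.0.0.0:4980    0.0.0.0:*
LISTEN 0 511           [::]:443        [::]:*
LISTEN 0 128              *:5432          *:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -H -ltn`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")   # drop %iface and IPv6 brackets
        yield host, int(port)

def is_loopback(host):
    # ss prints "*" for a dual-stack wildcard bind, which is never loopback.
    return host != "*" and ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    """Return findings that violate the guide's layering rule."""
    findings, backend_seen = [], False
    for host, port in parse_listeners(ss_output):
        backend_seen = backend_seen or port == BACKEND_PORT
        if is_loopback(host):
            continue
        if port == BACKEND_PORT:
            findings.append(f"backend exposed on {host}:{port}; bind 127.0.0.1")
        elif port not in PUBLIC_PORTS:
            findings.append(f"unexpected public listener {host}:{port}")
    if not backend_seen:
        findings.append(f"nothing listening on port {BACKEND_PORT}")
    return findings

if __name__ == "__main__":
    live = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True).stdout
    for finding in audit(live):
        print("FAIL:", finding)
```

Run on the server, it audits the live socket table; an empty result means only SSH and NGINX are reachable and the backend is confined to loopback.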

✅ Security Coverage

UFW OS-level firewall
AWS Lightsail cloud firewall
Fail2Ban brute-force protection
HTTPS via Let's Encrypt
HTTP → HTTPS redirect
API rate limiting (10 req/s)
Per-IP connection limiting
PHP / WordPress exploit blocking
Bad bot detection & blocking
Backend isolated to 127.0.0.1
Security headers (HSTS, etc.)
server_tokens off
SSH key-only login
Root SSH login disabled
Automatic security updates
Fail2Ban SSH + NGINX jails
Guide v2.0 · Ubuntu 22.04 · NGINX 1.18+ · Certbot · UFW · Fail2Ban · SSH Ed25519