Skip to main content

Deployment

This document details the deployment process for FF-API-External, including deployment options, server configurations, and best practices for production environments.

Table of Contents

Deployment Options

FF-API-External can be deployed in various ways depending on your infrastructure requirements.

Development Server

For development and testing, you can use the built-in Flask development server:

python server.py

This will start the server on port 5060 with debug mode enabled, as specified in server.py:

if __name__ == "__main__":
    # Test or local development config
    app.run(port=5060, debug=True, threaded=True)

Production Deployments

For production environments, use a production-grade WSGI server like Gunicorn or uWSGI.

Gunicorn

The repository includes a gunicorn_config.py file with the following configuration:

from multiprocessing import cpu_count

bind = '0.0.0.0:8080'
workers = (2 * cpu_count()) + 1
worker_class = 'gevent'
worker_connections = 1000
timeout = 1800

To deploy with Gunicorn:

gunicorn --config gunicorn_config.py wsgi:app

uWSGI

The repository includes a server.ini configuration file for uWSGI:

[uwsgi]
module = wsgi:app
master = true
processes = 10
socket = con8r.sock
chmod-socket = 660
vacuum = true
die-on-term = true

To deploy with uWSGI:

uwsgi --ini server.ini

Server Configuration

Nginx as Reverse Proxy

In production, it's recommended to use Nginx as a reverse proxy in front of your WSGI server.

Example Nginx configuration:

server {
    listen 80;
    server_name api.example.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'";
    add_header Referrer-Policy strict-origin-when-cross-origin;

    # Proxy settings
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Apache as Reverse Proxy

Alternatively, you can use Apache as a reverse proxy.

Example Apache configuration:

<VirtualHost *:80>
    ServerName api.example.com
    Redirect permanent / https://api.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key

    # Security headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set Referrer-Policy strict-origin-when-cross-origin

    # Proxy settings
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

Environment Setup

Python Environment

FF-API-External requires Python 3.11.9, as specified in runtime.txt:

python-3.11.9

Create a virtual environment with the correct Python version:

python3.11 -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
pip install -r requirements.txt

Environment Variables

Configure environment variables according to the .env file:

# Database configurations
MYSQL_HOST=your-mysql-host
MYSQL_USER=your-mysql-user
MYSQL_PASSWORD=your-mysql-password
MYSQL_DB=your-mysql-db
# ... other environment variables

For production, it's recommended to use a secure method for managing environment variables, such as:

  • Environment variable files loaded by the process manager
  • Secret management services like HashiCorp Vault or AWS Secrets Manager
  • Container orchestration platforms' secret management features

Database Configuration

MySQL Configuration

Ensure that the MySQL database is properly configured with the necessary tables and permissions.

Connection details are configured in db_config.py:

app.config["MYSQL_HOST"] = config('MYSQL_HOST')
app.config["MYSQL_USER"] = config('MYSQL_USER')
app.config["MYSQL_PASSWORD"] = config('MYSQL_PASSWORD')
app.config["MYSQL_DB"] = config('MYSQL_DB')
app.config["MYSQL_CURSORCLASS"] = config('MYSQL_CURSORCLASS')
app.config["MYSQL_PORT"] = int(config('MYSQL_PORT'))

MongoDB Configuration

Ensure that MongoDB is properly configured and accessible.

Connection string is loaded from environment variables:

self.mclient = MongoClient(config('MONGODB_MAIN_PROD'))

SSL/TLS Configuration

For secure communication, enable SSL/TLS for all connections.

Certificate Files

The repository includes certificate files for MongoDB:

  • ca-certificate.crt
  • mongodb-1-cert.crt

Ensure these certificates are placed in the correct location and have the proper permissions.

Database Connections

Ensure that database connections use SSL/TLS:

MONGODB_MAIN_PROD=mongodb+srv://starbright:[email protected]/gateway?authSource=admin&replicaSet=db-mongodb-1&tls=true&tlsCAFile=/workspace/mongodb-1-cert.crt

Containerization

For easier deployment and scalability, you can containerize FF-API-External using Docker.

Example Dockerfile

FROM python:3.11.9-slim

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY . .

# Set environment variables
ENV PYTHONUNBUFFERED=1
ENV PYTHONDONTWRITEBYTECODE=1

# Expose port
EXPOSE 8080

# Run the application
CMD ["gunicorn", "--config", "gunicorn_config.py", "wsgi:app"]

Example Docker Compose

For local development or simple deployments, use Docker Compose:

version: '3.8'

services:
  api:
    build: .
    ports:
      - "8080:8080"
    env_file:
      - .env
    volumes:
      - ./:/app
    restart: unless-stopped
    depends_on:
      - db
      - mongo

  db:
    image: mysql:8
    ports:
      - "3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DB}
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    volumes:
      - mysql_data:/var/lib/mysql
    restart: unless-stopped

  mongo:
    image: mongo:4
    ports:
      - "27017:27017"
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_ROOT_USER}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_ROOT_PASSWORD}
    volumes:
      - mongo_data:/data/db
    restart: unless-stopped

volumes:
  mysql_data:
  mongo_data:

Scaling and Load Balancing

For high-availability and performance, implement scaling and load balancing.

Horizontal Scaling

To handle more traffic, you can horizontally scale the API service:

  • Deploy multiple instances of the application
  • Use a load balancer to distribute traffic
  • Ensure sessions are handled properly (stateless design is preferred)

Load Balancing with Nginx

Example Nginx load balancer configuration:

upstream api_backend {
    server api1.example.com:8080;
    server api2.example.com:8080;
    server api3.example.com:8080;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # SSL configuration
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    # Load balancing
    location / {
        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Monitoring and Logging

Implement monitoring and logging to ensure the health and performance of your deployment.

Logging

The application uses Python's built-in logging module. Configure it appropriately for production:

import logging

logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
    handlers=[
        logging.FileHandler("/var/log/ff-api-external.log"),
        logging.StreamHandler()
    ]
)

Monitoring

Consider implementing monitoring using tools like:

  • Prometheus for metrics collection
  • Grafana for visualization
  • ELK Stack for log analysis
  • New Relic or Datadog for application performance monitoring

Backup and Recovery

Implement regular backups and test recovery procedures for data resilience.

Database Backups

MySQL Backup Script

#!/bin/bash
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
BACKUP_DIR="/backup/mysql"
MYSQL_USER="your_mysql_user"
MYSQL_PASSWORD="your_mysql_password"
MYSQL_HOST="your_mysql_host"
MYSQL_DB="your_mysql_db"

# Create backup directory if it doesn't exist
mkdir -p $BACKUP_DIR

# Create backup
mysqldump -h $MYSQL_HOST -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DB | gzip > $BACKUP_DIR/$MYSQL_DB-$TIMESTAMP.sql.gz

# Clean up old backups (keep last 7 days)
find $BACKUP_DIR -name "*.sql.gz" -type f -mtime +7 -delete

MongoDB Backup Script

#!/bin/bash
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
BACKUP_DIR="/backup/mongodb"
MONGO_URI="mongodb+srv://user:password@host/database"

# Create backup directory if it doesn't exist
mkdir -p $BACKUP_DIR

# Create backup
mongodump --uri="$MONGO_URI" --out=$BACKUP_DIR/$TIMESTAMP

# Clean up old backups (keep last 7 days)
find $BACKUP_DIR -type d -mtime +7 -exec rm -rf {} \;

Deployment Checklist

Use this checklist before deploying to production:

  • Set DEBUG = False in all configuration files
  • Update all sensitive credentials and ensure they're not hardcoded
  • Configure proper logging
  • Set up SSL/TLS for all connections
  • Configure a production-grade web server and WSGI server
  • Set up monitoring and alerting
  • Implement backup procedures
  • Update all dependencies to latest secure versions
  • Review security headers and CORS settings
  • Perform load testing to ensure performance
  • Set up database connection pooling and optimizations
  • Configure rate limiting
  • Implement proper error handling
  • Set up CI/CD pipelines for automated deployment
  • Document deployment procedures
  • Create rollback strategies