Nginx reverse proxy configuration for FastAPI with SSL

<p>I am deploying FastAPI with Nginx as a reverse proxy. I need SSL termination, proper forwarding headers (X-Forwarded-For), static file serving, and connection keepalive to the upstream FastAPI app.</p>

<p>Nginx reverse proxy config:</p> <div class="highlight"><pre><span></span><code><span class="k">upstream</span><span class="w"> </span><span class="s">fastapi</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kn">server</span><span class="w"> </span><span class="n">127.0.0.1</span><span class="p">:</span><span class="mi">8000</span><span class="p">;</span> <span class="w"> </span><span class="kn">keepalive</span><span class="w"> </span><span class="mi">32</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kn">listen</span><span class="w"> </span><span class="mi">443</span><span class="w"> </span><span class="s">ssl</span><span class="w"> </span><span class="s">http2</span><span class="p">;</span> <span class="w"> </span><span class="kn">server_name</span><span class="w"> </span><span class="s">myapp.com</span><span class="p">;</span> <span class="w"> </span><span class="kn">ssl_certificate</span><span class="w"> </span><span class="s">/etc/letsencrypt/live/myapp.com/fullchain.pem</span><span class="p">;</span> <span class="w"> </span><span class="kn">ssl_certificate_key</span><span class="w"> </span><span class="s">/etc/letsencrypt/live/myapp.com/privkey.pem</span><span class="p">;</span> <span class="w"> </span><span class="kn">client_max_body_size</span><span class="w"> </span><span class="mi">10m</span><span class="p">;</span> <span class="w"> </span><span class="kn">location</span><span class="w"> </span><span class="s">/static/</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kn">alias</span><span class="w"> </span><span class="s">/app/static/</span><span class="p">;</span> <span class="w"> </span><span class="kn">expires</span><span class="w"> </span><span class="s">30d</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="kn">location</span><span class="w"> </span><span class="s">/</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kn">proxy_pass</span><span class="w"> </span><span class="s">http://fastapi</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_http_version</span><span class="w"> </span><span class="mi">1</span><span class="s">.1</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_set_header</span><span class="w"> </span><span class="s">Connection</span><span class="w"> </span><span class="s">""</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_set_header</span><span class="w"> </span><span class="s">Host</span><span class="w"> </span><span class="nv">$host</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_set_header</span><span class="w"> </span><span class="s">X-Real-IP</span><span class="w"> </span><span class="nv">$remote_addr</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_set_header</span><span class="w"> </span><span class="s">X-Forwarded-For</span><span class="w"> </span><span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_set_header</span><span class="w"> </span><span class="s">X-Forwarded-Proto</span><span class="w"> </span><span class="nv">$scheme</span><span class="p">;</span> <span class="w"> </span><span class="kn">proxy_read_timeout</span><span class="w"> </span><span class="s">60s</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>In FastAPI:</p> <div class="highlight"><pre><span></span><code><span class="kn">from</span><span class="w"> </span><span class="nn">uvicorn.middleware.proxy_headers</span><span class="w"> </span><span class="kn">import</span> <span class="n">ProxyHeadersMiddleware</span> <span class="n">app</span><span class="o">.</span><span class="n">add_middleware</span><span class="p">(</span><span class="n">ProxyHeadersMiddleware</span><span class="p">,</span> <span class="n">trusted_hosts</span><span class="o">=</span><span class="s2">"*"</span><span class="p">)</span> </code></pre></div> <p>Key points: - proxy_http_version 1.1 + empty Connection enables HTTP keepalive upstream - X-Forwarded-Proto tells FastAPI the request came via HTTPS - client_max_body_size must be set in Nginx before FastAPI sees the request</p>