Security hardening guide for FastGPT deployments.
FastGPT is an open-source knowledge-based AI Agent platform (Apache-2.0 with additional conditions). While it provides good security features, proper configuration is essential for production deployments.
Default Behavior:
Secure Configuration:
ports:
- "127.0.0.1:3000:3000"
# Allow only specific IPs
sudo ufw allow from 192.168.1.0/24 to any port 3000
sudo ufw deny 3000/tcp
With Nginx:
server {
listen 443 ssl http2;
server_name fastgpt.example.com;
ssl_certificate /etc/ssl/certs/fastgpt.example.com.crt;
ssl_certificate_key /etc/ssl/private/fastgpt.example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Default credentials:
root1234Change immediately:
Generate API Keys:
API Key Best Practices:
# Generate secure keys
openssl rand -hex 32 # ROOT_KEY
openssl rand -hex 32 # TOKEN_KEY
# Use Docker secrets or external secret management
# Don't commit .env files to version control
echo ".env" >> .gitignore
Default configuration is insecure:
Secure MongoDB:
services:
mongodb:
environment:
- MONGO_INITDB_ROOT_USERNAME=admin
- MONGO_INITDB_ROOT_PASSWORD=secure-password
command: --auth
Update connection string:
DB_URL=mongodb://admin:secure-password@mongodb:27017/fastgpt?authSource=admin
Change default password:
services:
postgresql:
environment:
- POSTGRES_PASSWORD=secure-database-password
Restrict network access:
networks:
fastgpt-network:
internal: true # No external access
Access Control:
Data Classification:
Retention Policy:
Privacy:
Configure rate limits:
# In FastGPT settings or reverse proxy
rate_limit:
requests_per_minute: 60
requests_per_hour: 1000
Nginx rate limiting:
limit_req_zone $binary_remote_addr zone=onepersecond:10m rate=1r/s;
location / {
limit_req zone=onepersecond burst=5 nodelay;
proxy_pass http://localhost:3000;
}
Configure allowed origins:
# In FastGPT settings
CORS_ALLOWED_ORIGINS: https://your-domain.com
Nginx CORS:
add_header Access-Control-Allow-Origin https://your-domain.com;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
services:
fastgpt:
read_only: true
tmpfs:
- /tmp
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
user: "1000:1000"
services:
fastgpt:
deploy:
resources:
limits:
cpus: '4'
memory: 4G
reservations:
cpus: '2'
memory: 2G
Log configuration:
services:
fastgpt:
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
Monitor for:
# View logs
docker compose logs -f fastgpt
# Find errors
docker compose logs fastgpt | grep ERROR
# Find authentication failures
docker compose logs fastgpt | grep -i "auth.*fail"
Update FastGPT:
# Pull latest image
docker compose pull fastgpt
# Restart with new version
docker compose up -d fastgpt
Monitor for updates:
Allowed:
Restricted:
Contact for commercial license:
GDPR/CCPA:
Healthcare (HIPAA):
Finance (SOC 2):
# Find failed authentications
docker compose logs fastgpt | grep -i "auth.*fail"
# Find unusual API patterns
docker compose logs fastgpt | grep "POST /api"
# Check for errors
docker compose logs fastgpt | grep ERROR
Any questions?
Feel free to contact us. Find all contact information on our contact page.