I have an app that’s already running on Fly with a certificate that is managed by Fly.
I would like to add an existing self-signed certificate to the same app (but on another subdomain).
I have existing clients in the wild that have pinned that exact certificate and will not connect using any other cert.
Can I solve this directly in Fly config or do I need to set up a proxy app myself?
It is a bit of an involved setup.
You'll have to terminate your own TLS (you're not doing what is called mTLS, yeah?), as Fly doesn't yet support Bring-Your-Own-Certs.
The app config would look something like this:

```toml
# svc on public-ip:3443 forwarding tcp reqs to your-app:10443
[[services]]
  internal_port = 10443 # or, wherever the app's listening for tcp mtls reqs
  protocol = "tcp"

  [services.concurrency] # set as appropriate
    hard_limit = 96
    soft_limit = 84
    type = "connections"

  [[services.ports]]
    # use proxy_proto iff info such as client-ip, server-name-id etc is required
    # handlers = ["proxy_proto"]
    # use either v1 (the default) or v2
    # proxy_proto_options = { version = "v2" }
    port = 3443 # public port, exposed to clients
```
You can distribute your TLS (key, cert) pair(s) to the VMs running your Fly app via flyctl secrets, ref this discussion: How are you managing cert files with Fly?

Then, use the language / library / framework / reverse-proxy of your choice to do TLS termination using the (key, cert) pair(s) from secrets. In golang, it is particularly straight-forward to terminate TLS (as it is in HAProxy, Nginx, Node, Deno et al): ref.
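As an added example (not code from the thread or from Fly), here is the Go side of that setup: the service terminates TLS itself on the `internal_port` above, loading the (key, cert) pair from environment variables, which is how a value set with `flyctl secrets set` reaches the process. The variable names `TLS_CERT_PEM` / `TLS_KEY_PEM` are assumptions, `pinnedClientConfig` is a hypothetical model of what the clients in the wild do (exact leaf SHA-256 match instead of chain validation), and `selfSignedPEM` is constructed throwaway material for local runs only; in production the pinned pair comes from secrets.

```go
// Added example (not Fly's or the thread's code): terminate TLS inside the Fly
// VM with the (key, cert) pair that `flyctl secrets` exposes as environment
// variables. TLS_CERT_PEM / TLS_KEY_PEM are assumed names; :10443 is the
// internal_port from the fly.toml above.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"os"
	"time"
)

// loadKeyPair parses a PEM cert chain and private key and fills in the leaf.
func loadKeyPair(certPEM, keyPEM []byte) (tls.Certificate, error) {
	if len(certPEM) == 0 || len(keyPEM) == 0 {
		return tls.Certificate{}, errors.New("empty certificate or key PEM")
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return tls.Certificate{}, err
	}
	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
	return cert, err
}

// leafFingerprint is the SHA-256 of the DER leaf, what a pinning client checks.
func leafFingerprint(cert tls.Certificate) string {
	sum := sha256.Sum256(cert.Certificate[0])
	return hex.EncodeToString(sum[:])
}

// serverTLSConfig offers exactly one certificate: the pinned one.
func serverTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// pinnedClientConfig mirrors the clients in the wild (hypothetical model): no
// chain validation, since the cert is self-signed, but an exact leaf match.
func pinnedClientConfig(fingerprint string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain check replaced by the pin below
		MinVersion:         tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no peer certificate")
			}
			if got := sha256.Sum256(cs.PeerCertificates[0].Raw); hex.EncodeToString(got[:]) != fingerprint {
				return errors.New("peer certificate does not match pin")
			}
			return nil
		},
	}
}

// selfSignedPEM mints a throwaway pair for local runs and tests (constructed
// material; in production the real pair comes from secrets).
func selfSignedPEM(host string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	cert, err := loadKeyPair([]byte(os.Getenv("TLS_CERT_PEM")), []byte(os.Getenv("TLS_KEY_PEM")))
	if err != nil {
		log.Fatalf("loading TLS material from secrets: %v", err)
	}
	log.Printf("serving %q, leaf sha256 %s", cert.Leaf.Subject.CommonName, leafFingerprint(cert))
	srv := &http.Server{Addr: ":10443", TLSConfig: serverTLSConfig(cert),
		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: use TLSConfig.Certificates
}
```

Deploy the real pair with `flyctl secrets set TLS_CERT_PEM="$(cat cert.pem)" TLS_KEY_PEM="$(cat key.pem)"`; the logged leaf fingerprint at startup is a quick way to confirm the VM is serving the exact certificate the clients have pinned, since Fly's TCP service passes the handshake through untouched.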