Adding a self-signed certificate

It is a bit of an involved setup.

You’ll have to terminate your own TLS (what you’re doing is called mTLS, yeah?), as Fly doesn’t yet support Bring-Your-Own-Certs.

The app config would look something like this:

# svc on public-ip:3443 forwarding tcp reqs to your-app:10443
[[services]]
  internal_port = 10443 # or wherever the app's listening for tcp mtls reqs
  protocol = "tcp"

  [services.concurrency] # set as appropriate
  hard_limit = 96
  soft_limit = 84
  type = "connections"

  [[services.ports]]
    # use proxy_proto iff info such as client-ip, server-name-id etc is required
    # handlers = ["proxy_proto"]
    # use either v1 (the default) or v2
    # proxy_proto_options = { version = "v2" }
    port = 3443 # public port, exposed to clients

You can distribute your TLS (key, cert) pair(s) to the VMs running your Fly app via flyctl secrets; ref this discussion: How are you managing cert files with Fly?

Then, use the language / library / framework / reverse-proxy of your choice to do TLS termination using the (key, cert) pair(s) from secrets. In golang, it is particularly straightforward to terminate TLS (as it is in HAProxy, Nginx, Node, Deno et al): ref.