All Ports are Open

We use Fly.io for providing our users with custom domains and we also run an NGINX reverse proxy.

Basically, our customers can point their domains at Fly, then the reverse proxy forwards that request to our servers.

Recently one of our customers got in touch to say they were in the process of setting up some digital insurance, and that the insurance company has noticed that on the domain they point at Fly, all ports are open.

I’m unsure if this is something specific to our setup or just how Fly works. Here is what our fly.toml looks like.

app = "niice-proxy"
primary_region = "lhr"
kill_signal = "SIGINT"
kill_timeout = "5s"

[[services]]
protocol = "tcp"
internal_port = 8080

[[services.ports]]
port = 80
handlers = ["http"]

[[services.ports]]
port = 443
handlers = ["tls", "http"]

[services.concurrency]
type = "connections"
hard_limit = 200
soft_limit = 180

[[services.tcp_checks]]
interval = "10s"
timeout = "2s"
grace_period = "1s"
restart_limit = 0

I’m not going to copy the full contents of the nginx config here unless it might be the problem.

Any advice here would be very useful!

Hey @ThePaulMcBride

Yeah, that’s how Fly works. fly-proxy listens on all anycasted IPs and all ports, but it will only forward connections to your app if their destination matches what’s configured in fly.toml.

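
One way to turn that answer into something you can hand to an auditor is to reconcile the scanner's "all ports open" list against the ports fly.toml actually forwards. The script below is an added example, not Fly's code or anything from the thread: it parses a constructed fly.toml (mirroring the one posted above), lists the forwarded surface, and classifies every other "open" port as accepted by fly-proxy but never forwarded to the app. The handling of the newer `[http_service]` form (assumed to expose 80 and 443, per the Fly docs) and the sample scanner output are assumptions, not taken from this page.

```python
"""Reconcile a scanner's "all ports are open" finding against a fly.toml.

fly-proxy accepts TCP connections on every anycast IP and port, but only
forwards a connection to the app when the destination port is declared
under [[services.ports]] (or implied by [http_service]). This audit parses
the config, lists the forwarded surface, and classifies every other port a
scanner reports as "open" as proxy-accepted-but-not-forwarded.
"""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: `pip install tomli`
    import tomli as tomllib  # type: ignore

# Constructed sample, mirroring the fly.toml posted in the thread.
SAMPLE_FLY_TOML = """
app = "niice-proxy"
primary_region = "lhr"

[[services]]
protocol = "tcp"
internal_port = 8080

[[services.ports]]
port = 80
handlers = ["http"]

[[services.ports]]
port = 443
handlers = ["tls", "http"]

[services.concurrency]
type = "connections"
hard_limit = 200
soft_limit = 180
"""


def forwarded_ports(fly_toml: str) -> dict:
    """Map each externally reachable port to the service it is forwarded to.

    Returns {port: {"protocol": str, "internal_port": int, "handlers": [str]}}.
    """
    cfg = tomllib.loads(fly_toml)
    surface = {}
    for svc in cfg.get("services", []):
        for entry in svc.get("ports", []):
            surface[int(entry["port"])] = {
                "protocol": svc.get("protocol", "tcp"),
                "internal_port": svc.get("internal_port"),
                "handlers": list(entry.get("handlers", [])),
            }
    # Assumption (from the Fly docs, not from this thread): the newer
    # [http_service] section implicitly exposes 80 (http) and 443 (tls+http).
    http_svc = cfg.get("http_service")
    if http_svc:
        internal = http_svc.get("internal_port")
        surface.setdefault(80, {"protocol": "tcp", "internal_port": internal,
                                "handlers": ["http"]})
        surface.setdefault(443, {"protocol": "tcp", "internal_port": internal,
                                 "handlers": ["tls", "http"]})
    return surface


def classify_scan(open_ports, fly_toml: str) -> dict:
    """Split scanner-reported open ports into those that reach the app and
    those that only ever reach fly-proxy."""
    surface = forwarded_ports(fly_toml)
    return {
        "forwarded": sorted(p for p in set(open_ports) if p in surface),
        "proxy_only": sorted(p for p in set(open_ports) if p not in surface),
    }


def plaintext_http_ports(fly_toml: str) -> list:
    """Forwarded ports that speak HTTP without a TLS handler; worth listing for
    an auditor alongside the proxy-only explanation."""
    return sorted(
        port
        for port, info in forwarded_ports(fly_toml).items()
        if "http" in info["handlers"] and "tls" not in info["handlers"]
    )


if __name__ == "__main__":
    # Constructed scanner output: a few "open" ports as an insurer's tool might report them.
    reported_open = [22, 80, 443, 3306, 8080]
    verdict = classify_scan(reported_open, SAMPLE_FLY_TOML)
    print("forwarded to app:", verdict["forwarded"])
    print("accepted by fly-proxy only:", verdict["proxy_only"])
    print("HTTP without TLS:", plaintext_http_ports(SAMPLE_FLY_TOML))
```

Run it against your real fly.toml and the scanner's port list; the `proxy_only` set is exactly what the insurer is seeing as "open" without any service behind it, and `forwarded` is the surface you actually need to defend.
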
Good to know!

I don’t suppose you have any documentation on this that we can forward to those who need it? It’ll sound a fair bit more legit if it was explained by some docs rather than a Slack message from myself!

I don’t think the exact process is documented.

We had a (unrelated) blog post at some point that mentioned the way it works: https://fly.io/blog/rust-memory-leak/
The underlying implementation has changed since then, but the idea remains the same - only connections to ports configured in fly.toml are forwarded to your app.

We do have this section in Healthcare apps on Fly:

Default-Deny Public Networking

What that means for you is that nothing on your app is exposed unless you ask us to expose it. No security group rules or network ACLs required! You’re locked down by default.

We should probably mention it in Public Network Services.

I added a section here: Public Network Services · Fly Docs

This is perfect! Thanks Joshua!
