We use Fly.io for providing our users with custom domains and we also run an NGINX reverse proxy.
Basically, our customers can point their domains at Fly, then the reverse proxy forwards that request to our servers.
Recently one of our customers got in touch to say they were in the process of setting up some digital insurance, and that the insurance company has noticed that on the domain they point at Fly, all ports are open.
I’m unsure if this is something specific to our setup or just how Fly works. Here is what our fly.toml looks like.
Yeah, that’s how Fly works. fly-proxy listens on all anycasted IPs and all ports, but it will only forward connections to your app if their destination matches what’s configured in fly.toml.
I don’t suppose you have any documentation on this that we can forward to those who need it? It’ll sound a fair bit more legit if it was explained by some docs rather than a Slack message from myself!
We had an (unrelated) blog post at some point that mentioned the way it works: https://fly.io/blog/rust-memory-leak/
The underlying implementation has changed since then, but the idea remains the same - only connections to ports configured in fly.toml are forwarded to your app.
…
What that means for you is that nothing on your app is exposed unless you ask us to expose it. No security group rules or network ACLs required! You’re locked down by default.
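To make the "only configured ports are forwarded" point concrete, here is an added example of the relevant part of a fly.toml. It is not the original poster's configuration (which is not shown in the thread) and not Fly's own documentation; the app name and the internal port 8080 are assumed values for a reverse proxy like the one described above.

```toml
# Added example, not the poster's fly.toml. Assumed: app "example-proxy",
# NGINX listening on 8080 inside the machine.
app = "example-proxy"

[[services]]
  internal_port = 8080   # port the reverse proxy listens on inside the VM
  protocol = "tcp"

  # Only the edge ports listed here are forwarded to internal_port.
  # fly-proxy accepts TCP connections on the anycast IP for other ports too,
  # which is why an external scan reports them as "open", but no connection
  # to an unlisted port is ever relayed to the app.
  [[services.ports]]
    port = 80
    handlers = ["http"]

  [[services.ports]]
    port = 443
    handlers = ["tls", "http"]
```

For a scanner-facing explanation, the distinction that matters is between the edge accepting a TCP handshake and the application actually receiving traffic: with this configuration, only 80 and 443 reach the proxy, and a connection to any other port terminates at the Fly edge.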