Best way to allow NATS websocket connections

Hello! I have a NATS super cluster running based on

More details are below about my fork. What would be the best way to allow only wss traffic over the public IP? All other traffic will be on the internal VPN, like the NATS-based chat app.

Would there be any benefit putting haproxy or nginx in front as a websocket only proxy?

To get the cluster running and to use accounts, I updated dependencies and have a preloaded SYS account for authentication.

fly.example.toml showing how I am exposing NATS to the internet.

Nice to see you picking up NATS!

I’m not totally clear on the problem. With your current config, it looks like you have port 14222 open with TCP TLS termination, and port 443 with http/tls for websockets. Are you saying that you don’t want port 14222 to be exposed?

Thanks @jsierles, yes, there is some experimentation here. Learning as I go, both for the fly.toml services block and for NATS. I might want to keep 14222 open for connections outside fly.io.

Will using 443 in this way suffice for wss traffic since fly.io terminates tls for me?
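The thread leaves the "only wss on the public IP" question open, so here is an added example of the arrangement jsierles describes (443 with tls+http handlers) reduced to the WebSocket listener alone. This is not the poster's fly.toml and not from the NATS project; the app name and the internal port numbers (8080 for the NATS WebSocket listener, 4222 for the plain client port) are assumptions.

```toml
# fly.toml (added example, not the poster's file): publish only the
# WebSocket listener on the public anycast IP. Assumed internal ports:
#   8080 = nats-server websocket listener, configured in nats-server.conf as
#          websocket { listen: "0.0.0.0:8080", no_tls: true }
#   4222 = plain NATS client port (assumed; not listed below, so it is reachable
#          only over the Fly private network / WireGuard, never via the public IP)
app = "nats-ws-example"   # hypothetical app name

[[services]]
  internal_port = 8080    # the nats-server websocket listener
  protocol = "tcp"

  # Fly's edge terminates TLS ("tls" handler) and forwards HTTP, including
  # the WebSocket upgrade, to the app ("http" handler). Clients connect to
  # wss://<app>.fly.dev:443; nats-server itself sees plain ws on 8080,
  # which is why the websocket block above must set no_tls: true.
  [[services.ports]]
    port = 443
    handlers = ["tls", "http"]

  # Deliberately no [[services.ports]] entry for 14222: the raw NATS client
  # protocol is not published on the public IP at all. Add that entry back
  # (handlers = ["tls"], port = 14222, internal_port 4222) only if clients
  # outside the private network really need the non-WebSocket protocol.
```

Two things worth checking before relying on this. First, nats-server's WebSocket listener requires TLS unless `no_tls: true` is set, so with Fly terminating TLS at the edge the plain listener is the correct pairing; `no_tls` should only ever be used behind a proxy that does the TLS, which is the case here. Second, a websocket-only haproxy or nginx layer adds little that this fly.toml does not already give you, since the platform only forwards the ports you list; the one thing such a proxy commonly adds, restricting which browser origins may connect, nats-server can do itself through `allowed_origins` (or `same_origin`) inside the same `websocket` block. If you also want the client port to be unreachable on any public interface regardless of fly.toml, bind it to the instance's private IPv6 address (`fly-local-6pn`) rather than `0.0.0.0`.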