Confused about how to make an app only accessible through a private network

I’m a little confused about how to make a python server app only accessible through a proxy. I tried the following, but I am not sure which one is correct. First, I use fly ips release released all the ips, but the server was still accessible. Then, I deleted the http_service section from the fly.toml file, and the server was no longer accessible. This means that releasing the ips did not have the expected effect. I am really confused.

here’s my dockerfile and fly.toml

FROM python:3.11.6-slim-bookworm as base


RUN pip install flask
COPY /app/
RUN mkdir /data/ 
RUN touch /data/file.txt

ENTRYPOINT ["flask"]
CMD ["--app","main","run","--host","::","--port","8080"]
app = "name"
primary_region = "sin"


  source = "other_data"
  destination = "/data"
  auto_extend_size_threshold = 0

  cpu_kind = "shared"
  cpus = 1
  memory_mb = 10

It’s because http_service automatically opens the port for :80 and :443, see: Fly Launch configuration (fly.toml) · Fly Docs

So to make your app accessible through a private network, don’t use http_service, use [[services]] instead. EG:

 protocol = "tcp"
 internal_port = 8080

 # this sets up an internal HTTP connection (on the same port) so that 
 # you can use the proxy to load balance via <app-name>.flycast:8080
    handlers = ["http"]
    port = "8080"

As far as I’ve been able to determine public vs private access is what type of IP addresses are assigned to the app.

As mentioned in the note in their docs: Private Networking · Fly Docs

Note: If you have a public IP address assigned to your app, services in fly.toml will be exposed to the public internet. Verify this with fly ips list.

I still use the http_service config for my apps, but I manually release the public IP addresses and then add a private ipv6 address so that it can still be load balanced via the .flycast address.

It’s strange that you still had access when all ips were released, I haven’t encountered that issue before.

Thanks,this setup is really straightforward and works well; I also gave tailscale a shot later but didn’t manage to get it working. :joy:

Yeah it’s weird, I haven’t confirmed that, but I suspect that even after releasing all ips, if the fly.toml still has http_service, it still accessible even after I removed the http_service, the situation stayed the same

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.