I’m using Caddy for reverse proxying to external apps, and to terminate SSL. I’m not using the tls or http handlers because I couldn’t find a way to let Caddy handle the TLS termination with them active.
So I’m wondering if there’s a way to still have requests go to another node if this one is down or something. Seems like I lose fly-prefer-region functionality if I’m not using those service handlers as well, so I’m not sure if I can handle re-routing requests in the node itself either if for instance it wasn’t down completely but was having issues.
If you turn off the
http handler you get TCP level load balancing. This isn’t as reliable as HTTP load balancing in our infra (we do a lot of clever stuff with retries that hide issues with the apps), but it should work decently well.
Out of curiosity, what do you gain by doing your own TLS termination?
Thanks for the reply!
If you turn off the http handler you get TCP level load balancing.
Are there any configurations I can do for this? Or is there anything I could tell caddy to do that would start rerouting requests to other nodes at the TCP level when needed?
what do you gain by doing your own TLS termination?
I ask myself that often as I consider just using Fly. Ostensibly:
- Cert issuance on-demand (first request) - users just need to set an A or CNAME record, no checking back or extra steps. Not sure how fly does this but it seems like it would add steps.
- Control in the event of issues
- The ability to handle L4 pass-through types of setups where I let the upstream terminate tls, (I don’t actually do this yet though)
- Variable vs fixed costs - I know the fly certs are cheap but my business model is based around pricing being as flat as possible. Priced for resources and regions instead of per domain like competitors. 10 cents per cert is borderline for still being able to use that business model, and $2/wildcard would likely make the numbers not work anymore.
Wait, sorry I know I’ve asked this in various ways but I’m still confused - can I use the http service handler without terminating TLS with fly? The docs make it sound like I can but every time I’ve tried that setup things seem to break.
You can’t use the http handler unless we terminate TLS. Since the TLS stream is encrypted, we need to terminate to “see” inside it and detect HTTP requests.
You’re right that we don’t do on demand certs. We actually used to, but it creates big security problems. It’s safer to have people “register” a hostname before we provision the certificate.
We have plans coming soon that might help you worry less about certificate pricing. Part of the problem with certificates is that the support and management load increases linearly when you add them. Charging a flat rate for an unbounded number of certs frightens me.
Charging a flat rate for an unbounded number of certs frightens me.
Must point out to OP that wildcard certs are essentially “unbounded” in the subdomain (
*.subdomain.mydomain.tld) for which Fly.io charges $2/mo (as of writing). On Cloudflare, you’d need to pony up $200/mo (!) to merely gain the ability to vend wildcard certs.
Part of the problem with certificates is that the support and management load increases linearly when you add them.
Btw, does Fly vend multiple SANs in a single certificate? We vend SANs + wildcards from ZeroSSL today, all in a single cert for use on our test Fly.io VMs.
We don’t do multiple SANs. We looked at it, but it was more complicated to troubleshoot than a single name per cert.