Docker application on fly.io behaving differently than locally

I have a docker container running tinyproxy with Dockerfile contents:

# Copyright (c) 2018 kalaksi@users.noreply.github.com.
# This work is licensed under the terms of the MIT license. For a copy, see <https://opensource.org/licenses/MIT>.

FROM alpine:3.14.3
LABEL maintainer="kalaksi@users.noreply.github.com"

# See tinyproxy.conf for better explanation of these values.
# Insert any value (preferably "yes") to disable the Via-header:
ENV DISABLE_VIA_HEADER ""
# Set this to e.g. tinyproxy.stats to enable stats-page on that address:
ENV STAT_HOST "tinyproxy.stats"
ENV MAX_CLIENTS "1024"
ENV MIN_SPARE_SERVERS "1"
ENV MAX_SPARE_SERVERS "1"
# A space separated list:
ENV ALLOWED_NETWORKS "0.0.0.0/0"

# Use a custom UID/GID instead of the default system UID which has a greater possibility
# for collisions with the host and other containers.
ENV TINYPROXY_UID 57981
ENV TINYPROXY_GID 57981

# Default tinyproxy.conf just with port set to 8888
ADD *.conf /etc/tinyproxy/

RUN apk add --no-cache \
      tinyproxy

RUN mv /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.default.conf && \
    chown -R ${TINYPROXY_UID}:${TINYPROXY_GID} /etc/tinyproxy /var/log/tinyproxy

# Tinyproxy seems to be OK for getting privileges dropped beforehand
USER ${TINYPROXY_UID}:${TINYPROXY_GID}
CMD set -eu; \
    CONFIG='/etc/tinyproxy/tinyproxy.conf'; \
    if [ ! -f "$CONFIG"  ]; then \
        cp /etc/tinyproxy/tinyproxy.default.conf "$CONFIG"; \
        ([ -z "$DISABLE_VIA_HEADER" ] || sed -i "s|^#DisableViaHeader .*|DisableViaHeader Yes|" "$CONFIG"); \
        ([ -z "$STAT_HOST" ]          || sed -i "s|^#StatHost .*|StatHost \"${STAT_HOST}\"|" "$CONFIG"); \
        ([ -z "$MIN_SPARE_SERVERS" ]  || sed -i "s|^MinSpareServers .*|MinSpareServers $MIN_SPARE_SERVERS|" "$CONFIG"); \
        ([ -z "$MIN_SPARE_SERVERS" ]  || sed -i "s|^StartServers .*|StartServers $MIN_SPARE_SERVERS|" "$CONFIG"); \
        ([ -z "$MAX_SPARE_SERVERS" ]  || sed -i "s|^MaxSpareServers .*|MaxSpareServers $MAX_SPARE_SERVERS|" "$CONFIG"); \
        ([ -z "$ALLOWED_NETWORKS" ]   || for network in $ALLOWED_NETWORKS; do echo "Allow $network" >> "$CONFIG"; done); \
        sed -i 's|^LogFile |# LogFile |' "$CONFIG"; \
    fi; \
    exec /usr/bin/tinyproxy -d;

Which works fine when running locally with docker run -p 8888:8888 -it .

curl http://localhost:8888 https://cloudflare.com/cdn-cgi/trace returns HTTP 200 with the page loading correctly, however on fly.io the same command (with localhost replaced with my application’s public ipv4) returns an error curl: (56) Recv failure: Connection was reset

my fly.toml contents are as follows:

app = "tinyproxy"

[[services]]
  internal_port = 8888
  protocol = "tcp"
  handlers = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
	
  [[services.tcp_checks]]
    interval = 10000
    timeout = 3333

The application’s logs are filled with Errors like read_request_line: Client (file descriptor: 5) closed socket before read. but I believe this is because of the TCP health checks

Any ideas?

The [[services]] need to define both internal and external ports. If you add this right above concurrency, I believe it’ll work:

  [services.port]
    [services.port.8888]
      handlers = []