fly.toml reference gaps

What is processes = ["app"] in the default config? What does allowed_public_ports do exactly?

What’s the right way to have a regular app on :80, but squid on :3128? Two services? It would be nice to have some examples of “Multiple services sections: Mapping multiple internal ports to multiple external ports.”

Hey! Indeed we’re a bit behind on these topics. See answers at the end of this post.

If you’re running Squid in front of your app as an HTTP cache, I’d recommend two separate Fly apps. They can communicate over your private network. If you have webapp as your app name, and it listens on port 80, Squid can send traffic to http://webapp.internal. Simple as that.

The squid fly.toml might look like:

app = "mysquid"

[[services]]
  internal_port = 3128
  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

This will terminate TLS for you on port 443 (making for a simpler squid config). Then traffic is passed with normal HTTP to your squid instances on port 3128.

fly.toml for your app can simply contain the following if you don’t want it exposed to the internet (only to squid):

app = "mywebapp"
[[services]]

The blank services block is required to ensure the default internet-facing ports are closed off.

Now to answer your question about the fly.toml entries:

processes refers to an experimental feature allowing more than one service to be logically grouped within a single app. Check out this post for more info.

allowed_public_ports is deprecated - we just haven’t removed it from the default config yet.

Great, thank you. I would +1 removing allowed_public_ports from the config sooner rather than later.

I’m using squid to solve captchas from the main app’s IP. I settled on this for now:

processes = []
...
[[services]]
  internal_port = 8080
  processes = ["app"]
  [[services.ports]]
    handlers = ["http"]
    port = 80
  ...
[[services]]
  internal_port = 3128
  [[services.ports]]
    port = 3128 # squid

For this setup I’m sshing in to run squid manually when needed (it’s only needed after the app gets a captcha challenge).

To do this properly, is this what I would do?

[processes]
app = "python3.9 /app/main.py"
squid = "squid -d 30 -N"
[[services]]
  processes = ["app"]
  internal_port = 8080
  [[services.ports]]
    handlers = ["http"]
    port = 80
[[services]]
  processes = ["squid"]
  internal_port = 3128
  [[services.ports]]
    port = 3128

What would I put as the dockerfile ENTRYPOINT?

@jsierles How does this interact with mounts? With two processes I get “Error not enough volumes named (1) to run 2 processes”. I only want the mount for the app process.


Also, processes don’t seem to get secrets. The secrets are still set in fly secrets list, and reverting to not using processes fixes this.

You’d need to add processes to the [[mounts]] section as well.

processes = ["app"]

We’ll have to look into the secrets issue. This multiple process feature is experimental so I would not recommend using it here. Running Squid as a separate app would be best.

Cool, thank you. Is there a way to have a separate app get the same outgoing IP as another app?

Do you mean for connections initiated from within your VM?

Yes