fly.toml reference gaps

technillogue · April 28, 2022, 7:39am

What is processes = [“app”] in the default config? What does allowed_public_ports do exactly?

What’s the right way to have a regular app on :80, but squid on :3128? Two services? It would be nice to have some examples of “Multiple services sections: Mapping multiple internal ports to multiple external ports.”

joshua · April 28, 2022, 8:47am

Hey! Indeed we’re a bit behind on these topics. See answers at the end of this post.

If you’re running Squid in front of your app as an HTTP cache, I’d recommend two separate Fly apps. They can communicate over your private network. If you have webapp as your app name, and it listens on port 80, Squid can send traffic to http://webapp.internal. Simple as that.

The squid fly.toml might look like:

app = "mysquid"

[[services]]
    internal_port = 3128
    [[services.ports]]
      handlers = ["tls", "http"]
        port = 443

This will terminate TLS for you on port 443 (making for a simpler squid config). Then traffic is passed with normal HTTP to your squid instances on port 3128.

fly.toml for your app can simply contain the following if you don’t want it exposed to the internet (only to squid):

app = "mywebapp"
[[services]]

The blank services block is required to ensure the default internet-facing ports are closed off.

Now to answer your question about the fly.toml entries:

processes refers to an experimental feature allowing more than one service to be logically
grouped within a single app. Check out this post for more info.

allowed_public_ports is deprecated - we just haven’t removed it from the default config yet.

technillogue · April 28, 2022, 7:48pm

Great, thank you. I would +1 removing allowed_public_ports from the config sooner rather than later.

I’m using squid to solve captchas from the main app’s IP. I settled on this for now:

processes = []
...
[[services]]
  internal_port = 8080
  processes = ["app"]
  [[services.ports]]
    handlers = ["http"]
    port = 80
  ...
[[services]]
  internal_port = 3128
  [[services.ports]]
    port = 3128 # squid

For this setup I’m sshing in to run squid manually when needed (it’s only needed after the app gets a captcha challenge).

To do this properly, is this what would I do?

[processes]
app = "python3.9 /app/main.py"
squid = "squid -d 30 -N"
[[services]]
  processes = ["app"]
  internal_port = 8080
  [[services.ports]]
    handlers = ["http"]
    port = 80
[[services]]
  processes = ["squid"]
  internal_port = 3128
  [[services.ports]]
    port = 3128

What would I put as the dockerfile ENTRYPOINT?

technillogue · April 29, 2022, 9:30pm

@joshua How does this interacts with mounts? With two processes I get “Error not enough volumes named (1) to run 2 processes”. I only want the mount for the app process

technillogue · April 29, 2022, 9:38pm

Also, processes don’t seem to get secrets. The secrets are still set in fly secrets list, and reverting to not using processes fixes this.

joshua · April 29, 2022, 9:57pm

You’d need to add processes to the [[mounts]] section as well.

processes = ["app"]

We’ll have to look into the secrets issue. This multiple process feature is experimental so I would not recommend using it here. Running Squid as a separate app would be best.

technillogue · April 29, 2022, 10:39pm

Cool, thank you. Is there a way to have a seperate app get the same outgoing IP as another app?

joshua · April 29, 2022, 10:40pm

Do you mean for connections initiated from within your VM?

technillogue · April 30, 2022, 7:35pm

Yes