Flycast, private networks, and fly-replay

raycmorgan · May 20, 2025, 1:28am

I’m trying to setup an environment where I deploy customer apps inside of my org and have a router in front to route to the customer apps.

My ideal setup would be using a router app in the default network, and each customer app being deployed into a private custom network and no public IPs for their app. I’d wire up a custom flycast IP to allow traffic from default to reach the customer apps and I’d have great isolation, and auto start/stop.

However, it appears as though that configuring the customer apps with a service (even if private) enables it to be reached via the fly-replay header regardless of IP controls (eg —network)

This creates a security issue as it means that customer A can reach customer B’s app via this fly-replay header (the apps are untrusted code).

Not using services seems less ideal as then I don’t get the auto start/stop benefits, etc.

Thoughts? Ideas?

raycmorgan · May 20, 2025, 4:31pm

I figured out how to do this. fly-replay appears to only work with http services. So instead, I’m exposing tcp services along with private networks and cross private network flycast ips.

My load balancers will be in a typical reverse proxy mode (instead of returning a fly-replay header), authing requests and proxying to the customer apps.

Topic		Replies	Views
Replay headers with private networks	4	565	November 4, 2022
New Feature: Application Private IPs	11	1960	December 22, 2023
Machine auto start/stop on private network Questions / Help	4	216	April 27, 2024
Proxy to apps on different custom private networks proxy	8	60	October 11, 2024
Run private applications with Flycast Fresh Produce	14	1416	December 30, 2024

Flycast, private networks, and fly-replay

Related topics