I want to make sure my app is only reachable through Cloudflare’s proxy, so that direct requests to my-app.fly.dev are blocked. The goal is to prevent bypassing Cloudflare’s WAF and Access rules.
I’ve looked into a few options:
- Cloudflare Tunnel (`cloudflared`): This seems like the cleanest solution since the origin has no public IP. However, if I run `cloudflared` as a sidecar process on each machine, traffic bypasses Fly Proxy entirely — which means autostop/autostart no longer works.
- IP allowlist: Validating the `Fly-Client-IP` header against Cloudflare’s published IP ranges from within the app. But I’m not sure if this header can be spoofed by a client sending it directly.
- Cloudflare Authenticated Origin Pulls (mTLS): Requires running a reverse proxy (Caddy/Nginx) to validate the client certificate, which adds complexity.
The ideal setup would be something like:
Internet → Cloudflare → Fly Proxy → my app (with autoscaling)
where direct requests to the Fly hostname are rejected at some point before reaching my machines while requests coming from Cloudflare are accepted.
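As an added illustration of the IP-allowlist option from the post (not code from the poster or from Fly/Cloudflare), this check reads `Fly-Client-IP` and accepts the request only if it falls inside a Cloudflare range; it assumes Fly Proxy sets that header from the connection's peer address so the remote client cannot choose it (the very point the post asks about, to be confirmed in Fly's docs), and it deliberately ignores `X-Forwarded-For`, to which a client can prepend arbitrary entries. The embedded ranges are a partial snapshot and must be refreshed from Cloudflare's published list.

```python
import ipaddress
from typing import Iterable, List, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Partial snapshot of Cloudflare's published IPv4 ranges, embedded only so the
# example runs offline. Refresh from https://www.cloudflare.com/ips-v4 (and
# ips-v6) before relying on it; this list is NOT complete.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
]


def build_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once; strict=True rejects malformed ranges early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


ALLOWLIST = build_allowlist(CLOUDFLARE_RANGES)


def is_from_cloudflare(headers: Mapping[str, str],
                       allowlist: List[Network] = ALLOWLIST) -> bool:
    """Return True only if the proxy-reported client IP is in an allowed range.

    Assumption: Fly-Client-IP is set by Fly Proxy from the TCP peer address and
    overwrites anything the client sent. X-Forwarded-For is ignored on purpose:
    intermediaries append to it, so the client controls its leading entries.
    Every failure path returns False (fail closed).
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("fly-client-ip")
    if raw is None:
        return False  # no trusted source address: reject
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return False  # malformed value: reject rather than guess
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(is_from_cloudflare({"Fly-Client-IP": "104.16.1.1"}))   # True
    print(is_from_cloudflare({"X-Forwarded-For": "104.16.1.1"}))  # False
```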