For an actual lookup of hostnames for allow/deny, this seems neat: https://www.nginx.com/resources/wiki/modules/rdns/ … but it seems to have been abandoned for a while and so may not even install or work.
As for someone being able to bypass your proxy and access the name.fly.dev directly, that would remain the case. I don’t know of an option to turn that off. All I can think is you would need to not expose the backend app to the public internet at all (for example don’t assign it an IP). And so (in theory) as long as your proxy was hosted by Fly, you could use app-name.internal as the host to proxy in your nginx. If the proxy was a Fly app and the backend app was also a Fly app (in the same organisation), they can talk to each other over the encrypted, private network, without needing to go over the public internet. Nobody outside of your Fly network could resolve that app-name.internal and thus that backend would not be available to them.
You probably need to append the port, so e.g. http://app-name.internal:1234 (assuming your backend is listening on port 1234). You can use http since the connection is encrypted.
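The proxy setup described above, as an added example that is not part of the original post: `app-name` and port 1234 are the post's placeholders, while the listen port and the headers are assumptions. It also assumes Fly's private DNS resolver at `fdaa::3`, and that the backend listens on IPv6, since `.internal` names resolve to private IPv6 addresses.

```nginx
# Added example, not from the original thread.
# nginx running as the public-facing Fly app, proxying to a backend Fly app
# that has no public IP and is only reachable on the private network.
server {
    listen 8080;        # assumed internal port of the proxy app

    # Assumption: Fly's private DNS server. Without a resolver, nginx resolves
    # the upstream name once at startup and keeps a stale address after the
    # backend is redeployed.
    resolver [fdaa::3]:53 valid=5s;

    location / {
        # Putting the upstream in a variable makes nginx resolve it per
        # request through the resolver above instead of only at startup.
        set $backend "http://app-name.internal:1234";
        proxy_pass $backend;

        # Plain http is used here because, as the post says, the private
        # network between the two Fly apps is already encrypted.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To confirm the backend is no longer public, request its name.fly.dev address from outside Fly: the request should fail while the same path through the proxy succeeds.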
I would now like my backend.fly.dev to only be accessible to my frontend.fly.dev. Greg mentioned using a .internal but I can't find anything on them. Does someone have some insight/docs?