HTTPS Checks now support true TLS certificate verification

Have you ever needed to terminate TLS in your app instead of at Fly’s proxy?

If so, you may have wanted your service’s checks to run over HTTPS (not plain HTTP).

[[services]]
internal_port = 443
protocol = "tcp"

[[services.ports]]
port = 443
# Notice there are no handlers for this port, usually it is: handlers = ["tls", "http"]

[[services.http_checks]]
interval = "1s"
protocol = "https"
path = "/status"

Until today, Fly supported HTTPS checks, but it couldn’t verify the TLS certificate served by your web app.

Because the check sends its requests to the machine’s IP address (for example https://172.17.33.18/status), the returned certificate can’t be validated against that URL unless we supply the SNI hostname.

The usual workaround was to add tls_skip_verify = true to the check definition.

Starting with flyctl v0.1.65, you can set the hostname your TLS certificate is issued for with the tls_server_name check keyword.

For our example to work, all it needs is tls_server_name:

[[services.http_checks]]
interval = "1s"
protocol = "https"
path = "/status"
tls_server_name = "my-cert-domain.com"

Behind the scenes we use HashiCorp’s Consul to run health checks; tls_server_name and its cousin tls_skip_verify map one-to-one to Consul’s own check options:

HTTP checks expect a valid TLS certificate by default. You can disable certificate verification by setting the tls_skip_verify field to true. When using TLS and a host name is specified in the http field, the check automatically determines the SNI from the URL. If the http field is configured with an IP address or if you want to explicitly set the SNI, specify the name in the tls_server_name field.
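To see what the three settings actually do when the check URL carries an IP rather than a hostname, here is an added Go example (not Fly’s or Consul’s code). It stands up a loopback HTTPS server with a throwaway self-signed certificate for my-cert-domain.com in place of the real machine, and runs the same GET with verification only, with the tls_skip_verify equivalent, and with the tls_server_name equivalent; startApp and httpsCheck are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// startApp stands in for the Fly machine: /status over TLS on a loopback IP, served with a throwaway
// self-signed cert valid only for hostname (no IP SAN, like a real cert); the pool trusts that cert.
func startApp(hostname string) (*httptest.Server, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS() // srv.URL is now https://127.0.0.1:<port>, an IP just like the machine IP
	return srv, pool
}

// httpsCheck runs one check the way Consul does: a GET with the given TLS settings; nil means it passed.
func httpsCheck(url string, cfg *tls.Config) error {
	transport := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: transport}).Get(url)
	if err != nil {
		return err // certificate verification failures surface here
	}
	return resp.Body.Close()
}

func main() {
	srv, pool := startApp("my-cert-domain.com")
	defer srv.Close()
	url := srv.URL + "/status" // the check targets the IP, so only an explicit SNI can match the cert
	fmt.Println("verify, no SNI: ", httpsCheck(url, &tls.Config{RootCAs: pool}))                                   // fails: no IP SAN
	fmt.Println("tls_skip_verify:", httpsCheck(url, &tls.Config{InsecureSkipVerify: true}))                         // passes, nothing verified
	fmt.Println("tls_server_name:", httpsCheck(url, &tls.Config{RootCAs: pool, ServerName: "my-cert-domain.com"})) // passes, verified
}
```

The first call fails because the certificate has no IP SAN for 127.0.0.1, the second passes without checking anything, and only the third passes with the certificate actually verified for the configured name.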

Happy certificate verifications!