New Feature: Every public port now allowed for TCP services (this means HTTP too)

We are now allowing any and every public (exposed) ports for Fly services :tada:

A public port is the port you set in your services like:

[[services.ports]]
port = "12345" # <- this guy
handlers = ["http"]

Previously, the list of allowed public ports was limited to:

[25, 53, 80, 443, 853, 5000, 8080, 8443, (10000..10100), 25565, 26257]

This limit is no more.

For example: you can now accept connections on port 22 if you’d like to run a SSH server and not have to specify the port each time you connect!

We don’t yet support port ranges or a list of ports for the same [[services.port]] entry, but we’re working on it.

internal_port is unaffected and it’s always been possible to set it to any port between 1 and 65536.

UDP ports are also unaffected, can still be any and every port between 1 and 65536.

Updating our docs will happen shortly :slight_smile:

We’re still working on this, but it should be stable enough to use.

15 Likes

Nice, thanks. Was just looking into running FTP servers worldwide, this comes at an excellent time.

Will probably have to enumerate a couple thousand port numbers in the absence of a way to specify ranges, but good to know it’s possible :+1:t5:

1 Like

Woohoo! Works great!

Hey @jerome thank you for this update! I have a quick question. I have set up Wireguard and can successfully run ssh root@xxx.internal from my CLI to SSH in to my container, however when I try and do the equivalent with Cyberduck for SFTP, I receive a network error. Does this have to do something with port 22? Or does connecting via SFTP require something different?

image

I’m trying to connect to a redis container that was created using this tutorial: Upstash for Redis®* · Fly Docs

I’d just like to inspect the data in my /data directory using Cyberduck

I don’t know nearly enough about SFTP and Cyberduck.

This isn’t related to the feature we launched. This is for external services, not internal ones :slight_smile:

Does sftp root@xxx.internal work for you?

@jerome apologies - I thought it might be similar, searching for ssh/sftp topics were slim hah! Ok so I just tried sftp from the command line and I receive the following output:

sftp root@encore-bull-redis.internal
Connection to encore-bull-redis.internal closed by remote host.
Connection closed

So I take it that the request is being denied by Fly (aka remote host)?

UPDATE:

Part of the problem was that I had reached my connection limit on my VM, I updated my toml and I see the following error when I view the VM logs now:

  • unexpected error: parsing SSH protocol: unhandled type subsystem for Cyberduck
  • unexpected error: parsing SSH protocol: unhandled type simple@putty.projects.tartarus.org using Filezilla

Neat!

I imagine some kind of Linux wizardry is involved to listen on all 65K ports on multiple IPs in all edge nodes? Sounds worthy of a blog post.

Definitely worth a post. The google search you’re looking for is TPROXY, if you want to learn more before we write it. :slight_smile:

2 Likes

Just stumbled upon a Cloudflare blog post on why they switched from TPROXY to a BPF based solution for Magic Transit (L3) and Specturm (L4).

Btw: Is there a way for fly apps to listen on all 2^16 ports (for both tcp and udp) without having to create 2^16 entries in fly.toml?

That aside, does fly ever intend to support raw IP conns (L3)? I can’t imagine the setup being all too different than proxying UDP…

Updating our docs will happen shortly :slight_smile:

Noting it here that the docs are outdated.

3 Likes

Hi, Can I do something like

  [[services.ports]]
    port = "*"

and do I need to have something like dedicated vm ?

1 Like

How can I open port ranges in fly.toml config?

1 Like

We don’t support port ranges yet. We’ll get to it!