New Feature: Every public port now allowed for TCP services (this means HTTP too)

1

We are now allowing any and every public (exposed) ports for Fly services :tada:

A public port is the port you set in your services like:

[[services.ports]]
port = "12345" # <- this guy
handlers = ["http"]

Previously, the list of allowed public ports was limited to:

[25, 53, 80, 443, 853, 5000, 8080, 8443, (10000..10100), 25565, 26257]

This limit is no more.

For example: you can now accept connections on port 22 if you’d like to run a SSH server and not have to specify the port each time you connect!

We don’t yet support port ranges or a list of ports for the same [[services.port]] entry, but we’re working on it.

internal_port is unaffected and it’s always been possible to set it to any port between 1 and 65536.

UDP ports are also unaffected, can still be any and every port between 1 and 65536.

Updating our docs will happen shortly :slight_smile:

We’re still working on this, but it should be stable enough to use.

15 Likes
2

Nice, thanks. Was just looking into running FTP servers worldwide, this comes at an excellent time.

Will probably have to enumerate a couple thousand port numbers in the absence of a way to specify ranges, but good to know it’s possible :+1:t5:

1 Like
3

Woohoo! Works great!

4

Hey @jerome thank you for this update! I have a quick question. I have set up Wireguard and can successfully run ssh root@xxx.internal from my CLI to SSH in to my container, however when I try and do the equivalent with Cyberduck for SFTP, I receive a network error. Does this have to do something with port 22? Or does connecting via SFTP require something different?

image
image1090×588 65.1 KB

image

I’m trying to connect to a redis container that was created using this tutorial: Upstash for Redis®* · Fly Docs

I’d just like to inspect the data in my /data directory using Cyberduck

5

I don’t know nearly enough about SFTP and Cyberduck.

This isn’t related to the feature we launched. This is for external services, not internal ones :slight_smile:

Does sftp root@xxx.internal work for you?

6

@jerome apologies - I thought it might be similar, searching for ssh/sftp topics were slim hah! Ok so I just tried sftp from the command line and I receive the following output:

sftp root@encore-bull-redis.internal
Connection to encore-bull-redis.internal closed by remote host.
Connection closed

So I take it that the request is being denied by Fly (aka remote host)?

UPDATE:

Part of the problem was that I had reached my connection limit on my VM, I updated my toml and I see the following error when I view the VM logs now:

  • unexpected error: parsing SSH protocol: unhandled type subsystem for Cyberduck
  • unexpected error: parsing SSH protocol: unhandled type simple@putty.projects.tartarus.org using Filezilla
7

Neat!

I imagine some kind of Linux wizardry is involved to listen on all 65K ports on multiple IPs in all edge nodes? Sounds worthy of a blog post.

8

Definitely worth a post. The google search you’re looking for is TPROXY, if you want to learn more before we write it. :slight_smile:

2 Likes
9

Just stumbled upon a Cloudflare blog post on why they switched from TPROXY to a BPF based solution for Magic Transit (L3) and Specturm (L4).

Btw: Is there a way for fly apps to listen on all 2^16 ports (for both tcp and udp) without having to create 2^16 entries in fly.toml?

That aside, does fly ever intend to support raw IP conns (L3)? I can’t imagine the setup being all too different than proxying UDP…

Updating our docs will happen shortly :slight_smile:

Noting it here that the docs are outdated.

3 Likes
10

Hi, Can I do something like

  [[services.ports]]
    port = "*"

and do I need to have something like dedicated vm ?

1 Like
11

How can I open port ranges in fly.toml config?

1 Like
12

We don’t support port ranges yet. We’ll get to it!