Nginx Reverse Engine Proxy + Express

I’m getting these 502 errors with the Dockerfile and fly.toml setup.
For some reason the nodejs server doesn’t start properly, so I’m guessing I’m not starting it properly in the Dockerfile.

flyctl logs



Looks like I didn’t understand how multi-stage builds work. I’ll update this with a working config.

Right, CMD instructions from previous stages are not propagated to the final stage.

You’ll probably need a process supervisor to launch multiple processes from the same app. If you’re used to node.js, maybe this is a good one?

The process supervisor should be your CMD in the last stage. The supervisor should itself launch nginx and your node.js server.

Is the way to do things just to make an application with the nginx config point to an application running node? Separate Dockerfiles for each application? Scale the nginx config separately from the nodejs application? My question is with scaling… If I have two nginx scaled VM application instances pointing to the nodejs application, which could have 5 or application instances… what IP address/host do I put in the nginx config to account for the scaling?

Separate apps is more common on Fly, yes.

What does your nginx do? You may not need it if all you need is load balancing. We already do that (as well as TLS termination).

If you do need to use nginx, you could use our private networking to reach each node.js instance. You’d probably have to somehow create a dynamic configuration.

For example, you can query all private IPs for an app by looking up AAAA records for your-app-name.internal. Unfortunately you can’t use that directly as an upstream in nginx because it will probably just use 1 of the instances returned by the DNS query.
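One way to build the dynamic configuration described above, as an added example that is not part of the original thread or Fly's own code: resolve every AAAA record for your-app-name.internal and render one nginx `server` line per instance, validating each answer before it reaches the config file. The upstream name `node_app`, port 8080, the sample addresses and the assumption that private instance addresses are IPv6 unique-local (fc00::/7) are not from the thread.

```python
import ipaddress
import re
import socket

# Assumption: private instance addresses are IPv6 unique-local (fc00::/7).
PRIVATE_NET = ipaddress.ip_network("fc00::/7")


def resolve_instances(hostname, port):
    """Return every AAAA address for hostname (needs live DNS)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET6, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def render_upstream(name, addresses, port):
    """Build an nginx upstream block from validated, de-duplicated addresses."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError("unsafe upstream name")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    accepted = set()
    for raw in addresses:
        # Zone ids ("addr%zone") may carry arbitrary text, so reject them outright.
        if not isinstance(raw, str) or "%" in raw:
            continue
        try:
            addr = ipaddress.IPv6Address(raw)
        except ValueError:
            continue  # not a bare IPv6 literal: never copy it into the config
        if addr in PRIVATE_NET:
            accepted.add(addr)
    if not accepted:
        # An empty upstream makes nginx refuse the config; keep the old file instead.
        raise ValueError("no usable instance addresses")
    # Sorted output is stable, so a caller can compare it with the current
    # file and reload nginx only when the instance set really changed.
    servers = "".join(f"    server [{a.compressed}]:{port};\n" for a in sorted(accepted))
    return f"upstream {name} {{\n{servers}}}\n"


if __name__ == "__main__":
    # Constructed sample answers; in production use
    # resolve_instances("your-app-name.internal", 8080) instead.
    sample = ["fdaa:0:1::3", "fdaa:0:1::2", "2001:db8::1", "fdaa::5; } evil"]
    print(render_upstream("node_app", sample, 8080))
```

Run it on a timer, write the result to an included file, and reload nginx only when the text differs from the file already on disk.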

For now, I’ll just use to do the load balancing and SSL termination then. When those nodejs application instances are scaling automatically, do they dynamically get new IPs assigned to them or do they share a single application instance IP? Because they will be communicating with other servers not within the ecosystem and I’ll need to whitelist those IPs in advance, or a user could get an inadvertent HTTP error code.

Every instance gets a private IP. The IPs associated with your app are anycast and traffic to them is handled by our proxy, which then selects which instance to send it to.

Unfortunately, that means your peer address will be our public IPv4 of whatever server your instance is on. IPv6 will show an IP unique to each instance, but they’re random and change on every instance reboot. You can’t really whitelist these in any practical way.

There’s no great solution for this right now. Your best bet is to create a WireGuard “gateway” that has a stable IP that you can whitelist and proxy your outgoing connections from your instances on Fly through it. Something like:

fly instance --wg--> wg gateway --public--> 3rd party

We might have a better solution for this within the next few months, but it’s not a big priority on our roadmap.