outbound https

In porting my app from Heroku, so far the most trouble has come from outbound https. My golang app uses several third-party APIs to which it needs to connect via outbound https on port 443. My app also requires inbound https, originally on port 443, but (for all I care) that could be on a port other than 443.

I’ve now spent a day or two scouring fly.io documentation. Please confirm whether I understand this right:

1. The way that fly.io does TLS termination on 443 precludes my app doing outbound https on 443.

2. My options for outbound https on 443 are:

a. Install a client certificate in my app and use it to connect outbound https on 443
b. Install a client certificate in “smokescreen,” which I run in another VM at fly.io, and use that to connect outbound https on 443
c. Set up a custom domain name and install a server certificate in my app so that I can receive inbound https on a port other than 443, freeing up 443 for outbound requests.

Is this correct?
Must I associate a domain name with my fly.io app in any case, not just option (c)?
Are there additional options?

Thanks!

I did get an SSL certificate from my domain name registrar and I installed it and the private key into my app, which now terminates the TLS connection (omitting the TLS handler from fly.toml). But I am still getting the same error: “x509: certificate signed by unknown authority”

Here’s my fly.toml:

[experimental]
allowed_public_ports =
auto_rollback = true

[[services]]
http_checks =
tcp_checks =
internal_port = 8080
processes = [“app”]
protocol = “tcp”
script_checks =
[services.concurrency]
hard_limit = 25
soft_limit = 20
type = “connections”

[[services.ports]]
#handlers = [“http”]
port = 80

[[services.ports]]
#handlers = [“tls”, “http”]
port = 10443

Hi @liamdgray

Just a heads up that the inbound settings for fly services do not affect your outbound connections. You can have your app running on port 443 and make https requests to 3rd party APIs from your app.

@charleysa, that makes sense to me.

I did think I read somewhere that port forwarding on 443 inbound would interfere with 443 outbound, but I guess I was mistaken.

Any idea why my outbound https would not work from fly, while they work from the same app on Heroku?

I’m not using Docker on Heroku, but the Dockerfile doesn’t appear to be the issue, as the Dockerfile doesn’t control treatment of outbound connections.

Is it all https connections failing or just to a specific service?

It’s all of them, including e.g. Sendgrid. I’m using the http client in Go 1.18. Regardless of site I attempt to open, it returns the same error “x509: certificate signed by unknown authority” when I run on fly.io but not when I run on heroku.

If your ported app is using a minimal container image, it may be missing the ca-certificates package which will cause the certificate error you’re seeing- try making sure that package is installed.

@wjordan, thanks! I was indeed using the most minimal of container images: My Dockerfile used “FROM scratch” and my whole image with app was only about 28MB.) I was able to get it working by installing the certificates and not using “FROM scratch.”

Thanks for your patience. I didn’t understand how https clients work. I should have been asking myself “from where does a client get the root CA certificates?”

Instead of scratch you may consider using Google distroless. Here’s an example for statically complied go: distroless/Dockerfile at main · GoogleContainerTools/distroless · GitHub

Here’s an example project where I use distroless: midway/Dockerfile at 77ede02c21cb78bb7b753bf59a2f2bfae81ab615 · celzero/midway · GitHub

Thank you, @ignoramous ! (You don’t deserve your username; but I do; shall we trade?