Postgres public access

Hi, I’ve created a Node.js project and added a Postgres DB during the setup.

The problem that I have now is that I want to connect to the DB from outside the machine. I can do it by using the proxy command pointing to the app, but the problem is that I need to do that without the proxy command (since I need to connect the DB to an analytics software that doesn’t allow that).

I’ve tried to change the fly.toml file and add another service (since the documentation says it can be multi-service), but it seems that it replaces the node service’s config with the last one it finds and thus makes the app not public.

This is the config that I tried:

app = "desky-api"

kill_signal = "SIGINT"
kill_timeout = 5
processes = []

[build]
  builder = "heroku/buildpacks:20"

[env]
  PORT = "8080"

[experimental]
  allowed_public_ports = []
  auto_rollback = true

[[services]]
  http_checks = []
  internal_port = 8080
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    force_https = true
    handlers = ["http"]
    port = 80

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"
    
[[services]]
  internal_port = 5432
  protocol = "tcp"
  
  # For secure connections
  [[services.ports]]
   handlers = ["tls"]
   port = 443

  # For insecure connections. 
  [[services.ports]]
   handlers = []
   port = 54320

Thanks a lot for the help

I wasn’t quite clear if you were using Fly’s Postgres, or your own.

If it’s Fly’s Postgres (generally better than doing it yourself, with HA etc, but up to you!), yes you can use a proxy, but if you can’t, you could attach an IP to it and then expose that to allow external connections. Here’s how to do that: Multi-region PostgreSQL · Fly Docs

If it’s your own Postgres and you can’t use the proxy, you could go about it another way by installing WireGuard. Your machine could then resolve Fly’s private pg-app-name.internal hostnames, which of course otherwise it couldn’t. It’s then as if your machine was another Fly app within your private network. Here’s a guide for that approach depending on your OS: Private Networking · Fly Docs

Hi Greg!

I’m using Fly’s Postgres. I have already added an IPv4 and also IPv6 with a domain certificate too, but no luck on connecting to it.

But I’ve followed the guide and the key was to export the configuration, remove the line where it says

services = []

and add the following:

[[services]]
  internal_port = 5432 # Postgres instance
  protocol = "tcp"

[[services.ports]]
  handlers = ["tls"]
  port = 443

[[services.ports]]
  handlers = []
  port = 5432

Thanks a lot!

2 Likes

@greg @factorialhr

I followed this as well, but I cannot access the database securely.

Using port 443 returns the error:

Server closed the connection unexpectedly. This probably means the server terminated abnormally before or while processing the request.

Using port 5432 works OK, but this is unencrypted.

Any ideas?

Postgres SSL is non-standard and won’t work with our proxy. You’d need to install certificates and enable your own SSL in the app to make postgres + tls work.

Hi @kurt,

I’m not using the proxy. I’m following this information from @greg:

Following this is not working, it is not allowing connections.

@josephxanderson Hearing my name mentioned :)

I think what Kurt means is the Fly proxy that sits in front of all their apps. So by assigning an IP and exposing a port, you are using the proxy, as the connection to your app would go through it to get to your database app. In which case you couldn’t use their tls handler (in their proxy) for the reason Kurt says.

1 Like
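
Why port 443 with the tls handler closes the connection while raw port 5432 works, as an added example that is not part of the original thread or Fly's code: a Postgres client first sends an 8-byte cleartext SSLRequest and only starts a TLS handshake after the server answers `S`, so a listener that expects a TLS ClientHello as the first bytes never sees one. The function names are hypothetical, and the listener that drops non-TLS bytes is an assumption modelled on the error reported above.

```python
import socket
import struct

SSL_REQUEST_CODE = 80877103   # (1234 << 16) | 5679, PostgreSQL SSLRequest
PROTOCOL_3_0 = 196608         # 3 << 16, StartupMessage of an unencrypted session

def ssl_request() -> bytes:
    """8-byte message a Postgres client sends in cleartext to ask for TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)

def classify_first_bytes(data: bytes) -> str:
    """Name what a listener sees first on a new connection."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"            # what a TLS-terminating handler expects
    if len(data) >= 8:
        length, code = struct.unpack("!II", data[:8])
        if length == 8 and code == SSL_REQUEST_CODE:
            return "postgres-ssl-request"    # TLS would only start after an 'S' reply
        if code == PROTOCOL_3_0:
            return "postgres-startup-cleartext"
    return "unknown"

def ask_for_tls(sock: socket.socket) -> str:
    """Send SSLRequest on a connected socket; return 'S', 'N' or 'closed'."""
    try:
        sock.sendall(ssl_request())
        reply = sock.recv(1)
    except OSError:
        return "closed"
    return reply.decode("ascii", "replace") if reply else "closed"

if __name__ == "__main__":
    # Constructed peers over a local socket pair, no network needed.
    client, server = socket.socketpair()
    server.sendall(b"S")                      # a Postgres with SSL enabled
    print(ask_for_tls(client), classify_first_bytes(server.recv(8)))
    client2, edge = socket.socketpair()
    edge.close()                              # assumed: TLS handler drops non-TLS bytes
    print(ask_for_tls(client2))
```

To check your own database, pass `ask_for_tls` a socket from `socket.create_connection` to its host and port: `N` means the server will only accept unencrypted sessions on that port.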