Postgres public access

Hi, I’ve created a Node.js project and added a Postgres DB during the setup.

The problem that I have now is that I want to connect to the DB from outside the machine. I can do it by using the proxy command pointing to the app, but the problem is that I need to do that without the proxy command (since I need to connect the DB to an analytics software that doesn’t allow that).

I’ve tried to change the fly.toml file and add another service (since the documentation says it can be multi-service), but it seems that it replaces the Node service’s config with the last one it finds and thus makes the app not public.

This is the config that I tried:

app = "desky-api"

kill_signal = "SIGINT"
kill_timeout = 5
processes = []

[build]
  builder = "heroku/buildpacks:20"

[env]
  PORT = "8080"

[experimental]
  allowed_public_ports = []
  auto_rollback = true

[[services]]
  http_checks = []
  internal_port = 8080
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    force_https = true
    handlers = ["http"]
    port = 80

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"
    
[[services]]
  internal_port = 5432
  protocol = "tcp"
  
  # For secure connections
  [[services.ports]]
   handlers = ["tls"]
   port = 443

  # For insecure connections. 
  [[services.ports]]
   handlers = []
   port = 54320

Thanks a lot for the help

I wasn’t quite clear if you were using Fly’s Postgres, or your own.

If it’s Fly’s Postgres (generally better than doing it yourself, with HA etc, but up to you!), yes, you can use a proxy, but if you can’t, you could attach an IP to it and then expose that to allow external connections. Here’s how to do that: Multi-region PostgreSQL · Fly Docs

If it’s your own Postgres and you can’t use the proxy, you could go about it another way by installing WireGuard. Your machine could then resolve Fly’s private pg-app-name.internal hostnames, which of course otherwise it couldn’t. It’s then as if your machine was another Fly app within your private network. Here’s a guide for that approach depending on your OS: Private Networking · Fly Docs

Hi Greg!

I’m using Fly’s Postgres. I have already added an IPv4 and also an IPv6 address, with a domain certificate too, but no luck connecting to it.

But I’ve followed the guide and the key was to export the configuration, remove the line where it says

services = []

and add the following:

[[services]]
  internal_port = 5432 # Postgres instance
  protocol = "tcp"

[[services.ports]]
  handlers = ["tls"]
  port = 443

[[services.ports]]
  handlers = []
  port = 5432

Thanks a lot!


Postgres SSL is non-standard and won’t work with our proxy. You’d need to install certificates and enable your own SSL in the app to make Postgres + TLS work.

@josephxanderson Hearing my name mentioned 🙂

I think what Kurt means is the Fly proxy that sits in front of all their apps. So by assigning an IP and exposing a port, you are using the proxy, as the connection to your app would go through it to get to your database app. In that case you couldn’t use their tls handler (in their proxy) for the reason Kurt says.

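The mismatch described in the last two replies, as an added example that is not code from the thread or from Fly: a Postgres client opens with a cleartext 8-byte SSLRequest and waits for a one-byte answer before any TLS handshake, whereas a TLS terminator expects a ClientHello as the very first bytes. The function names, sample bytes and outcome strings are constructed for illustration, and the handler behaviour is assumed to be that of a generic TLS terminator or raw TCP pass-through.

```javascript
// Added example. Constants come from the PostgreSQL wire protocol and TLS record format.
const SSL_REQUEST_CODE = 80877103; // (1234 << 16) | 5679, sent before any TLS bytes
const PROTOCOL_V3 = 196608;        // protocol 3.0 in a cleartext StartupMessage
// Classify the first bytes a client sends on a fresh TCP connection.
function classifyFirstBytes(buf) {
  // TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, then 0x01 (ClientHello)
  if (buf.length >= 6 && buf[0] === 0x16 && buf[1] === 0x03 && buf[5] === 0x01) {
    return "tls-client-hello";
  }
  if (buf.length >= 8) {
    const len = buf.readUInt32BE(0);
    const code = buf.readUInt32BE(4);
    if (len === 8 && code === SSL_REQUEST_CODE) return "pg-ssl-request";
    if (len > 8 && code === PROTOCOL_V3) return "pg-startup-cleartext";
  }
  return "unknown";
}

// Assumed generic behaviour: a "tls" handler terminates TLS, an empty list passes raw TCP.
function outcome(handlers, firstBytes) {
  const kind = classifyFirstBytes(firstBytes);
  if (handlers.includes("tls")) {
    return kind === "tls-client-hello"
      ? "TLS terminated at the proxy"
      : `handshake fails: expected ClientHello, got ${kind}`;
  }
  if (kind === "pg-ssl-request") return "passed through: encrypted only if Postgres itself has SSL enabled";
  if (kind === "pg-startup-cleartext") return "passed through: session is unencrypted";
  return `passed through: ${kind}`;
}

// Constructed sample openings (no real traffic).
function buildSslRequest() {
  const b = Buffer.alloc(8);
  b.writeUInt32BE(8, 0);
  b.writeUInt32BE(SSL_REQUEST_CODE, 4);
  return b;
}
function buildStartup(user, database) {
  const params = Buffer.from(`user\0${user}\0database\0${database}\0\0`, "latin1");
  const head = Buffer.alloc(8);
  head.writeUInt32BE(8 + params.length, 0);
  head.writeUInt32BE(PROTOCOL_V3, 4);
  return Buffer.concat([head, params]);
}
const CLIENT_HELLO_PREFIX = Buffer.from([0x16, 0x03, 0x01, 0x02, 0x00, 0x01]);
console.log(outcome(["tls"], buildSslRequest())); // port 443 in the thread's config
console.log(outcome([], buildSslRequest()));      // port 5432 in the thread's config
console.log(outcome([], buildStartup("app", "appdb")));
```

On the raw port, a client whose opening classifies as `pg-startup-cleartext` never asked for encryption, so analytics tools pointed at a publicly exposed 5432 are best configured to require SSL on the client side.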