Setting up Qdrant on Fly.io

, , ,
1

I want to setup a Qdrant vector database on fly so that

  • there is a SERVICE_API_KEY
  • I can access it in my browser https://<app-name>.fly.dev
  • A JS/TS client can connnect to it at https://<app-name>.fly.dev:6333
  • There are health checks on the machine

So far I have the following toml


app = ''
primary_region = ''
kill_signal = 'SIGTERM'
kill_timeout = '5m0s'

[env]
QDRANT__CLUSTER__ENABLED = 'true'
QDRANT__SERVICE__HOST = '::'
QDRANT__STORAGE__SNAPSHOTS_PATH = '/data/qdrant/snapshots'
QDRANT__STORAGE__STORAGE_PATH = '/data/qdrant/storage'

[[mounts]]
source = 'qdrant_data'
destination = '/data'

[[services]]
protocol = 'tcp'
internal_port = 6333
auto_stop_machines = false
auto_start_machines = true
min_machines_running = 0

[[services.ports]]
port = 6333
handlers = ['http']

[[services.http_checks]]
interval = 10000
grace_period = "5s"
method = "get"
path = "/healthz"
protocol = "http"
timeout = 2000
tls_skip_verify = false

[[services]]
protocol = 'tcp'
internal_port = 6334

[[services.ports]]
port = 6334

[services.ports.tls_options]
alpn = ['h2']

[[services.tcp_checks]]
interval = '15s'
grace_period = '10s'

[[vm]]
memory = '1gb'
cpu_kind = 'shared'
cpus = 1

[[metrics]]
port = 6333
path = '/metrics'

which is borrowed from this github repo

This is my Dockerfile

ARG QDRANT_VERSION=v1.13.0

FROM qdrant/qdrant:${QDRANT_VERSION}

WORKDIR /qdrant
COPY . /qdrant

RUN apt-get update && apt-get install ca-certificates iptables dnsutils --no-install-recommends -y

RUN chmod +x /qdrant/start.sh

CMD ["/qdrant/start.sh"]

The problem is that I can only connect via http to the server and not through https. Furthermore I cannot access the db at https://<app-name>.fly.dev.

How do I fix this and what did I do wrong ? Any help would be greatly appreciated.

2

Hi… I admittedly don’t know anything about Qdrant itself, but this aspect is straightforward, :eyes:…

The SSL/TLS step for HTTPS requires a corresponding extra handler in fly.toml. @kylemclaren’s repository, which you’re copying, is oriented mainly toward Flycast—a private network where the encryption side is already taken care of for you.

(Indeed, that’s one of my favorite features of the Fly.io platform.)

More broadly, are you sure you can’t instead use the fly proxy 6333 technique from “Connecting to Qdrant from Your Local Machine”? This gives local access on demand, for development, etc., without having lingering misgivings about what obscure security problems you might be overlooking.

Personally, I would avoid exposing any database to the public Internet, in general, even with the API key being enforced, :dragon:…

1 Like
4

Hello there,

Thanks for the tip on adding the extra handler. Is this sufficient

 [[services.ports]]
 port = 6333
-handlers = ['http']
+handlers = ['tls', 'http']

The reason is that I want to have a publicly facing API and a SERVICE_API_KEY for Qdrant. I don’t think I can use fly proxy 6333 since I need to connect to this vector db from a Nextjs server running on Vercel. That server has the url for this vector database as an environment variable.

I understand its not ideal to expose to the public internet but since my server is not in the Flycast network, do I have any other options ?