SNI-based routing on shared IPs without managed certificates

There are applications that need to implement their own TLS server because they require access to TLS fields.

In these cases, TLS needs to be used over raw TCP instead of Fly.io’s TLS termination.

For testing, I implemented my own TLS server on the default app-name.fly.dev domain without using a custom domain, and it worked well because routing is handled via SNI.

However, currently there does not seem to be any way to configure a custom domain without creating a Fly-managed certificate.

It would be great if this could be improved.

Thank you.

Same Issue: How To Use Custom Domain While Terminating TLS by App?

Hey, what end goal are you after?

If you’re wanting to just use a custom cert, this can be uploaded through the CLI or the dashboard for your app, after which it will be used over a fly-managed certificate.

If you’re wanting to terminate raw TCP and handle TLS yourself this is also totally fine, but you’ll need to use a dedicated IPv4 address and omit the handlers for your route. Then you don’t interact with the SNI routing at all and you can do whatever you want with the TCP connection.

This is needed to calculate the TLS fingerprint.

I’m currently working around this by using a dedicated IP, but since that incurs additional cost, I’d like to be able to use a shared IP instead.
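For context on what "access to TLS fields" looks like once the app terminates TLS itself, here is an added Go example (not code from this thread or from Fly.io). It uses `tls.Config.GetConfigForClient`, which runs before certificate selection, to read the SNI and the ClientHello parameters and build a JA3-style summary; the summary format and the function names are this example's own assumptions, not a real JA3 string.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// nums renders numeric ClientHello values as "a-b-c" (JA3-style separator).
func nums[T ~uint8 | ~uint16](vals []T) string {
	s := make([]string, len(vals))
	for i, v := range vals {
		s[i] = fmt.Sprint(uint16(v))
	}
	return strings.Join(s, "-")
}

// Fingerprint summarises a ClientHello as "versions,ciphers,curves,points". Assumed
// format, not real JA3: Go's ClientHelloInfo does not expose the raw extension list.
func Fingerprint(h *tls.ClientHelloInfo) string {
	return strings.Join([]string{nums(h.SupportedVersions), nums(h.CipherSuites),
		nums(h.SupportedCurves), nums(h.SupportedPoints)}, ",")
}

// CaptureHello terminates TLS itself on a loopback TCP port, dials it once with the
// given SNI name, and returns the SNI and fingerprint the server read from the hello.
func CaptureHello(sni string) (seenSNI, fp string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		// Runs before certificate selection, so this demo needs no certificate at all.
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			seenSNI, fp = h.ServerName, Fingerprint(h)
			return nil, fmt.Errorf("demo only: no certificate") // a real server returns nil, nil
		}})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	// Client side of the constructed handshake; it fails once the server aborts above.
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	c, err := ln.Accept()
	if err != nil {
		return "", "", err
	}
	defer c.Close()
	_ = c.(*tls.Conn).Handshake() // runs GetConfigForClient synchronously; error expected
	return seenSNI, fp, nil
}

func main() { fmt.Println(CaptureHello("example.internal")) }
```

On a shared Fly.io IP this callback never sees the hello, because the platform's SNI router owns the TCP connection; it only works when the app itself is listening on a dedicated address with no handlers.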

Gotcha. As you’ve found, this isn’t something we make possible on shared IPs, which are strictly limited to SNI routing under our control. Using a dedicated IP address is the expected solution here.

Routing via SNI is still possible even when using self-managed TLS termination.

This post was not a question about how to solve the issue.
I was hoping that someday shared IPs could also be supported for use cases like this.

It’s unlikely we will add this in the short term, but I’ve moved the post into the appropriate wishlist category.