TLS on custom http port

Hi!

We have an app which has two HTTP services, listening on ports TCP/8000 and TCP/3000.

What we want would be that:

This worked fine last week, but on Friday last week https://our-service.example.com:8443/ began to say “Connection reset by peer” / “SSL connect error”.

Excerpt from our fly.toml:

[[services]]
  http_checks = []
  internal_port = 8000
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    handlers = ["http"]
    port = 80

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"

[[services]]
  http_checks = []
  internal_port = 3000
  processes = ["app"]
  protocol = "tcp"
  script_checks = []

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    handlers = ["http"]
    port = 8080

  [[services.ports]]
    handlers = ["tls", "http"]
    port = 8443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"

Connection to 443 works, connection to 80 works, connection to 8080 works, but connection with https to 8443 does not work.

Is there something we have missed from the documentation?

Hello!

I just looked at your apps for your account and it seems like you removed the 8443 service port about 45 minutes ago?

If you add the service back, I can try and debug this further.

Now the setup has been reverted back to the non-working state: port 8443 from the external URL leads to an SSL error (this also happens on app-name.fly.dev:8443).

We should have this fixed shortly. Some hosts have a slightly different configuration which may not be in sync with our global state of allowed ip:port.

We changed a few things that should have fixed this. Can you confirm?

Yep, can confirm. Now works!

In the meantime we actually changed our app to proxy those custom port requests, but still I think this is great to have fixed.