Transport security between proxy and fly machine

Your documentation mentions the following:

The TLS middleware terminates TLS using Fly.io-managed application certificates, then forwards a plaintext connection to the application process. This is useful for running TCP services and offloading TLS to the Fly Proxy.

For performance purposes, the Fly Proxy will terminate TLS on the host a client connects to, and then forward the connection to the nearest available application instance.

While I do like that approach, I am wondering how in-flight data is kept secure between the proxy and the actual Fly machine. I assume that you would use the private network connection and that the traffic is only visible to the machines that are part of the same app. Can you confirm that?

Thanks a lot, Ralph

Hello Ralph, you’ll be happy to know that all our servers are bound together with a WireGuard mesh, which means everything is encrypted in transit. Furthermore, each organization has its own private network, which we call a 6PN. For this, we use some eBPF rules to make sure things from different 6PN private networks can’t talk to each other. If you want some of your apps to be even more isolated, you can pull them off the default org’s network and into a custom one by specifying the --network flag when creating the app with fly apps create.

You can find more about this at these links:

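As an added illustration (not from the original thread or from Fly.io's docs), this is the kind of fly.toml service definition the quoted documentation is describing: the TLS handler terminates TLS at the Fly Proxy, and the app only ever sees plaintext TCP on internal_port, so the proxy-to-machine hop relies on the WireGuard mesh described in the reply. The app name, port numbers and network name are assumed values.

```toml
# fly.toml for a raw TCP service that offloads TLS to the Fly Proxy.
# App name and network name are placeholders chosen for this example.
app = "example-tcp-service"

[[services]]
  # The application process listens for PLAINTEXT TCP here; the proxy,
  # not the app, holds the certificate and performs the TLS handshake.
  internal_port = 5000
  protocol = "tcp"

  [[services.ports]]
    # Public edge port. The "tls" handler terminates TLS with the
    # Fly.io-managed certificate before forwarding to internal_port.
    port = 5443
    handlers = ["tls"]

  [[services.tcp_checks]]
    # Health check also runs against the plaintext internal port.
    interval = "15s"
    timeout  = "2s"
```

If this app should not share the org's default 6PN with other apps, create it with the --network flag mentioned in the reply (for example fly apps create example-tcp-service --network isolated-net, where isolated-net is an assumed name).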

Thanks for the swift reply, rugwiro. So if I understand correctly, the Fly edge proxy would connect to my app’s private network via WireGuard, right?


Yep, that’s exactly how it goes.

Excellent, thanks
