Using Nginx To Proxy Requests

Questions / Help
1

I’m trying to get my head around how I can route traffic on Fly. Slow progress at the moment.

I have a few apps running that are NOT available over the internet.

App 1: 12345-app.internal
App 2: 23456-app.internal
App 3: 34567-app.internal

I would like some sort of proxy that is available over the internet that can then route the requests to the apps using the subdomain of the url.

Example url: 12345-app.domain.com

I have added the certificates for domain.com and got the green ticks there.

Experimenting with a simple nginx app that I also host on fly:

server {
  listen 443 ssl;
  
  server_name ~^(?<container>[\w-]+)\.domain\.com$;

  # These lines cause an issue!!!
  ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

  location / {
    proxy_pass http://$container.internal/;
    proxy_set_header X-Forwarded-Host $http_host;
  }
}

The logs show that the certificates can’t be found but I can’t remove because nginx will complain about missing certificates.

I’m also seeing this error but not sure how I can bind it to 0.0.0.0:

WARNING The app is not listening on the expected address and will not be reachable by fly-proxy. You can fix this by configuring your app to listen on the following addresses: 0.0.0.0:443

Where do the certification live after being created? Should I be copying them over using the Dockerfile somehow? Here is my very basic Dockerfile:

FROM nginx
COPY nginx.conf /etc/nginx/conf.d/nginx.conf
# Should I be copying the certs over here too?

Sorry, quite a lot to unpack but grateful for any suggestions.

2

You wouldn’t want to redirect from your nginx proxy back out to your public domain. Instead, you configure your DNS provider to proxy from 12345-app.domain.com to your nginx server, where it listens to the matching server_name and routes that request to one of your internal apps.

Also, use .flycast instead of .internal.

    map $http_host $your_app {
        default http://<your-app>.flycast:8080;
    }

    server {
        listen 8080;
        listen [::]:8080;
        
        server_name <subdomain>.your.app;

        location / {
            proxy_ssl_server_name on;
            proxy_pass $your_app;
            ...
      
        }
    }
3

Hi

I don’t think I am proxying back out to the public domain???

Unfortunately, your approach wouldn’t be suitable for me as the number of subdomains could be in the 1000s so I need a flexible way to pass the request on.

Your approach would involve creating new dns records for each subdomain and a new map in the nginx block.

4

Don’t proxy to https, proxy to http. You don’t have certificates for .internal (or .flycast) addresses.

5

That’s just a typo - it is http. (will edit it now)

6

How are you starting your server? Usually that’s where you define the hostname/port.

7

Fair enough.

I don’t know about the rest of your setup, but the normal approach is to run nginx on port 80 without ssl or certificates, and let fly proxy handle that: Custom domains · Fly Docs

8

Sorry I misread a redirect header.

9

So finally managed to resolve this issue. I didn’t realise that Fly terminates the SSL connection before reaching the service so Nginx only needed to listen on port 80.

I did end up using flycast too so thanks for that @khuezy

10

I’m now also experimenting this flow. It works perfectly, BUT sometimes I’m seeing this error intermittently:

2024-08-07709:40:23.419 app[7844d3f23dd58] sin [info] 2024/08/07 09:40:23 [error] 380#380: *501 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.16.36.74, server: _, request: "GET /sample-page HTTP/1.1", upstream: "http://[<ip6>]:80/sample-page", host: "some.host.example", referrer: "https://some.referrer.example/"
2024-08-07709:40:23.420 app[7844d3f23dd58] sin [info] 172.16.36.74 - - [07/Aug/2024:09:40:23 +0000] "GET /sample-page HTTP/1.1" 502 1390 "https://some.referrer.example/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" "<ip_visitor>, <nginx_public_ip>"

Do you happen to experience the same issue?

11

are you using flycast? If so, then there might be some underlying proxy issue

12

Yes, my Nginx app is pointing to the .flycast domain of the actual app. I also tried to use the private ip6 address but still the same issue, working fine 99% of the time but sometimes that error shows up.

13

What is the ratio of request:error? I haven’t seen the unreachable error for my admin app but that rarely gets hit.

14

You might need to show some code

15

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.