0

In order to have less issues with CORS and be able to use one SSL cert, I would like to run all flynn applications with one domain:

my "external" services

internal services

  • redis
  • postgres

$ flynn route (example)

http:api.service.example.com        api
http:frontend.service.example.com   frontend
http:docs.service.example.com       docs
...

To keep things simple, my idea was to use the NGINX as a reverse proxy to take care of the routing and the SSL handling - but where should I put it?

I could add an NGINX as a flynn application that listens to example.com and then make use of location and proxy_pass features. But when the NGINX reverses from https://example.com to http://frontend.service.example.com I have no SSL here - is that right?

How to make sure, the NGINX routes only "internally"? Are there even better approaches with flynn - or just use dokku.

wiesson
  • 6,544
  • 5
  • 40
  • 68

1 Answers1

2

You can do this with Flynn using built-in features, there is no need to use an external reverse proxy.

First, add example.com with a valid TLS certificate:

flynn -a frontend route add http example.com --tls-cert cert_chain.pem --tls-key cert_key.pem

The cert_chain.pem file should contain the PEM-encoded certificate followed by one or more intermediate certificates necessary to build the chain to a trusted root.

The cert_key.pem file should contain a PEM-encoded private key (with no encryption applied).

Then add a path-based route for each of your other apps. The path will be treated as a prefix, so all subpaths will match as well for the route and the TLS certificate you just added will be used for all of them because they have the same domain:

flynn -a api route add http example.com/api
flynn -a admin route add http example.com/admin
flynn -a docs route add http example.com/docs
flynn -a static route add http example.com/static

The first route with just the base domain will be used for all other paths.

titanous
  • 3,668
  • 3
  • 27
  • 26