Fly.io Proxy
Public reverse proxy on Fly.io that exposes selected BlumeOps services to the internet via a Tailscale tunnel back to the homelab.
Quick Reference
| Property | Value |
|---|---|
| App | blumeops-proxy |
| Region | sjc (San Jose) |
| Fly.io URL | blumeops-proxy.fly.dev |
| Config | fly/ directory in repo |
| IaC | fly/fly.toml (app), Pulumi (DNS + auth key) |
Exposed Services
| Public domain | Backend | Service |
|---|---|---|
docs.eblu.me | docs.tail8d86e.ts.net | docs |
Architecture
Internet traffic hits Fly.io’s Anycast edge, terminates TLS with a Let’s Encrypt certificate, and is proxied by nginx to the backend service over a Tailscale WireGuard tunnel. See expose-service-publicly for the full architecture diagram.
Key Files
| File | Purpose |
|---|---|
fly/fly.toml | App configuration |
fly/Dockerfile | nginx + Tailscale + Alloy container |
fly/nginx.conf | Reverse proxy, caching, rate limiting, JSON logging |
fly/alloy.river | Alloy config: log tailing, metric extraction, remote_write |
fly/start.sh | Entrypoint: start Tailscale, Alloy, then nginx |
pulumi/tailscale/__main__.py | Auth key (tag:flyio-proxy) |
pulumi/tailscale/policy.hujson | ACL grants for proxy |
pulumi/gandi/__main__.py | DNS CNAMEs |
Networking
Fly.io runs Firecracker microVMs which support TUN devices natively. Tailscale runs with a real TUN interface (not userspace networking), so MagicDNS and direct Tailscale IP routing work normally.
The Tailscale auth key is preauthorized=True to avoid device approval hangs on container restarts.
Observability
Alloy runs inside the container alongside nginx and Tailscale, providing:
- Logs: nginx JSON access logs tailed and pushed to Loki (
{instance="flyio-proxy", job="flyio-nginx"}) - Metrics: Derived from access logs, pushed to Prometheus via
remote_writeflyio_nginx_http_requests_total— request rate by status/method/hostflyio_nginx_http_request_duration_seconds— latency histogramflyio_nginx_http_response_bytes_total— response bandwidthflyio_nginx_cache_requests_total— cache HIT/MISS/EXPIRED counts
Dashboards
| Dashboard | Purpose |
|---|---|
| Docs APM | Per-service view for docs.eblu.me: request rate, latency percentiles, cache hit ratio, error rate, bandwidth, access logs |
| Fly.io Proxy Health | Aggregate proxy health: connections, total request rate by host, cache performance, upstream latency, Alloy health |
Alloy listens on 127.0.0.1:12345 for self-scraping its /metrics endpoint. All metrics carry instance="flyio-proxy".
Security Considerations
The tag:flyio-proxy ACL grants access only to tag:flyio-target:443. Services must explicitly opt in by adding a tailscale.com/tags: "tag:k8s,tag:flyio-target" annotation to their Tailscale Ingress. This means the proxy can only reach endpoints that have been individually tagged — a compromised nginx config cannot route to arbitrary services on the tailnet.
Currently tagged as tag:flyio-target: docs, loki, prometheus. Loki and Prometheus are tagged so that Alloy (running inside the container) can push logs and metrics directly via their Tailscale Ingress endpoints — the restricted ACL means Caddy on indri (tag:homelab) is not reachable from the proxy.
To expose an additional service through the proxy, add the tag:flyio-target annotation to its Tailscale Ingress. See expose-service-publicly for the full workflow.
Spider Trap Mitigation
The SPA fallback (try_files ... /index.html) serves index.html with a 200 for any URI, including non-existent paths. Quartz’s relative links (../path) compound when resolved from phantom URLs, creating an infinite tree of unique URIs that crawlers follow indefinitely. In March 2026, Meta’s crawler (meta-externalagent/1.1) hit ~49,000 unique URIs over 7 hours this way.
Two nginx location guards in containers/quartz/default.conf mitigate the trap:
/tags/depth limit —/tags/<name>is always flat; anything deeper returns 404.- Global depth-5 cutoff — real content never exceeds depth 4; paths with 5+ segments return 404.
These are applied in the Quartz container’s nginx config, not the Fly.io proxy. The proper fix is switching Quartz to root-absolute links (planned for the fork).
Secrets
| Secret | Source | Description |
|---|---|---|
TS_AUTHKEY | Pulumi state → fly secrets | Tailscale auth key for joining tailnet |
FLY_DEPLOY_TOKEN | Fly.io → 1Password | Deploy token for CI |
Related
- expose-service-publicly - Setup guide for adding new public services
- manage-flyio-proxy - Operational tasks (deploy, shutoff, troubleshoot)
- caddy - Private reverse proxy for
*.ops.eblu.me(separate system) - tailscale - WireGuard mesh network
- gandi - DNS hosting