{"id":31805521,"url":"https://github.com/forge-42/fly-sidecar-poc","last_synced_at":"2025-10-11T02:52:29.339Z","repository":{"id":316433400,"uuid":"1062629306","full_name":"forge-42/fly-sidecar-poc","owner":"forge-42","description":"Prototype showcasing Multi-Container \"Sidecar\" deploys for fly.io with Cloudflare origin check, Rate limiting, and sharing host directories between containers","archived":false,"fork":false,"pushed_at":"2025-10-01T14:16:16.000Z","size":65,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-02T07:33:31.281Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/forge-42.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-23T14:05:16.000Z","updated_at":"2025-10-01T14:16:19.000Z","dependencies_parsed_at":"2025-09-24T16:23:12.734Z","dependency_job_id":null,"html_url":"https://github.com/forge-42/fly-sidecar-poc","commit_stats":null,"previous_names":["forge-42/fly-sidecar-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/forge-42/fly-sidecar-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forge-42%2Ffly-sidecar-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forge-42%2Ffly-sidecar-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forge-42%2Ffly-sidecar-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forge-42%2Ffly-sidecar-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/forge-42","download_url":"https://codeload.github.com/forge-42/fly-sidecar-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forge-42%2Ffly-sidecar-poc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279005915,"owners_count":26084004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-11T02:52:26.273Z","updated_at":"2025-10-11T02:52:29.327Z","avatar_url":"https://github.com/forge-42.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# fly-sidecar-poc\n\nThis repository demonstrates how to deploy a multi-container app on [fly.io](https://fly.io/) with Cloudflare protection and rate limiting. Key files: `cli-config.json`, `fly.toml`, and `nginx.conf`.\n\n## What Does This PoC Show?\n\n- **Requests are routed through Cloudflare**\n- **Requests are rate limited**\n- Read and Write to a file on a shared directory on the host machine. This could also be a persistent volume. In this example its just a mount on the host machine.\n\n## Cloudflare Origin Protection\n\n**Goal:** Prevent direct access to your fly.io app, ensuring all traffic goes through Cloudflare for security, caching, and optimizations.\n\n- **Custom Domain (via Cloudflare):** [fly-sidecar-poc.forge42.dev](https://fly-sidecar-poc.forge42.dev/)\n- **Direct Fly.io Domain:** [fly-sidecar-poc.fly.dev](https://fly-sidecar-poc.fly.dev/)\n\n**Expected Behavior:**\n\n- Access via the custom domain (Cloudflare) works.\n- Direct access to the fly.io domain returns a 403 error.\n\n**How the Origin Check Works:**\n\n1. Requests must come through `fly-proxy` (private IP range `172.16.0.0/16`).\n2. Nginx sets the client IP from the [`Cf-Connecting-Ip`](https://developers.cloudflare.com/fundamentals/reference/http-headers/#cf-connecting-ip) header.\n3. The [`Fly-Client-Ip`](https://www.fly.io/docs/networking/request-headers/#fly-client-ip) header must match Cloudflare’s [IPv4](https://www.cloudflare.com/ips-v4) or [IPv6](https://cloudflare.com/ips-v6) ranges.\n4. If both checks pass, the request is proxied to the app on `localhost:80`.\n\n**Trying to spoof the headers to get access and bypass Cloudflare:**\n\nI am using the [`xh`](https://github.com/ducaale/xh) cli tool to make requests in this example:\n\n```sh\n## Lets try to manually send the Cf-Connecting-Ip header Cloudflare is adding and/or setting X-Forwarded-For header:\n➜ xh --headers GET https://fly-sidecar-poc.fly.dev/ \"Cf-Connecting-Ip: 1.2.3.4\" \"X-Forwarded-For: 2.3.4.5\"\nHTTP/2.0 403 Forbidden\ncontent-encoding: zstd\ncontent-type: text/html\ndate: Wed, 24 Sep 2025 14:19:22 GMT\nfly-request-id: 01K5Y1FQBBQ90R0K7GESSHG15P-fra\nserver: Fly/90a8089aa (2025-09-23)\nvia: 2 fly.io\nx-fly-cip: cip:abcd:1234:5678:ef00:abcd:1234:5678:abcd\nx-is-cf-client: is_cloudflare_client:0\nx-is-fly-proxy: is_fly_proxy:1\nx-ra: 1.2.3.4\nx-realip-ra: 172.16.22.162\nx-sidecar-response: true\nx-valid-origins: V:0\n```\n\n## Rate Limiting\n\nIf you send requests too quickly, you'll receive a `503 Service Temporarily Unavailable` error.\n\nThe current setup is minimal: nginx realip modules uses the `Cf-Connecting-Ip` header to set `$remote_addr`, so rate limiting applies to the real client IP as seen by Cloudflare - not just to fly-proxy or Cloudflare as a whole. You can easily enhance this configuration by adding connection limits, burst and delay controls, or other traffic shaping options for more advanced rate limiting.\n\n## Shared Host Directory\n\nOn both containers, the `/my-shared-dir` directory is mounted to a shared directory on the host machine. This allows both containers to read and write files in this directory. Even though its necessary to specify a `\"volume\"` configuration object with just the `\"name\"` property in the `cli-config.json`, its not an actual persistent fly volume. It seems this behavior is currently not documented in the fly.io docs.\n\n## Quick Start\n\n### 1. Create a Fly.io App\n\nUpdate the `app` value in `fly.toml` to match your app name.\n\n```sh\nexport MY_FLY_APP_NAME=\"fly-sidecar-poc\"\nfly apps create $MY_FLY_APP_NAME --org YOUR-ORG\nfly deploy --app $MY_FLY_APP_NAME\n```\n\n### 2. Add a Custom Domain (Cloudflare)\n\nReplace `MY-FLY-APP.YOUR-DOMAIN.TLD` with your actual domain (must be managed in Cloudflare).\n\n```sh\nfly certs add 'MY-FLY-APP.YOUR-DOMAIN.TLD' --app $MY_FLY_APP_NAME\n```\n\nFollow the instructions to add the DNS entry in Cloudflare. For details on enabling the \"orange cloud\" (proxy), see [Fly.io Cloudflare setup guide](https://fly.io/docs/networking/understanding-cloudflare/#cdn-proxy-setup-quot-orange-cloud-quot).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforge-42%2Ffly-sidecar-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fforge-42%2Ffly-sidecar-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforge-42%2Ffly-sidecar-poc/lists"}