Public Network Services

Fly has public and private network services available. The public network services connect applications to the wider public internet, while the private network services allow application instances to communicate with other application instances within the Fly private network.

IP Addresses

Fly applications have dedicated IP addresses. Each application starts with two addresses — one IPv6 and one IPv4. IPv6 addresses are free, global IPv4 addresses are billed monthly.


We announce global IP blocks from all of our datacenters over BGP, otherwise known as anycast. Anycast is a core internet routing mechanism that connects clients to the "nearest" server advertising a block of IPs. You can read all about it on Wikipedia.

Connection Handlers

Set the handlers config setting in the services.ports section of fly.toml to specify which middleware applies to incoming TCP connections for each port you accept external connections on. Use these to convert TCP connections into something your application can handle.

Valid handler strings:

  • "tls": Convert TLS connection to unencrypted TCP
  • "pg_tls": Handle TLS for PostgreSQL connections
  • "http": Convert TCP connection to HTTP
  • "edge_http": Convert TCP connection to HTTP (at the edge)
  • "proxy_proto": Wrap TCP connection in PROXY protocol


The TLS middleware terminates TLS using Fly managed application certificates, then forwards a plaintext connection to the application process. This is useful for running TCP services and offloading TLS to the Fly proxy.

For performance purposes, the Fly proxy will terminate TLS on the host a client connects to, and then forward the connection to the nearest available application instance.

Note: the TLS handler includes ALPN negotiation for HTTP/2. When possible, applications will connect to these kinds of Fly services using HTTP/2, and we will forward an unencrypted HTTP/2 connection (h2c) to the application process.


Many applications have limited HTTP support, the HTTP middleware normalizes HTTP connections and sends HTTP 1.1 requests to the application process. This is roughly how nginx and other reverse proxies work, and allows your application to globally accept modern HTTP protocols (like HTTP/2) without extra complexity.

If your application stack has good HTTP/2 support (like Go), you will get better performance accepting TCP connections directly, and using the TLS handler to terminate SSL. Your application does need to understand h2c for this to work, however.

The HTTP handler adds a number of standard HTTP headers to requests, and a few Fly specific headers for convenience:

Header Description
Fly-Client-IP The IP address Fly accepted a connection from
X-Forwarded-For A comma separated list of proxy servers the request passed through. MDN has full documentation for this header
X-Forwarded-Proto Original client protocol, either http or https
X-Forwarded-SSL Indicates if client connected over SSL, either on or off
X-Forwarded-Port Original connection port, header may be set by client
Fly-Forwarded-Port Original connection port, always set by Fly
Fly-Region Original incoming connection region

You can set a preference on HTTP requests for which region you would like to connect to:

Fly-Prefer-Region: region-code

TCP Pass Through

If you don't specify handlers, we just forward TCP to your application as is. This is useful if you want to handle TLS termination yourself, for example.

Proxy Protocol

The proxy_proto handler adds information about the original connection, including client IP + port and server IP + port (from the client's perspective). Most applications need additional logic to accept the proxy protocol, either using a prebuilt library or implementing the proxy protocol directly.

Postgres Connections

The pg_tls handler manages Postgres connections, so that you can expose your Postgres databases over the proxy securely. Some interesting notes by @glebarez on why standard TLS termination won't work for Postgres:

HTTP to HTTPS Redirects

The force_https configuration option automatically redirects HTTP to HTTPS. When enabled, all HTTP requests return a redirect response with a 301 status code. This option can only be set on HTTP handlers - deployments will fail if set on other handlers.