In order to have fewer issues with CORS and be able to use one SSL cert, I would like to run all flynn applications with one domain.

My "external" services:
- https://example.com/ - Frontend SPA (static, HTML/javascript)
- https://example.com/api/v1/* - API (Python/Django)
- https://example.com/admin/ - Django Admin
- https://example.com/docs/ - SwaggerUI (static, HTML/Javascript)
- https://example.com/static/ - All static files from user uploads

Internal services:
- redis
- postgres

`$ flynn route` (example):

```
http:api.service.example.com api
http:frontend.service.example.com frontend
http:docs.service.example.com docs
...
```

To keep things simple, my idea was to use NGINX as a reverse proxy to take care of the routing and the SSL handling - but where should I put it?

I could add an NGINX as a flynn application that listens to example.com and then make use of the `location` and `proxy_pass` features. But when the NGINX reverses from https://example.com to http://frontend.service.example.com I have no SSL here - is that right?

How can I make sure that the NGINX routes only "internally"? Are there even better approaches with flynn, or should I just use dokku?

You can do this with Flynn using built-in features; there is no need to use an external reverse proxy.

First, add `example.com` with a valid TLS certificate:

The `cert_chain.pem` file should contain the PEM-encoded certificate followed by one or more intermediate certificates necessary to build the chain to a trusted root.

The `cert_key.pem` file should contain a PEM-encoded private key (with no encryption applied).

Then add a path-based route for each of your other apps. The path will be treated as a prefix, so all subpaths will match as well for the route and the TLS certificate you just added will be used for all of them because they have the same domain:

The first route with just the base domain will be used for all other paths.
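
A pre-flight check for the two files described in the answer, as an added example that is not part of the original answer or of Flynn itself: it verifies that `cert_chain.pem` holds a leaf plus at least one intermediate and that `cert_key.pem` is a passphrase-free PEM key. The function names are hypothetical, the sample PEM bodies are constructed placeholders, and the file-permission check is an added assumption (the key is stored unencrypted); it does not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example: structural checks for cert_chain.pem and cert_key.pem.
# Function names are hypothetical; sample PEM bodies are constructed placeholders.

# Print the number of certificates in a chain file (leaf first, then intermediates).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeed only if the file holds a private key with no passphrase applied.
key_is_unencrypted() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || return 1
    # PKCS#8 encrypted keys use their own label; legacy PEM encryption adds Proc-Type.
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 1
    fi
    return 0
}

# Succeed only if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -l "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# usage: preflight cert_chain.pem cert_key.pem
preflight() {
    rc=0
    n=$(count_certs "$1")
    [ "${n:-0}" -ge 2 ] || { echo "chain: ${n:-0} certificate(s), want leaf plus intermediate(s)" >&2; rc=1; }
    key_is_unencrypted "$2" || { echo "key: not a passphrase-free PEM private key" >&2; rc=1; }
    key_is_private "$2" || { echo "key: accessible to group or others" >&2; rc=1; }
    return "$rc"
}

# Write constructed placeholder files (not real key material) into directory $1.
make_sample() {
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
    done > "$1/cert_chain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$1/cert_key.pem"
    chmod 600 "$1/cert_key.pem"
}
```

Run `preflight cert_chain.pem cert_key.pem` before adding the route; a non-zero exit status means at least one check failed, with the reason on stderr.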