0.0.0.0 or localhost

[k33g]

Hello,
I'm trying to deploy an Atmo application to fly.io (a CaaS service)

• The domain name of the application is https://helloatmo-manual.fly.dev/
  • According to the documentation of Atmo (https://atmo.suborbital.dev/usage/deploying-atmo#https), I used ATMO_DOMAIN=helloatmo-manual.fly.dev (to run with HTTPS) when deploying on fly.io

I get this in the logs:

{"log_message":"(I) configured for HTTPS using domain helloatmo-manual.fly.dev","timestamp":"2021-11-06T05:34:00.075867912Z","level":3,"app":{"atmo_version":"0.3.2"}}
{"log_message":"(I) serving TLS challenges on :8080","timestamp":"2021-11-06T05:34:00.076123702Z","level":3,"app":{"atmo_version":"0.3.2"}}
{"log_message":"(I) loaded bundle from ./runnables.wasm.zip","timestamp":"2021-11-06T05:34:00.11194338Z","level":3,"app":{"atmo_version":"0.3.2"}}
{"log_message":"(I) loaded bundle from ./runnables.wasm.zip","timestamp":"2021-11-06T05:34:00.14019717Z","level":3,"app":{"atmo_version":"0.3.2"}}
{"log_message":"(I) starting Atmo ...","timestamp":"2021-11-06T05:34:00.140434765Z","level":3,"app":{"atmo_version":"0.3.2"}}
{"log_message":"(I) serving on :443","timestamp":"2021-11-06T05:34:00.140474189Z","level":3,"app":{"atmo_version":"0.3.2"}}
Error: failed to server.Start: listen tcp :443: bind: permission denied

Reading the fly.io documentation https://fly.io/docs/getting-started/troubleshooting/#host-checking about the host checking, I wondered if you use 0.0.0.0 or localhost?

Remark: I already deployed the same application on Civo with success but without HTTPS

[cohix]

Good question, it binds to :443 which is probably localhost? You can try setting ATMO_TLS_PORT=0.0.0.0:443 and ATMO_HTTP_PORT=0.0.0.0:80 to see if that works

[k33g]

It fails: Error: failed to server.Start: listen tcp :443: bind: permission denied

But I get this one too: (E) domain and HTTP port options are both unset, server will start up but fail to acquire a certificate. reconfigure and restart

I guess thatATMO_DOMAIN is "deactivated" when I use ATMO_TLS_PORT and ATMO_HTTP_PORT

I will do (soon) other tests on other hosting providers and check if I get the same problem

[cohix]

@k33g hmm interesting.

I think we need to add an ATMO_BIND_ADDRESS option separate from the port settings to solve this properly. Is that something you'd be interested in taking on?

If not, no worries :)

[flaki]

Good question, it binds to :443 which is probably localhost?

So I briefly looked into this, and according to the Go documentation, the behavior of Listen the underlying function used by Vektor's listenAndServe() call is:

For TCP networks, if the host in the address parameter is empty or a literal unspecified IP address, Listen listens on all available unicast and anycast IP addresses of the local system.

I believe this is exactly what the Fly.io host accepts (and the "literal unspecified IP address" I think actually refers to 0.0.0.0).
Rather, I believe the issue here seems to be simply that the application on Fly.io's setup is not expected to bind to privileged ports (<1024):

It fails: Error: failed to server.Start: listen tcp :443: bind: permission denied

What seems to be the case is that Fly.io expects an "internal port" to be configured in the fly.toml (a high port, or unprivileged port, a port number between 1024 - 65535) and will manage its own HTTPS-termination, that is, reaching the service on HTTP and HTTPS is possible without having to run Vektor in TLS mode.

[cohix]

@flaki I believe you're correct! Good eye. I think setting the ATMO_HTTP_PORT=8080 environment variable and then specifying 8080 in the fly.toml is the likely solution here. @k33g could you give that a try and let us know how it goes?

[k33g]

@flaki @cohix 👍 well down, thanks, it work

tag="0.0.1"
app_name="helloatmo99"

flyctl apps create ${app_name} --json
FLY_APP_NAME="${app_name}" envsubst < ./fly.template.toml > ./fly.toml

flyctl deploy \
  --image registry.gitlab.com/k33g_org/discovering-atmo/deploy-atmo-services-on-fly.io:${tag} \
  --env ATMO_HTTP_PORT=8080 \
  --verbose --json

[cohix]

Amazing! I’ll close this.