I want to expose some API routes from an existing Phoenix app that are only accessible from the app’s fly.io private network.
I want to create some API routes that are only accessible via the .internal domain. How can I accomplish this and not expose those routes via the public endpoint/router?
I’m thinking that I may need to have a separate “private” Endpoint/Router with check_origin for the .internal domains, and a different port would be the simplest approach. Another would be scoped routes with a plug to check the origin.
Has anyone done this for integrating internal services? If so, what is the recommended way to do this?
You cannot rely on the origin header; it is set by the client. A better approach would be to create a separate endpoint that is bound on a different port that can only be accessed by internal applications. However, I’m not sure if this is the best way to do it.
It seems like fly.io assigns a private IPv6 address to your app, so the only thing you need to do is create a separate endpoint and configure it to bind to that address:
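As an added example (not code from the thread above or from fly.io), here is what a second Phoenix endpoint bound only to the machine's private address could look like, together with a plug that checks the peer address rather than the client-controlled Origin header. Assumptions: the app is called `my_app`, the module names `MyAppWeb.InternalEndpoint`, `MyAppWeb.InternalRouter` and `MyAppWeb.Plugs.RequirePrivateNetwork` are invented for this example, the environment variable `FLY_PRIVATE_IP` carries the private 6PN address as described in the fly.io docs, and fly.io private addresses fall in `fdaa::/16`.

```elixir
# config/runtime.exs (added example; file name and app name are assumptions)
import Config

if config_env() == :prod do
  # FLY_PRIVATE_IP is assumed to hold the machine's private 6PN address.
  # Fall back to IPv6 loopback so the endpoint never binds to a public interface.
  private_ip =
    case System.get_env("FLY_PRIVATE_IP") do
      nil ->
        {0, 0, 0, 0, 0, 0, 0, 1}

      ip ->
        {:ok, addr} = :inet.parse_address(String.to_charlist(ip))
        addr
    end

  config :my_app, MyAppWeb.InternalEndpoint,
    server: true,
    # Bind only on the private address and a port the public proxy does not forward.
    http: [ip: private_ip, port: 4001],
    url: [host: "my-app.internal", port: 4001],
    # Origin checking is meaningless here: the Origin header is client-controlled.
    check_origin: false
end
```

```elixir
# lib/my_app_web/plugs/require_private_network.ex (added example; module name is an assumption)
defmodule MyAppWeb.Plugs.RequirePrivateNetwork do
  @moduledoc """
  Rejects requests whose peer address is not on the private network.
  Defence in depth: binding to the private address already keeps the port
  off the public interface; this plug makes the policy explicit in code.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # conn.remote_ip is the TCP peer; no proxy sits in front of a privately bound port,
    # so it is not rewritten from a forwarded header.
    if private?(conn.remote_ip) do
      conn
    else
      conn
      |> send_resp(403, "forbidden")
      |> halt()
    end
  end

  # fdaa::/16 is assumed to be the fly.io 6PN range; 0xFDAA == 64938.
  defp private?({0xFDAA, _, _, _, _, _, _, _}), do: true
  # Loopback, for local development and health checks from the same machine.
  defp private?({0, 0, 0, 0, 0, 0, 0, 1}), do: true
  defp private?({127, _, _, _}), do: true
  defp private?(_), do: false
end
```

```elixir
# lib/my_app_web/internal_endpoint.ex (added example; module names are assumptions)
defmodule MyAppWeb.InternalEndpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  plug Plug.RequestId
  plug Plug.Parsers, parsers: [:json], json_decoder: Jason
  # Check the peer address before any route is dispatched.
  plug MyAppWeb.Plugs.RequirePrivateNetwork
  plug MyAppWeb.InternalRouter
end
```

The new endpoint also has to be started from the application supervisor (add `MyAppWeb.InternalEndpoint` to the children list next to the existing endpoint) and `InternalRouter` holds only the routes meant for other services. Keeping the internal routes in their own endpoint and router, rather than a `scope` in the public router, means a missing plug in the public pipeline can never expose them.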
I’d say it’s best to do the filtering on a reverse proxy and not on the Elixir web server itself. It’s very easy to allow requests from specific subnets in Nginx. Something like the following.
    server {
        listen 80;
        server_name whatever.com;

        location /priv {
            allow 172.16.0.0/24;
            deny all;
            # Actual config
        }
    }