원클릭으로 Manus에서 모든 스킬 실행

fly-secure-webapp-deploy

Secure Fly.io web application deployment workflow. Use when configuring, reviewing, or debugging Fly apps with private internal services, public frontends, custom domains, Cloudflare Access, OIDC origin protection, Fly secrets, volumes, Docker images, or smoke checks.

Manus에서 실행

스타10

포크0

업데이트2026년 5월 20일 23:30

출처

mattppal

mattppal/hermes-agent-template

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

유용한 대상SOC

소프트웨어 개발자컴퓨터 및 수학직15-1252L4

파일 탐색기

2 개 파일

SKILL.md

readonly

name	fly-secure-webapp-deploy
description	Secure Fly.io web application deployment workflow. Use when configuring, reviewing, or debugging Fly apps with private internal services, public frontends, custom domains, Cloudflare Access, OIDC origin protection, Fly secrets, volumes, Docker images, or smoke checks.

Fly Secure Webapp Deploy

Workflow

Start by mapping the network boundary:

Keep backend/API/agent services private unless they explicitly need public ingress.
For private services, omit http_service/public services from fly.toml and verify fly ips list --app <app> has no public IPs.
Use Fly private DNS for app-to-app calls: http://<app>.internal:<port>.
Still require application-layer auth for private APIs that expose privileged actions.

Treat the public app as a separately hardened edge:

Set force_https = true in http_service.
Remember Fly's default https://<app>.fly.dev hostname remains reachable when public ingress exists.
If only a custom domain should work, add an in-container host gate or reverse proxy that forwards only the configured public host and returns 404 for everything else.
Do not assume Cloudflare Access protects the direct Fly origin. A caller can reach Fly ingress directly with the custom Host/SNI if they know the origin IP.

Cloudflare And Origin Auth

Use two layers for sensitive web UIs:

Cloudflare Access on the custom hostname as the front-door policy.
App-level SSO/OIDC using Cloudflare Access as the identity provider, so direct-origin requests still hit an identity gate.

For Open WebUI-style apps:

Prefer OIDC-only production login: disable local password/login form after bootstrap.
Keep a temporary bootstrap target that enables both OIDC and local password login only long enough to migrate/promote the OIDC admin.
Keep user default role restrictive, such as pending, when OAuth signup is enabled.
Store OIDC client secrets as Fly secrets. Client IDs, provider URLs, redirect URIs, and admin emails can be normal deployment env unless local policy says otherwise.

Secrets And Config

Keep .env ignored; commit .env.example with placeholders and safe defaults.
Import secrets with fly secrets import or fly secrets set; avoid putting secrets in fly.toml, Dockerfiles, or docs.
Preflight required secrets before importing so partial secret syncs do not happen after a missing value is detected.
Use deployment env (fly deploy --env) for non-secret runtime defaults that should be reproducible from the repo.
Pin Docker base images by digest for production-like deployments; update digests intentionally.

Validation

Run these checks before calling the deployment secure:

fly config validate -c <fly.toml>
fly ips list --app <private-app>
fly secrets list --app <app>
curl -sSI https://<custom-domain>/
curl -sSI https://<public-app>.fly.dev/
curl -sSI --resolve <custom-domain>:443:<fly-ingress-ip> https://<custom-domain>/

Expected results:

Private services have no public IPs and do not respond on *.fly.dev.
The raw public Fly hostname is blocked or intentionally documented.
The custom domain routes through Cloudflare Access when reached normally.
Direct-origin requests do not expose authenticated app content without app-level auth.

이 저장소의 다른 Skills

같은 저장소

hermes-fly-ops

mattppal/hermes-agent-template

Operate and debug this Hermes Agent Fly.io deployment repo. Use when running or updating Makefile targets, validating .env and Fly config, syncing secrets, deploying Hermes or Open WebUI, smoke testing Cloudflare/OIDC/private networking/Modal, reading logs, or troubleshooting startup, auth, host-gate, model, or sandbox issues in this repository.

2026-05-2010

modal-agent-sandboxing

mattppal/hermes-agent-template

Configure agent command execution through Modal Sandboxes. Use when deploying or reviewing an agent that runs terminal/tool commands in Modal instead of the app host, including Modal token setup, sandbox resource limits, filesystem sync, environment passthrough, and smoke tests.

2026-05-2010

skill-creator

mattppal/hermes-agent-template

Create or update agent skills with proper SKILL.md structure, frontmatter, and best practices. Use when building new private skills for this repository and the vercel-labs/skills CLI.

2026-05-2010

technical-writing-revision

mattppal/hermes-agent-template

Rewrite technical writing in this repo so readers understand it on the first pass. Use when improving docs, MDX pages, changelog entries, blog posts, UI copy, onboarding text, help text, headings, lists, or formatting without changing the underlying meaning or product behavior.

2026-05-2010

name	fly-secure-webapp-deploy
description	Secure Fly.io web application deployment workflow. Use when configuring, reviewing, or debugging Fly apps with private internal services, public frontends, custom domains, Cloudflare Access, OIDC origin protection, Fly secrets, volumes, Docker images, or smoke checks.

Fly Secure Webapp Deploy

Workflow

Start by mapping the network boundary:

Keep backend/API/agent services private unless they explicitly need public ingress.
For private services, omit http_service/public services from fly.toml and verify fly ips list --app <app> has no public IPs.
Use Fly private DNS for app-to-app calls: http://<app>.internal:<port>.
Still require application-layer auth for private APIs that expose privileged actions.

Treat the public app as a separately hardened edge:

Set force_https = true in http_service.
Remember Fly's default https://<app>.fly.dev hostname remains reachable when public ingress exists.
If only a custom domain should work, add an in-container host gate or reverse proxy that forwards only the configured public host and returns 404 for everything else.
Do not assume Cloudflare Access protects the direct Fly origin. A caller can reach Fly ingress directly with the custom Host/SNI if they know the origin IP.

Cloudflare And Origin Auth

Use two layers for sensitive web UIs:

Cloudflare Access on the custom hostname as the front-door policy.
App-level SSO/OIDC using Cloudflare Access as the identity provider, so direct-origin requests still hit an identity gate.

For Open WebUI-style apps:

Prefer OIDC-only production login: disable local password/login form after bootstrap.
Keep a temporary bootstrap target that enables both OIDC and local password login only long enough to migrate/promote the OIDC admin.
Keep user default role restrictive, such as pending, when OAuth signup is enabled.
Store OIDC client secrets as Fly secrets. Client IDs, provider URLs, redirect URIs, and admin emails can be normal deployment env unless local policy says otherwise.

Secrets And Config

Keep .env ignored; commit .env.example with placeholders and safe defaults.
Import secrets with fly secrets import or fly secrets set; avoid putting secrets in fly.toml, Dockerfiles, or docs.
Preflight required secrets before importing so partial secret syncs do not happen after a missing value is detected.
Use deployment env (fly deploy --env) for non-secret runtime defaults that should be reproducible from the repo.
Pin Docker base images by digest for production-like deployments; update digests intentionally.

Validation

Run these checks before calling the deployment secure:

fly config validate -c <fly.toml>
fly ips list --app <private-app>
fly secrets list --app <app>
curl -sSI https://<custom-domain>/
curl -sSI https://<public-app>.fly.dev/
curl -sSI --resolve <custom-domain>:443:<fly-ingress-ip> https://<custom-domain>/

Expected results:

Private services have no public IPs and do not respond on *.fly.dev.
The raw public Fly hostname is blocked or intentionally documented.
The custom domain routes through Cloudflare Access when reached normally.
Direct-origin requests do not expose authenticated app content without app-level auth.