Hey,
I have deployed a Phoenix app on Fly.io and my DNS settings are on Cloudflare. For this, I created A and AAAA records on my domain for the IP addresses from `flyctl ips list`. Those records are proxied by Cloudflare. The Phoenix app is running perfectly fine when accessed at the URL provided by Fly.io. However when accessed from my custom domain, it results in a 520 HTTP error. Do I need to change something in the Phoenix app configuration for this to work?
I have found what was wrong. I had to put the SSL/TLS encryption mode to Full in the SSL/TLS settings for my domain. Hopefully this helps someone else in the future.
3 Likes
Glad it works. But you can use SSL full on Cloudflare with Fly.io (should be a bit more secure, but I'm no networking expert so I don't know how big a risk it is in practice). All you need to do is set up custom domains in Fly too (you might wanna do the CNAME verification). That is how I run my apps (Cloudflare for security and some caching, and Fly for the app).
I ran into the same issue today and just wanted to share my steps to set this up successfully:
- Add domain to Cloudflare.
- Run `fly certs add mydomain.com`
- Set the `A` and `AAAA` records shown in Cloudflare DNS.
- (Optional) Check that the `CNAME www mydomain.com` record exists in Cloudflare DNS. Create it otherwise.
- Disable the `proxied (orange cloud)` option for all these records.
- (Maybe, not sure whether necessary) Disable Universal SSL in Cloudflare because it might otherwise block the certificate ACME verification challenge.
- Wait until `fly certs show mydomain.com` shows that your certificate was created successfully.
- Check that you can reach your website at `mydomain.com`
- Enable the `proxied (orange cloud)` option for your three DNS records again (`A`, `AAAA`, and `CNAME`).
- Set the SSL/TLS encryption mode to `Full (strict)`
- Enable Universal SSL again.
- Wait maybe 30s and check your website again. Hopefully it works now!
If not, these are possible troubleshooting steps:
- Disable the `proxied/orange cloud`, wait 30s and see whether it works now.
  - If yes, then at least your Fly.io certificates were issued correctly.
- Disable `Universal SSL` in Cloudflare. This option likes to interfere with the Fly.io certificate creation.
  - Enable this option again once your certificate was issued and populated through the network. You can check this at e.g. https://dnschecker.org/
- Set the `SSL/TLS Encryption` to `flexible`.
  - I’ve no clue what this does but sometimes it fixes the issue. So, try this and see whether it helps, but eventually, you should set this to `Full (strict)`.
Tools and Threads that helped (in no particular order)
4 Likes
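A check that fits the steps above, as an added example that is not part of any post in this thread: it connects straight to the origin IP (bypassing the Cloudflare proxy) with the custom domain as SNI and reports the strictest Cloudflare encryption mode the origin would satisfy. The function names are made up for this example, and it assumes the origin serves a publicly trusted certificate validated against the system trust store; a Cloudflare Origin CA certificate, which Full (strict) also accepts, would show up here as Full only.

```python
import socket
import ssl
import sys


def tls_handshake(ip, hostname, port=443, verify=True, timeout=5):
    """Handshake with the origin at `ip`, sending `hostname` as SNI.

    Connecting by IP bypasses the Cloudflare proxy, so the certificate seen
    here is the one the origin would offer to Cloudflare itself.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return False, type(exc).__name__ + ": " + str(exc)


def strictest_mode(verified_ok, unverified_ok):
    """Map the two handshake results to the strictest usable encryption mode."""
    if verified_ok:
        return "Full (strict)"  # valid chain and matching hostname
    if unverified_ok:
        return "Full"  # TLS works, but the certificate does not validate
    return "none: origin offers no TLS"


def check_origin(ip, hostname, port=443):
    verified_ok, detail = tls_handshake(ip, hostname, port, verify=True)
    unverified_ok = verified_ok
    if not verified_ok:
        unverified_ok, _ = tls_handshake(ip, hostname, port, verify=False)
    return {"mode": strictest_mode(verified_ok, unverified_ok), "detail": detail}


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python check_origin.py <IP from `flyctl ips list`> mydomain.com
    print(check_origin(sys.argv[1], sys.argv[2]))
```

If the result is anything other than `Full (strict)`, the `detail` field gives the verification or connection error to compare against the output of `fly certs show mydomain.com`.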
I’ve run into similar issues before, and one of the biggest stress points for me was figuring out why Cloudflare’s proxy was interfering with Fly.io’s certificate validation. Turning off the proxy temporarily helped isolate the issue.
Once everything was working, I re-enabled it, making sure DNS settings matched Fly.io’s recommendations. Also, if you’re using a custom domain, double-check CNAME flattening and TLS settings in Cloudflare’s dashboard.