Fix fly-deploy WARNING by starting nginx before Tailscale

The deploy WARNING ("app is not listening on the expected address") was caused by a race: start.sh ran Tailscale setup (~5-10s) before starting nginx, so Fly's post-start socket check found nothing on port 8080. Fix by starting nginx first and deferring upstream DNS resolution to request time via resolver + variable in proxy_pass. DNS results are cached for 30s per worker to avoid per-request lookups. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 07:00:19 -08:00 · 2026-02-09 07:00:19 -08:00 · 0e23adcc71
commit 0e23adcc71
parent a0b076172f
3 changed files with 18 additions and 3 deletions
--- a/docs/changelog.d/fix-fly-deploy-warnings.bugfix.md
+++ b/docs/changelog.d/fix-fly-deploy-warnings.bugfix.md
@ -0,0 +1 @@
+Fix fly-deploy WARNING by starting nginx before Tailscale, deferring upstream DNS resolution to request time.
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@ -32,6 +32,12 @@ http {
    proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
                     max_size=200m inactive=24h;

+    # MagicDNS resolver — using a variable in proxy_pass defers upstream DNS
+    # resolution to request time, letting nginx start before Tailscale connects.
+    # Results are cached for 30s per worker to avoid per-request DNS lookups.
+    resolver 100.100.100.100 valid=30s;
+    resolver_timeout 5s;
+
    # --- docs.eblu.me (static site) ---
    server {
        listen 8080;
@ -40,7 +46,8 @@ http {
        limit_req zone=general burst=20 nodelay;

        location / {
-            proxy_pass https://docs.tail8d86e.ts.net;
+            set $upstream_docs https://docs.tail8d86e.ts.net;
+            proxy_pass $upstream_docs$request_uri;
            proxy_ssl_verify off;
            proxy_ssl_server_name on;

--- a/fly/start.sh
+++ b/fly/start.sh
@ -1,6 +1,13 @@
 #!/bin/sh
 set -e

+# Start nginx immediately so port 8080 is bound before Fly's deploy checks.
+# Upstream DNS resolution is deferred via resolver + variable in nginx.conf,
+# so nginx starts cleanly even before Tailscale connects.
+nginx -g "daemon off;" &
+NGINX_PID=$!
+echo "Nginx started (waiting for Tailscale before proxying)"
+
 # Start tailscale daemon. Fly.io runs Firecracker microVMs which support
 # TUN devices natively — no need for --tun=userspace-networking.
 tailscaled --statedir=/var/lib/tailscale &
@ -19,5 +26,5 @@ alloy run /etc/alloy/config.alloy \
    --storage.path=/tmp/alloy-data &
 echo "Alloy started"

-# Start nginx — MagicDNS resolves *.tail8d86e.ts.net hostnames
-nginx -g "daemon off;"
+# Block on nginx — container exits if nginx stops
+wait $NGINX_PID
				`@ -0,0 +1 @@`
				`Fix fly-deploy WARNING by starting nginx before Tailscale, deferring upstream DNS resolution to request time.`