nrepl

Coby Tamayo 2026-01-18T22:47:41.100149Z

Hi, has anyone had experience setting up an nREPL server for an app deployed to http://fly.io? Specifically, they have a default https://fly.io/docs/reference/configuration/#services-ports-tls_options for an http_service, but if I'm using nREPL with a generated cert, do I want Fly to just let nREPL https://nrepl.org/nrepl/usage/tls.html TLS termination? I could maybe find out if there's a well-known path to pass with :tls-keys-file but I think if such a file exists that probably means Fly is doing the termination and therefore HTTP traffic to the app host is unencrypted once inside Fly's network, which seems less secure. Appreciate any guidance, thanks in advance!

Ivar Refsdal 2026-01-19T08:27:06.650749Z

nREPL TLS is a two-way thing: the client needs a client private key to connect to the nREPL server. I don't see how http://fly.io could support that. The keys for the nREPL client also contain the root certificate (and in this way it can trust the nREPL server). I think the short answer is: the http://fly.io app should expose a (dedicated) port for the nREPL server, and nREPL should handle all TLS things itself.

👍 1
Ivar Refsdal 2026-01-19T08:29:58.486329Z

If you want to run nREPL over http(s), that is a different case. I don't think there is anything well documented and supported out of the box for that. I know there was an earlier thread about doing that nREPL over json. That seems like a reasonable path to do. I did some stuff for TCP over http(s) with TLS termination à la nREPL, but never quite finished it, nor documented it well.

Coby Tamayo 2026-01-19T22:31:34.923629Z

Makes sense, thank you!

🙏 1
viesti 2026-01-21T19:06:21.470179Z

fly runs containers and you can tunnel into a container via

fly proxy <local-port>:<port-in-container> -a app-name
should be enough to connect to nrepl

🤘 2