Run a custom internet-facing service

Want to run a websocket server, an MQTT broker, a custom API, or any other long-running process you wrote yourself — and have visitors reach it directly from the internet?

This article describes the pattern:

  1. Always — run the process under a UNIX user.
  2. Then pick one of two routes to make it reachable:
    • Option A — plain TCP. You add a firewall rule yourself.
    • Option B — SSL/TLS (HTTPS, WSS). Cyberfusion support sets up HAProxy in front of the daemon to terminate SSL. Paid work.

Option A and Option B are alternatives — do one, not both. Option B handles the exposure itself, so no separate firewall rule is needed.


1. Run the process under a UNIX user

Whatever the process is — a Node.js websocket server, a Python MQTT broker, a Go binary — it runs as a daemon under a UNIX user. The cluster starts the daemon, keeps it running, and restarts it if it dies or hits its memory limit.

Open the UNIX user's page in Core:

Directly

  1. Navigate to 'Advanced' > 'UNIX Users'.
  2. Select the UNIX user.

Via the project

  1. Navigate to 'Projects'.
  2. Select the project.
  3. Navigate to 'Advanced'.
  4. Under the 'UNIX User' tile, click 'Manage'.

Then scroll to the 'Daemons' section and click '+'. Enter the command to run (for example node /home/user/websocket-server.js) and the nodes the daemon should run on. The command should keep running in the foreground: the cluster supervises the process it started, so a program that forks itself into the background looks to the supervisor like it has exited.

For the full field reference — 'Memory Limit (MiB)', 'CPU Limit (cores)', the restart trigger file you can use from a deploy script — see Daemons.

At this point the process is running, but only reachable from the node itself. The next step opens it up to the internet — pick one of the two options below.

2. Make it reachable from the internet — pick one

Option A — Plain TCP via a firewall rule

Pick this if your service doesn't need SSL/TLS — plain TCP is fine for your protocol, or your clients handle encryption themselves.

By default, the cluster's firewall blocks every port that isn't a standard service (SSH, HTTP, HTTPS, mail, etc.). To let visitors reach your service over plain TCP, add a firewall rule for the port your daemon listens on.

Use a node with the 'Admin' group

A firewall rule for a custom port only works on a node that has the 'Admin' group. Other nodes aren't directly connected to the internet — opening a port on them doesn't make it reachable from outside the cluster.

To add the rule, open the node with the 'Admin' group in Core, scroll to 'Firewall Rules', and click '+'. Pick:

  • 'Source' — 'All' if anyone on the internet should reach the service, or a firewall group to limit it to specific IP networks.
  • 'Target' — 'Port', and enter the port number your daemon listens on.

Save the rule. The port is now reachable from whichever source you picked. Check this from a host outside the cluster; connecting from the node itself proves nothing, because the daemon was already reachable there before the rule existed. Keep in mind that with 'Source' set to 'All', anyone on the internet can open a connection to the daemon: the firewall rule only decides who may connect, so any authentication has to happen inside the daemon itself.

For the full firewall-rule reference, see All about firewall rules.

Option B — SSL/TLS via HAProxy (paid)

Pick this if your service needs HTTPS or WSS — for example, a websocket server that browsers connect to from an https:// page. Don't also do Option A; this route handles the exposure itself.

The recommended pattern is to terminate SSL in front of the daemon, not inside it. Cyberfusion runs HAProxy in front of the daemon: HAProxy holds the certificate, accepts the encrypted connection from the visitor, and forwards plain traffic to your daemon on the node. Your daemon stays simple and doesn't need to know about certificates at all.

This isn't a self-service feature in Core. Adding an HAProxy listen that terminates SSL and proxies to a custom daemon is configured by Cyberfusion support.

Contact support to set this up. This is paid work — a one-off configuration fee. Let support know the domain, and the port your daemon listens on.