I'm running code-server on a Fly.io VM using a custom Docker image. The image includes all necessary setup to launch code-server, and it works as expected on a direct root route.

To enable per-port preview for services (e.g., 3000, 5173), I initially tried using code-server’s built-in proxy forwarding via /proxy/:port. While this works locally to some extent, it fails on remote environments (Fly.io), particularly with module resolution and static asset loading in some frameworks (like older CRA apps). I explored workarounds (such as rewriting paths in nginx or using absproxy), but these were unreliable or framework-specific.

As an alternative, I attempted to follow the code-server documentation for subdomain-based proxying. Here's what I did:

• Created wildcard DNS records via Cloudflare (e.g., *.myapp.domain.com)
• Programmatically issued certificates via Fly.io GraphQL API for these subdomains
• Passed the --proxy-domain flag to code-server inside the VM
• Confirmed that CNAME records point to the correct Fly app hostname

However, I’m encountering persistent SSL handshake failures (ERR_SSL_VERSION_OR_CIPHER_MISMATCH) and DNS resolution errors (e.g., CNAME not resolving or TLS alerts during curl). The certificate verification step on Fly’s end also seems stuck due to failed domain ownership validation.

I'd appreciate any guidance or clarification on:

• Correct usage of --proxy-domain with Fly.io and code-server
• Best practices for wildcard certificate setup with Fly.io and Cloudflare
• Required configuration on Fly.io for HTTPS subdomain routing per port

Thanks in advance for your support!