For users that want to bring their own domain for their CVM.
nginx application where the dstack-ingress container forwards traffic to the TARGET_ENDPOINT, which points to the app service (running the nginx image) with an exposed port 80. It is important to know that this can change based on how your app’s docker compose file is configured.
Now on to the deployment. Go to your Phala Cloud Dashboard and deploy a new CVM. Select the docker-compose.yml option for deployment, then paste the docker compose file below into the Advanced tab of the CVM configuration page.
DOMAIN: Your custom domain (i.e. your-domain.com).
TARGET_ENDPOINT: Where the ingress should forward all incoming traffic — i.e. the upstream application service:port. In this case, we point to the nginx service app on port 80.
CLOUDFLARE_API_TOKEN: Your Cloudflare API token
CERTBOT_EMAIL: Your email address used for Let’s Encrypt email notifications
SET_CAA: Leave it to true to enable CAA record setup. Necessary for a secure zt-https setup.
GATEWAY_DOMAIN: Leave it unchanged. It points to the dstack gateway domain automatically populated by Phala Cloud.

dstack-ingress is a sidecar in your docker compose file. When adding it, you should make sure:
cert-data volume in your docker compose file as it’s used by dstack-ingress
dstack-ingress service is connected to the same network as the service specified in TARGET_ENDPOINT. e.g. If you set networks: [net1] for your app, you should also have it in dstack-ingress.

dstack-ingress container logs. It should print logs like below:
dstack-ingress container logs like below:
https://your-domain.com/evidences/
acme-account.json, cert.pem, sha256sum.txt, and quote.json
quote.json contains a TDX quote with the SHA-256 digest of sha256sum.txt embedded in the report_data field
sha256sum.txt contains cryptographic checksums of both acme-account.json and cert.pem
acme-account.json contains the ACME account credentials used to request certificates
cert.pem is the Let’s Encrypt certificate currently serving your custom domain

SET_CAA=true), you can verify that only authorized Certificate Authorities can issue certificates for your domain:
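Separately from the CAA check, the chain between the four evidence files described above (quote.json binds sha256sum.txt, which binds acme-account.json and cert.pem) can be checked as in the following added example, which is not code from the original page or from the dstack project. It assumes that quote.json stores the raw quote as hex under a key named "quote", that the digest occupies the first 32 bytes of report_data, and that the quote uses the TDX v4 layout; the sample input is constructed.

```python
import hashlib
import json

# Intel TDX quote v4 layout: 48-byte header, then a 584-byte TD report body
# whose final 64 bytes are report_data.
REPORT_DATA_OFFSET = 48 + 520
REPORT_DATA_LEN = 64


def parse_checksums(text):
    """Parse sha256sum output lines ("<hex>  <name>") into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64:
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify_evidence(files):
    """files maps evidence file name -> bytes. Returns a list of failures."""
    failures = []
    sums = parse_checksums(files["sha256sum.txt"].decode())
    for name in ("acme-account.json", "cert.pem"):
        if sums.get(name) != hashlib.sha256(files[name]).hexdigest():
            failures.append(f"{name}: checksum mismatch")
    # ASSUMPTION: quote.json stores the raw quote as hex under the key "quote".
    quote = bytes.fromhex(json.loads(files["quote.json"])["quote"].removeprefix("0x"))
    report_data = quote[REPORT_DATA_OFFSET:REPORT_DATA_OFFSET + REPORT_DATA_LEN]
    # ASSUMPTION: the 32-byte digest fills the first half of report_data.
    expected = hashlib.sha256(files["sha256sum.txt"]).digest()
    if len(report_data) != REPORT_DATA_LEN or report_data[:32] != expected:
        failures.append("quote.json: report_data does not bind sha256sum.txt")
    return failures


def constructed_sample():
    """Constructed placeholder evidence; the quote is unsigned filler bytes."""
    files = {"acme-account.json": b'{"uri": "placeholder"}\n',
             "cert.pem": b"-----BEGIN CERTIFICATE-----\nplaceholder\n"}
    lines = [f"{hashlib.sha256(files[n]).hexdigest()}  {n}" for n in sorted(files)]
    files["sha256sum.txt"] = ("\n".join(lines) + "\n").encode()
    digest = hashlib.sha256(files["sha256sum.txt"]).digest()
    quote = bytes(REPORT_DATA_OFFSET) + digest + bytes(32)
    files["quote.json"] = json.dumps({"quote": quote.hex()}).encode()
    return files


if __name__ == "__main__":
    print(verify_evidence(constructed_sample()) or "evidence files are consistent")
```

This only checks that the files are consistent with each other; the quote's signature and certificate chain still have to be validated with a TDX quote verifier before report_data can be trusted.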