Setting Up Custom Domain
For users that want to bring their own domain for their CVM.
If you prefer video content, check the YouTube tutorial here.
Prerequisites
Host the DNS of your domain on Cloudflare (other providers will be supported soon)
Have access to the Cloudflare account with API token
Create Cloudflare API Token
If you have not generated an API Token for your custom domain management then follow these steps:
Deployment
For this deployment example, we will be an nginx
application where the dstack-ingress
container that will forward traffic the TARGET_ENDPOINT
that points to the app
service (running the nginx image) with an exposed port 80
. It is important to know that this can change based on how your docker app's compose file is configured.
Now on to the deployment. Go to you Phala Cloud Dashboard and deploy a new CVM. Select docker-compose.yml option for deployment then take the past the docker compose file below into the Advanced tab of the CVM configuration page.
services:
dstack-ingress:
image: kvin/dstack-ingress@sha256:2cc3bc50d71faa4d313084237b0f5d1d25963024f2484c7a6414aed075883cdd
ports:
- "443:443"
environment:
- DOMAIN=example.com
- TARGET_ENDPOINT=http://app:80
- CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
- GATEWAY_DOMAIN=_.${DSTACK_GATEWAY_DOMAIN}
- CERTBOT_EMAIL=${CERTBOT_EMAIL}
- SET_CAA=true
volumes:
- /var/run/tappd.sock:/var/run/tappd.sock
- cert-data:/etc/letsencrypt
restart: unless-stopped
app:
image: nginx # Replace with your application image
restart: unless-stopped
volumes:
cert-data: # Persistent volume for certificates
Here's an explanation of the configs:
DOMAIN
: Your custom domain (i.e.your-domain.com
).TARGET_ENDPOINT
: Where the ingress should forward all incoming traffic — i.e. the upstream applicationservice:port
. In this case, we point to the nginx serviceapp
on port80
.Other variables
CLOUDFLARE_API_TOKEN
: Your Cloudflare API tokenCERTBOT_EMAIL
: Your email address used for Let's Encrypt email notificationsSET_CAA
: Leave it totrue
to enable CAA record setup. Necessary for a secure zt-https setup.GATEWAY_DOMAIN
: Leave it unchanged. It points to the dstack gateway domain automatically populated by Phala Cloud.
Now copy and paste the docker-compose.yaml code above into the compose.yml section similar to the screenshot below.

Next you need to grab your Cloudflare API Token for your domain, and fill in your encrypted secrets.

Click Deploy button and your CVM will deploy in a couple minutes with the custom domain. Here is an example of a custom domain deployed to phala.incipient.ltd.

Congratulations! You've successfully deployed your CVM with a custom domain. Your application is now secured with Zero Trust HTTPS, thanks to the seamless integration of Cloudflare DNS and Let's Encrypt. If you are interested in the verification of this process check the Domain Attestation and Verification.
Troubleshooting
First, make sure you have configured it properly. dstack-ingress
is a sidecar in your docker compose file. When adding it, you should make sure:
You have configured the necessary environmental variables and encrypted secrets according as described above
Declare the
cert-data
volume in your docker compose file as it's used bydstack-ingress
dstack-ingress
service is connected to the same network as the service specified inTARGET_ENDPOINT
. e.g. If you setnetworks: [net1]
for your app, you should also have it indstack-ingress
.
After deploying your app, you can find the dstack-ingress
container logs. It should print logs like below:
2025-07-17T23:12:12.758817184Z Account registered.
2025-07-17T23:12:12.760403962Z Requesting a certificate for custom-test.phala.systems
2025-07-17T23:12:16.184509409Z Waiting 120 seconds for DNS changes to propagate
2025-07-17T23:14:22.000463333Z
2025-07-17T23:14:22.000488847Z Successfully received certificate.
# ...
2025-07-17T23:14:22.085351978Z Generated evidences successfully
# ...
2025-07-17T23:14:29.396160169Z [Thu Jul 17 23:14:29 UTC 2025] Next renewal check in 12 hours
Finally, access the custom domain. You should see nginx access logs in the dstack-ingress
container logs like below:
2025-07-17T23:16:15.748373090Z 10.0.3.1 - - [17/Jul/2025:23:16:15 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" "-"
Knowledge
Now you have the knowledge base on the custom domain deployment with a basic nginx dstack application. The features you have used to enable your custom domain are defined below:
Automatic SSL certificate provisioning and renewal via Let's Encrypt
Cloudflare DNS configuration for CNAME, TXT, and CAA records
Nginx reverse proxy to route traffic to your application
Certificate evidence generation for verification
Domain Attestation and Verification
The dstack-ingress system provides mechanisms to verify and attest that your custom domain endpoint is secure and properly configured. This comprehensive verification approach ensures the integrity and authenticity of your application.
Evidence Collection
When certificates are issued or renewed, the system automatically generates a set of cryptographically linked evidence files:
Access Evidence Files:
Evidence files are accessible at
https://your-domain.com/evidences/
Key files include
acme-account.json
,cert.pem
,sha256sum.txt
, andquote.json
Verification Chain:
quote.json
contains a TDX quote with the SHA-256 digest ofsha256sum.txt
embedded in the report_data fieldsha256sum.txt
contains cryptographic checksums of bothacme-account.json
andcert.pem
When the TDX quote is verified, it cryptographically proves the integrity of the entire evidence chain
Certificate Authentication:
acme-account.json
contains the ACME account credentials used to request certificatesWhen combined with the CAA DNS record, this provides evidence that certificates can only be requested from within this specific TEE application
cert.pem
is the Let's Encrypt certificate currently serving your custom domain
You can check the example of the deployment at phala.incipient.ltd/evidences/.

CAA Record Verification
If you've enabled CAA records (SET_CAA=true
), you can verify that only authorized Certificate Authorities can issue certificates for your domain:
dig CAA your-domain.com
The output will display CAA records that restrict certificate issuance exclusively to Let's Encrypt with your specific account URI, providing an additional layer of security.
TLS Certificate Transparency
All Let's Encrypt certificates are logged in public Certificate Transparency (CT) logs, enabling independent verification:
CT Log Verification:
Visit crt.sh and search for your domain
Confirm that the certificates match those issued by the dstack-ingress system
This public logging ensures that all certificates are visible and can be monitored for unauthorized issuance
Last updated
Was this helpful?