Setting Up Custom Domain

For users that want to bring their own domain for their CVM.

If you prefer video content, check the YouTube tutorial here.

Prerequisites

  • Host the DNS of your domain on Cloudflare (other providers will be supported soon)

  • Have access to the Cloudflare account with API token

Create Cloudflare API Token

If you have not generated an API Token for your custom domain management then follow these steps:

Create API Token

1️⃣ Go to your Cloudflare Dashboard

In your dashboard, select the domain you'd like to use and find the option to Get Your API Token

2️⃣ Create API Token

Select the Create Token button as shown below

3️⃣ Select a Template

The next page will have several templates. Select the template to Edit zone DNS as shown below

4️⃣ Finalize API Token Creation

Next select your domain in the Zone Resources section then click Continue to summary button as shown below

Congrats! You've now created your API Token to use for your environment variable.

Deployment

For more details, checkout the github repository for the dstack-ingress dstack examples.

For this deployment example, we will be an nginx application where the dstack-ingress container that will forward traffic the TARGET_ENDPOINT that points to the app service (running the nginx image) with an exposed port 80 . It is important to know that this can change based on how your docker app's compose file is configured.

Now on to the deployment. Go to you Phala Cloud Dashboard and deploy a new CVM. Select docker-compose.yml option for deployment then take the past the docker compose file below into the Advanced tab of the CVM configuration page.

services:
  dstack-ingress:
    image: kvin/dstack-ingress@sha256:2cc3bc50d71faa4d313084237b0f5d1d25963024f2484c7a6414aed075883cdd
    ports:
      - "443:443"
    environment:
      - DOMAIN=example.com
      - TARGET_ENDPOINT=http://app:80
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - GATEWAY_DOMAIN=_.${DSTACK_GATEWAY_DOMAIN}
      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
      - SET_CAA=true
    volumes:
      - /var/run/tappd.sock:/var/run/tappd.sock
      - cert-data:/etc/letsencrypt
    restart: unless-stopped
  app:
    image: nginx  # Replace with your application image
    restart: unless-stopped
volumes:
  cert-data:  # Persistent volume for certificates

Here's an explanation of the configs:

  • DOMAIN: Your custom domain (i.e. your-domain.com ).

  • TARGET_ENDPOINT: Where the ingress should forward all incoming traffic — i.e. the upstream application service:port. In this case, we point to the nginx service app on port 80.

  • Other variables

    • CLOUDFLARE_API_TOKEN: Your Cloudflare API token

    • CERTBOT_EMAIL: Your email address used for Let's Encrypt email notifications

    • SET_CAA: Leave it to true to enable CAA record setup. Necessary for a secure zt-https setup.

    • GATEWAY_DOMAIN: Leave it unchanged. It points to the dstack gateway domain automatically populated by Phala Cloud.

Understanding TARGET_ENDPOINT

Why is TARGET_ENDPOINT important?

  • Tell the proxy where to send traffic When a request arrives at https://your-custom-domain.com, dstack-ingress decrypts TLS and then forwards the HTTP payload to exactly the URL in TARGET_ENDPOINT.

    https://your-custom-domain.com  →  dstack-ingress  →  http://app:80
  • Decouples host networking from container internals Your app can stay on port 80 (or 3000, or the exposed port of your app), and you never have to re-map host ports. The ingress simply forwards traffic to “app:80” over the Docker internal network.

In the following example, we will show a more complex configuration for an ElizaOS Deployment where the docker app has a Postgresql + pgvector container that serves as a DB for the ElizaOS eliza container. The SERVER_PORT is expected to be port 3000 in this example where the dstack-ingress will forward traffic through the DOMAIN environment variable.

version: '3.8'
services:
  postgres:
    image: ankane/pgvector:latest
    environment:
        - POSTGRES_PASSWORD=postgres
        - POSTGRES_USER=postgres
        - POSTGRES_DB=eliza
        - PGDATA=/var/lib/postgresql/data/pgdata
    volumes:
        - postgres-data:/var/lib/postgresql/data
    ports:
        - "127.0.0.1:5432:5432"
    healthcheck:
        test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
        interval: 5s
        timeout: 5s
        retries: 5
    restart: always
    networks:
      - eliza-network

  eliza:
    image: hashwarlock/elizaos:beta0
    command: sh -c "bun run start"
    volumes:
      - /var/run/tappd.sock:/var/run/tappd.sock
    environment:
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - SERVER_PORT=${SERVER_PORT}
      - POSTGRES_URL=postgres://postgres:postgres@postgres:5432/eliza
    depends_on:
      postgres:
        condition: service_healthy
    restart: always
    networks:
      - eliza-network

  dstack-ingress:
    image: kvin/dstack-ingress@sha256:2cc3bc50d71faa4d313084237b0f5d1d25963024f2484c7a6414aed075883cdd
    ports:
      - "443:443"
    environment:
      - DOMAIN=example.com
      - TARGET_ENDPOINT=http://eliza:3000
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - GATEWAY_DOMAIN=_.${DSTACK_GATEWAY_DOMAIN}
      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
      - SET_CAA=true
    volumes:
      - /var/run/tappd.sock:/var/run/tappd.sock
      - cert-data:/etc/letsencrypt
    restart: unless-stopped
    networks:
      - eliza-network

networks:
  eliza-network:
    driver: bridge

volumes:
  postgres-data:
  cert-data:

Now copy and paste the docker-compose.yaml code above into the compose.yml section similar to the screenshot below.

Next you need to grab your Cloudflare API Token for your domain, and fill in your encrypted secrets.

Click Deploy button and your CVM will deploy in a couple minutes with the custom domain. Here is an example of a custom domain deployed to phala.incipient.ltd.

Congratulations! You've successfully deployed your CVM with a custom domain. Your application is now secured with Zero Trust HTTPS, thanks to the seamless integration of Cloudflare DNS and Let's Encrypt. If you are interested in the verification of this process check the Domain Attestation and Verification.

Troubleshooting

First, make sure you have configured it properly. dstack-ingress is a sidecar in your docker compose file. When adding it, you should make sure:

  1. You have configured the necessary environmental variables and encrypted secrets according as described above

  2. Declare the cert-data volume in your docker compose file as it's used by dstack-ingress

  3. dstack-ingress service is connected to the same network as the service specified in TARGET_ENDPOINT . e.g. If you set networks: [net1] for your app, you should also have it in dstack-ingress .

After deploying your app, you can find the dstack-ingress container logs. It should print logs like below:

2025-07-17T23:12:12.758817184Z Account registered.
2025-07-17T23:12:12.760403962Z Requesting a certificate for custom-test.phala.systems
2025-07-17T23:12:16.184509409Z Waiting 120 seconds for DNS changes to propagate
2025-07-17T23:14:22.000463333Z 
2025-07-17T23:14:22.000488847Z Successfully received certificate.
# ...
2025-07-17T23:14:22.085351978Z Generated evidences successfully
# ...
2025-07-17T23:14:29.396160169Z [Thu Jul 17 23:14:29 UTC 2025] Next renewal check in 12 hours

Finally, access the custom domain. You should see nginx access logs in the dstack-ingress container logs like below:

2025-07-17T23:16:15.748373090Z 10.0.3.1 - - [17/Jul/2025:23:16:15 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" "-"

Knowledge

Now you have the knowledge base on the custom domain deployment with a basic nginx dstack application. The features you have used to enable your custom domain are defined below:

  • Automatic SSL certificate provisioning and renewal via Let's Encrypt

  • Cloudflare DNS configuration for CNAME, TXT, and CAA records

  • Nginx reverse proxy to route traffic to your application

  • Certificate evidence generation for verification

Read The Full Explanation

The dstack-ingress system provides a seamless way to set up custom domains for dstack applications with automatic SSL certificate management. Here's how it works:

  1. Initial Setup:

    • When first deployed, the container automatically obtains SSL certificates from Let's Encrypt using DNS validation

    • It configures Cloudflare DNS by creating necessary CNAME, TXT, and optional CAA records

    • Nginx is configured to use the obtained certificates and proxy requests to your application

  2. DNS Configuration:

    • A CNAME record is created to point your custom domain to the dstack gateway domain

    • A TXT record is added with application identification information to help dstack-gateway to route traffic to your application

    • If enabled, CAA records are set to restrict which Certificate Authorities can issue certificates for your domain

  3. Certificate Management:

    • Select the Create Token button as shown below

    • SSL certificates are automatically obtained during initial setup

    • A scheduled task runs twice daily to check for certificate renewal

    • When certificates are renewed, Nginx is automatically reloaded to use the new certificates

  4. Evidence Generation:

    • The system generates evidence files for verification purposes

    • These include the ACME account information and certificate data

    • Evidence files are accessible through a dedicated endpoint

Domain Attestation and Verification

The dstack-ingress system provides mechanisms to verify and attest that your custom domain endpoint is secure and properly configured. This comprehensive verification approach ensures the integrity and authenticity of your application.

Evidence Collection

When certificates are issued or renewed, the system automatically generates a set of cryptographically linked evidence files:

  1. Access Evidence Files:

    • Evidence files are accessible at https://your-domain.com/evidences/

    • Key files include acme-account.json, cert.pem, sha256sum.txt, and quote.json

  2. Verification Chain:

    • quote.json contains a TDX quote with the SHA-256 digest of sha256sum.txt embedded in the report_data field

    • sha256sum.txt contains cryptographic checksums of both acme-account.json and cert.pem

    • When the TDX quote is verified, it cryptographically proves the integrity of the entire evidence chain

  3. Certificate Authentication:

    • acme-account.json contains the ACME account credentials used to request certificates

    • When combined with the CAA DNS record, this provides evidence that certificates can only be requested from within this specific TEE application

    • cert.pem is the Let's Encrypt certificate currently serving your custom domain

You can check the example of the deployment at phala.incipient.ltd/evidences/.

CAA Record Verification

If you've enabled CAA records (SET_CAA=true), you can verify that only authorized Certificate Authorities can issue certificates for your domain:

dig CAA your-domain.com

The output will display CAA records that restrict certificate issuance exclusively to Let's Encrypt with your specific account URI, providing an additional layer of security.

TLS Certificate Transparency

All Let's Encrypt certificates are logged in public Certificate Transparency (CT) logs, enabling independent verification:

CT Log Verification:

  • Visit crt.sh and search for your domain

  • Confirm that the certificates match those issued by the dstack-ingress system

  • This public logging ensures that all certificates are visible and can be monitored for unauthorized issuance

Last updated

Was this helpful?