This guide explains how to configure dstack-ingress to work with different DNS providers for managing custom domains and SSL certificates.
- Cloudflare - The original and default provider
- Linode DNS - For Linode-hosted domains
- Namecheap - For Namecheap-hosted domains
- Route53 - For AWS hosted domains
DOMAIN- Your custom domain (e.g.,app.example.com)GATEWAY_DOMAIN- dstack gateway domain (e.g.,_.dstack-prod5.phala.network)CERTBOT_EMAIL- Email for Let's Encrypt registrationTARGET_ENDPOINT- Backend application endpoint to proxy toDNS_PROVIDER- DNS provider to use (cloudflare,linode,namecheap)
SET_CAA- Enable CAA record setup (default: false)PORT- HTTPS port (default: 443)TXT_PREFIX- Prefix for TXT records (default: "_tapp-address")ALIAS_DOMAIN- An additional domain to include as a Subject Alternative Name (SAN) on the TLS certificate and in nginxserver_name. When set, the node's certificate covers bothDOMAINandALIAS_DOMAIN, and nginx will accept requests for either hostname.
DNS_PROVIDER=cloudflare
CLOUDFLARE_API_TOKEN=your-api-tokenRequired Permissions:
- Zone:Read
- DNS:Edit
DNS_PROVIDER=linode
LINODE_API_TOKEN=your-api-tokenRequired Permissions:
- Domains: Read/Write access
Important Note for Linode:
- Linode has a limitation where CAA and CNAME records cannot coexist on the same subdomain
- To work around this, the system will attempt to use A records instead of CNAME records
- If the gateway domain can be resolved to an IP, an A record will be created
- If resolution fails, it falls back to CNAME (but CAA records won't work on that subdomain)
- This is a Linode-specific limitation not present in other providers
DNS_PROVIDER=namecheap
NAMECHEAP_USERNAME=your-username
NAMECHEAP_API_KEY=your-api-key
NAMECHEAP_CLIENT_IP=your-client-ipRequired Credentials:
NAMECHEAP_USERNAME- Your Namecheap account usernameNAMECHEAP_API_KEY- Your Namecheap API key (from https://ap.www.namecheap.com/settings/tools/apiaccess/)NAMECHEAP_CLIENT_IP- The IP address of the node (required for Namecheap API authentication)
Important Notes for Namecheap:
- Namecheap API requires node IP address for authentication, and you need add it to whitelist IP first.
- Namecheap doesn't support CAA records through their API currently
- The certbot plugin uses the format
certbot-dns-namecheappackage
DNS_PROVIDER=route53
AWS_ACCESS_KEY_ID=service-account-key-that-can-assume-role
AWS_SECRET_ACCESS_KEY=service-account-secret-that-can-assume-role
AWS_ROLE_ARN=role-that-can-mod-route53
AWS_REGION=your-closest-regionRequired Permissions:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowDnsChallengeChanges
Effect: Allow
Action:
- route53:ChangeResourceRecordSets
Resource: !Sub arn:aws:route53:::hostedzone/${HostedZoneId}
- Sid: AllowListingForDnsChallenge
Effect: Allow
Action:
- route53:ListHostedZonesByName
- route53:ListHostedZones
- route53:GetChange
- route53:ListResourceRecordSetsImportant Notes for Route53:
- The certbot plugin uses the format
certbot-dns-route53package - CAA will merge AWS & Let's Encrypt CA domains to existing records if they exist
- It is essential that the AWS service account used can only assume the limited role. See cloudformation example.
version: '3.8'
services:
ingress:
image: dstack-ingress:latest
ports:
- "443:443"
environment:
# Common configuration
- DNS_PROVIDER=linode
- DOMAIN=app.example.com
- GATEWAY_DOMAIN=_.dstack-prod5.phala.network
- CERTBOT_EMAIL=admin@example.com
- TARGET_ENDPOINT=http://backend:8080
# Linode specific
- LINODE_API_TOKEN=your-api-token
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./evidences:/evidencesversion: '3.8'
services:
ingress:
image: dstack-ingress:latest
ports:
- "443:443"
environment:
# Common configuration
- DNS_PROVIDER=namecheap
- DOMAIN=app.example.com
- GATEWAY_DOMAIN=_.dstack-prod5.phala.network
- CERTBOT_EMAIL=admin@example.com
- TARGET_ENDPOINT=http://backend:8080
# Namecheap specific
- NAMECHEAP_USERNAME=your-username
- NAMECHEAP_API_KEY=your-api-key
- NAMECHEAP_CLIENT_IP=your-public-ip
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./evidences:/evidencesservices:
dstack-ingress:
image: dstack-ingress:latest
restart: unless-stopped
volumes:
- /var/run/dstack.sock:/var/run/dstack.sock
- cert-data:/etc/letsencrypt
ports:
- 443:443
environment:
DNS_PROVIDER: route53
DOMAIN: app.example.com
GATEWAY_DOMAIN: _.${DSTACK_GATEWAY_DOMAIN}
AWS_REGION: ${AWS_REGION}
AWS_ROLE_ARN: ${AWS_ROLE_ARN}
AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
CERTBOT_EMAIL: ${CERTBOT_EMAIL}
TARGET_ENDPOINT: http://backend:8080
SET_CAA: 'true'
If you're currently using the Cloudflare-only version:
- No changes needed for Cloudflare users - The default behavior remains Cloudflare
- For other providers - Add the
DNS_PROVIDERenvironment variable and provider-specific credentials
If you see "Could not detect DNS provider type", ensure you have either:
- Set
DNS_PROVIDERenvironment variable explicitly, OR - Set provider-specific credential environment variables (e.g.,
CLOUDFLARE_API_TOKEN)
Different providers may have different propagation times. The default is 120 seconds, but you may need to adjust based on your provider's behavior.
Ensure your API tokens/credentials have the necessary permissions listed above for your provider.
- Go to https://dash.cloudflare.com/profile/api-tokens
- Create token with Zone:Read and DNS:Edit permissions
- Scope to specific zones if desired
- Go to https://cloud.linode.com/profile/tokens
- Create a Personal Access Token
- Grant "Domains" Read/Write access
- Go to https://ap.www.namecheap.com/settings/tools/api-access/
- Enable API access for your account
- Note down your API key and username
- Make sure your IP address is whitelisted in the API settings