Domains & SSL
Cloud OS uses an embedded Caddy reverse proxy to handle HTTPS certificates, domain routing, and secure headers for all your applications. Every installed app gets a reverse proxy route automatically, and you can add custom domains with automatic SSL provisioning via Let’s Encrypt.
How It Works
Caddy runs as an embedded Go library inside the Cloud OS binary — not as a separate process. When you install an app, Cloud OS automatically:
- Creates a reverse proxy route pointing to the app container
- Assigns a subdomain based on the app name and your hostname
- Requests a TLS certificate from Let’s Encrypt (HTTP-01 challenge)
- Configures secure headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options)
- Redirects all HTTP traffic to HTTPS
No manual Nginx or Apache configuration is needed.
Adding a Custom Domain
- Navigate to Domains & SSL from the sidebar
- Click Add Domain
- The wizard walks you through three steps:
Step 1: Enter Domain
Type the domain name you want to use (e.g., cloud.example.com) and select which app it should point to.
Step 2: Configure DNS
Cloud OS shows the exact DNS records to create at your registrar:
| Record Type | Name | Value |
|---|---|---|
| A | cloud.example.com | YOUR_SERVER_IP |
| AAAA | cloud.example.com | YOUR_SERVER_IPV6 (if applicable) |
The DNS helper tool verifies your records in real time and shows a green checkmark when propagation is complete.
DNS propagation can take up to 48 hours, but most providers update within a few minutes. Cloud OS checks every 30 seconds during the wizard.
Step 3: Confirm
Once DNS is verified, click Confirm to activate the domain. Cloud OS requests a TLS certificate and begins routing traffic to your app.
Managing Domains
The Domains page shows all configured domains with their status:
| Column | Description |
|---|---|
| Domain | The fully qualified domain name |
| App | The app this domain points to |
| SSL Status | Valid, Expiring Soon, or Expired |
| Certificate Expiry | Date the TLS certificate expires |
SSL Certificate Inspection
Click any domain to view full SSL certificate details:
- Issuer (Let’s Encrypt)
- Serial number
- Valid from and valid until dates
- Subject Alternative Names (SANs)
Certificate Renewal
Caddy automatically renews certificates before they expire. No cron jobs or certbot setup is needed. If renewal fails (for example, due to a DNS change), Cloud OS shows a warning on the Domains page and triggers an alert if you have SSL expiry alerts configured.
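The SSL Status column and the certificate details above can be reproduced from a parsed certificate. The following is an added Go example, not Cloud OS or Caddy code: it extracts the fields the Domains page shows and derives the status, using an in-memory self-signed certificate as constructed test data, and it assumes a 30-day "Expiring Soon" window, which the documentation does not specify.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// CertInfo mirrors the Domains page: issuer, serial, validity window, SANs
// and the derived SSL Status column ("Valid", "Expiring Soon" or "Expired").
type CertInfo struct {
	Issuer, Serial, Status string
	NotBefore, NotAfter    time.Time
	SANs                   []string
}
// Inspect derives the Domains-page view of a parsed certificate as of now. The
// "Expiring Soon" window is an assumption; 30 days suits 90-day Let's Encrypt certs.
func Inspect(cert *x509.Certificate, now time.Time, soon time.Duration) CertInfo {
	info := CertInfo{
		Issuer: cert.Issuer.String(), Serial: cert.SerialNumber.Text(16),
		NotBefore: cert.NotBefore, NotAfter: cert.NotAfter, SANs: cert.DNSNames,
	}
	switch {
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		info.Status = "Expired" // outside the validity window, incl. not yet valid
	case cert.NotAfter.Sub(now) <= soon:
		info.Status = "Expiring Soon"
	default:
		info.Status = "Valid"
	}
	return info
}
// NewTestCert builds a self-signed certificate in memory (constructed test data) so
// the example runs offline; in practice the certificate comes from the live endpoint.
func NewTestCert(sans []string, notBefore time.Time, days int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1a2b3c), // constructed serial
		Subject:      pkix.Name{CommonName: sans[0]}, // self-signed: issuer == subject
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

To check a deployed domain instead of the constructed certificate, obtain the leaf certificate from a TLS connection to the host and pass it to Inspect with time.Now().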
Wildcard Certificates
For wildcard certificates (e.g., *.example.com), you need a DNS provider that supports the DNS-01 challenge. Configure your DNS provider API credentials in Domains > Settings:
- Select your DNS provider (Cloudflare, Route53, DigitalOcean, etc.)
- Enter API credentials
- Add the wildcard domain
Caddy uses the DNS-01 challenge to validate ownership and issue a wildcard certificate.
Subdomain Routing
By default, each installed app is accessible at a subdomain based on its name:
https://nextcloud.server.example.com
This requires a wildcard DNS record pointing *.server.example.com to your server IP address. With a wildcard certificate configured, all app subdomains are covered by a single certificate.
You can also assign custom domains to individual apps, routing traffic from any domain to any app.
Reverse Proxy Headers
Cloud OS generates the Caddy configuration programmatically. For each app route, the following security headers are set by default:
| Header | Value |
|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin-when-cross-origin |
Troubleshooting
SSL certificate not issued
Ensure port 80 is open on your firewall. Let’s Encrypt uses the HTTP-01 challenge, which requires an inbound connection on port 80. Also verify that your DNS A record points to the correct server IP.
To confirm that the server answers on port 80, run from outside your network:
curl -I http://your-domain.com
Domain shows “DNS not verified”
Double-check the DNS records at your registrar. Use dig or nslookup to verify the record has propagated:
dig A cloud.example.com +short
The result should show your server IP address.
App not accessible after adding domain
Verify the app is running. Go to Apps > Installed and check the app status. Also confirm that the reverse proxy route was created by checking the Domains page for the new entry.
Certificate renewal failed
Check the Cloud OS logs for Caddy renewal errors. Common causes include changed DNS records, firewall rules blocking port 80, or rate limit exhaustion from Let’s Encrypt (5 certificates per domain per week).