Control plane domains and SSL

TLS certificates and hostnames for the self-hosted dashboard and Traefik (control plane).

Written By Zoro

Last updated 3 days ago

This page is about the dashboard and Traefik stack you run for self-hosted dFlow.

It is not about custom domains for individual Services your teams deploy; for that, read Domains and SSL under Deployments and Operations in the sidebar in Deployments and Operations.

1. Decide hostnames

Pick a stable hostname (or wildcard) for the UI, for example dflow.company.internal or control.company.com. Set NEXT_PUBLIC_WEBSITE_URL to the full origin users will open (including https: when TLS is enabled).

Align WILD_CARD_DOMAIN and NEXT_PUBLIC_PROXY_DOMAIN_URL with the same DNS plan so generated proxy config and UI links stay consistent.

2. DNS records

  • A or AAAA records pointing to the load balancer or VM that runs Traefik, or
  • CNAME to an elastic hostname if your cloud provides one.

For Let's Encrypt DNS-01 via Cloudflare, create the API token referenced as CF_DNS_API_TOKEN in docker-compose.yml with only the zones you need.

3. Traefik static and dynamic config

The reference Compose file mounts:

  • ./traefik.yaml as the static config
  • ./acme.json for ACME account and certificates
  • ./dynamic for generated routes

Operators must supply files appropriate to their environment. Common tasks:

  1. Create an empty acme.json on the host and chmod 600 acme.json before the first Traefik start.
  2. Point certificate resolvers at your DNS provider (for example Cloudflare).
  3. Route the dashboard router to the payload-app service port Traefik expects (follow your traefik.yaml).

If your checkout does not include a committed traefik.yaml, copy or create one from your deployment playbook; the exact contents are site-specific.

4. First certificate issuance

  1. Bring traefik up with valid env and config.
  2. Confirm DNS has propagated to the challenge names (HTTP-01 or DNS-01).
  3. Watch traefik logs for ACME success before sending users to HTTPS.

5. Renewal and rotation

Traefik renews certificates automatically when acme.json is writable and DNS credentials remain valid. Put acme.json on persistent storage if the VM is ephemeral. After rotating CF_DNS_API_TOKEN, restart Traefik.

6. Split horizon and internal CA

Some teams terminate TLS on a corporate proxy and run HTTP internally. If you do that, still set NEXT_PUBLIC_WEBSITE_URL to what browsers use externally, and ensure the proxy forwards WebSockets if the dashboard requires them.

Related