Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Nettalco/dokploy/llms.txt

Use this file to discover all available pages before exploring further.

Dokploy uses Traefik as its built-in reverse proxy and handles all domain routing and SSL certificate management automatically. When you add a domain to an application or Compose service, Dokploy writes the corresponding Traefik router and service configuration in real time — no manual YAML editing or container restarts required. Let’s Encrypt certificates are provisioned and renewed automatically for any domain pointed at your server.

How Domains Work

Every application and Compose stack deployed by Dokploy is registered as a Traefik service on the internal Docker network. Traefik watches for configuration changes in its dynamic configuration directory, picks up new router rules immediately, and routes incoming HTTP/HTTPS requests to the correct container. The flow for a new domain:
  1. You add a domain in the Dokploy dashboard.
  2. Dokploy writes a Traefik dynamic configuration file for the router, service, and (if HTTPS) the TLS resolver.
  3. Traefik detects the new file and activates the route within seconds.
  4. If Let’s Encrypt is selected, Traefik contacts the ACME endpoint, completes the HTTP-01 challenge, and stores the certificate automatically.
DNS must be propagated before Let’s Encrypt can issue a certificate. Point your domain’s A record (or CNAME) to your server’s IP address and allow up to 24–48 hours for global propagation, though most records resolve within minutes.

Adding a Domain to an Application

1

Open the application

Navigate to the project and click on the application or Compose stack you want to expose.
2

Open the Domains tab

Click the Domains tab on the service detail page.
3

Add a domain

Click Add Domain and fill in the following fields:
FieldDescription
HostThe fully-qualified domain name, e.g. app.example.com
HTTPSEnable to use TLS; Traefik will request a certificate
PortThe port your container listens on (default: 3000)
PathOptional path prefix for sub-path routing (default: /)
Certificate Typeletsencrypt for automatic ACME certs, custom for an uploaded certificate, or none for HTTP only
Service Name(Compose only) The compose service to route traffic to
4

Save

Click Save. Dokploy immediately writes the Traefik configuration. If HTTPS is enabled and letsencrypt is selected, Traefik requests a certificate from Let’s Encrypt within seconds.

HTTPS and Certificate Types

Dokploy supports three certificate modes, controlled by the certificateType field on each domain:
The default and recommended option for public-facing domains. Traefik automatically requests, installs, and renews certificates from Let’s Encrypt using the HTTP-01 ACME challenge.Requirements:
  • Port 80 must be publicly reachable on the server (for the ACME challenge).
  • The domain’s DNS A record must point to the server’s IP.
Certificates are renewed automatically before expiry — no manual action needed.

Domain Validation

Before saving a domain, you can check whether DNS has propagated using the Validate Domain feature. Dokploy resolves the provided hostname and compares the returned IP address against the server’s configured IP.
# The validateDomain endpoint checks:
# 1. Resolves the hostname via DNS
# 2. Compares the result to the server's known IP address
# 3. Returns a match/mismatch result

Input:  { domain: "app.example.com", serverIp: "203.0.113.10" }
Result: { valid: true } or { valid: false, resolvedIp: "..." }
Domain validation is advisory — you can still save a domain before DNS propagates. The Traefik route will be created immediately; Let’s Encrypt will succeed once DNS resolves correctly.

Auto-Generated Domains

For quick testing without a real domain, Dokploy can generate a temporary .traefik.me subdomain. These domains use a wildcard DNS entry (*.traefik.me) that resolves to any IP address, so no DNS configuration is needed on your side. Click Generate Domain on any application’s Domains tab to get a domain in the format <random>.<server-ip>.traefik.me. The canGenerateTraefikMeDomains check confirms that your server IP is configured before showing the option.
.traefik.me domains are intended for development and testing only. They do not offer HTTPS via Let’s Encrypt because the IP-based wildcard DNS cannot be used for ACME validation. Use a real domain for production deployments.

Dashboard Domain

By default the Dokploy dashboard is served on port 3000. You can assign a custom domain to the dashboard itself so it is accessible at https://dokploy.example.com:
  1. Navigate to Settings → Server.
  2. Under Dashboard Domain, enter your desired hostname.
  3. Click Save (settings.assignDomainServer).
Dokploy configures a Traefik router for the dashboard and, if HTTPS is enabled, requests a Let’s Encrypt certificate for the domain.

Certificates Management

The dedicated Certificates panel (under Settings → Certificates) lets you manage custom TLS certificates independently of individual domains:
  • Upload a certificate with its private key.
  • Update an existing certificate (e.g. after manual renewal).
  • Delete certificates that are no longer in use.
Uploaded certificates are stored on the server and referenced by Traefik’s TLS configuration. They can be associated with a specific remote server if you are running a multi-server Dokploy setup.

Security Headers and Redirects

HTTP → HTTPS Redirect

When HTTPS is enabled on a domain, Dokploy automatically configures a Traefik middleware that permanently redirects all HTTP traffic (http://) to HTTPS (https://). No additional configuration is required.

Middlewares

Each domain entry supports an array of Middlewares — named Traefik middleware references that can add security headers, rate limiting, basic auth, or other request transformations. Middleware names must correspond to Traefik middleware configurations already defined on your server.
# Example: referencing a Traefik middleware that adds security headers
middlewares:
  - security-headers@file
  - rate-limit@file

Strip Path

Enable Strip Path on a domain to have Traefik remove the path prefix before forwarding the request to your container. Useful when routing sub-paths to different services.

Forward Auth

Each domain also supports a Forward Auth toggle that delegates authentication decisions to an external auth server (e.g. Authelia or Authentik) before passing the request through to the application.
Wildcard certificates (e.g. *.example.com) require a DNS-01 ACME challenge, which means your DNS provider must support programmatic record creation via an API. Traefik supports many DNS providers through its certResolvers configuration, but this requires additional setup beyond Dokploy’s default configuration. For most use cases, per-hostname Let’s Encrypt certificates using the HTTP-01 challenge are simpler and work out of the box.

Build docs developers (and LLMs) love