DNS and Proxy Configuration Guide
This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications, with specific implementation details for Cloudflare.
DNS Configuration​
DNS records for Zerops services can be configured in two main ways:
- With Proxy: Routes traffic through proxy services, providing additional security and performance features (recommended for DDoS protection)
- Without Proxy (DNS Only): Direct connection to your Zerops service's IP address
DNS allows you to set two records based on IP address type:
- A record for IPv4 - Zerops offers either a free shared IPv4 or a paid dedicated IPv4
- AAAA record for IPv6 - Zerops provides a free dedicated IPv6
With Proxy​
IPv6 only​
Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for both IPv4 and IPv6 users.
Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
Dedicated IPv4​
Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
Shared IPv4 (valid but NOT recommended)​
It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use IPv6 only setup instead.
Without Proxy​
Shared IPv4​
Adding AAAA record is essential for shared IPv4 configuration as it serves as a security measure to prevent unauthorized domain claims.
Dedicated IPv4​
Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
IPv6 only​
This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
Wildcard Domain Configuration​
Zerops supports wildcard domains (*.<your-domain>
) that allow routing all subdomains to your project.
DNS Configuration​
Method A: Direct configuration of A and AAAA records​
Configure wildcard DNS records following the same patterns described in the DNS Configuration section, using *.<your-domain>
in the Name field:
Method B: Using a CNAME record​
First configure A and AAAA records for your main domain (<your-domain>
), then set up a CNAME record:
Certificate Validation​
For proper HTTPS certificate functionality with wildcard domains, configure:
This record enables Zerops to issue and verify a wildcard certificate for your domain.
Higher-Level Wildcard Subdomains​
You can also set up higher-level wildcard subdomains like *.<subdomain>.<your-domain>
:
Method A: Direct configuration​
Method B: Using a CNAME record​
or
For certificate validation:
Combining Main Domain and Wildcard Domain​
To use both <your-domain>
and *.<your-domain>
, specify both variants in your Zerops configuration. Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
Cloudflare-Specific Configuration​
SSL/TLS Mode​
Set encryption mode to Full (strict)
or Full
- Ensures end-to-end encryption
- Full mode requires any SSL certificate (even if self-signed/expired), while Full (strict) requires a valid certificate
Certificate Management​
- Enable Edge Certificates to allow Cloudflare to manage SSL/TLS certificates
- During initial setup, handle HTTPS settings in one of two ways:
- Option A (Simple but Limited):
- Disable
Always Use HTTPS
- Disable
- Option B (Recommended for Production):
- Keep
Always Use HTTPS
enabled - Create and enable a Configuration Rule, which disables Automatic HTTPS Rewrites for this specific path: This rule disables Automatic HTTPS Rewrites for the certificate validation path.
- Keep
- Option A (Simple but Limited):
Validation Steps​
Test your configuration:
Troubleshooting Guide​
-
DNS Resolution Issues
- Confirm correct record configuration
- Verify proxy status settings
- Check IPv6 address accuracy
- Allow time for DNS propagation (typically 5-10 minutes)
-
Connection Problems
- Test both IPv4 and IPv6 connectivity
- Check proxy server status if applicable
- Confirm port configurations
-
Certificate Issues
- Verify proper _acme-challenge CNAME configuration for wildcard domains
- Check that DNS records match the domains configured in Zerops
- Cloudflare-specific certificate problems:
- Verify
Always Use HTTPS
is disabled - If you encounter too many redirects or similar SSL errors:
- Double-check that SSL/TLS encryption mode is set to Full or Full (strict), not Flexible
- SSL mode might show incorrectly for newly added domains, try refreshing the page if settings appear incorrect
- Verify
Technical Background​
Understanding Shared IPv4 Addresses​
Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
- When a visitor makes a request, it first arrives at the shared IPv4 address
- The system looks at the domain name in the request (using SNI - Server Name Indication)
- For security, it checks if this domain properly resolves to your project's IPv6 address
- Only if IPv6 address matches your project will the traffic be routed correctly
This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
Certificate Verification Methods​
When issuing SSL/TLS certificates, different verification methods are used depending on the certificate type:
HTTP-01 vs DNS-01 Verification​
-
Regular certificates (for a single domain like
<your-domain>
) are typically issued using the HTTP-01 challenge method. This verification checks that you control the domain by placing a specific file at a specific URL. -
Wildcard certificates (for domains like
*.<your-domain>
) must be issued using the DNS-01 challenge method. This method requires creating specific TXT records in your DNS configuration.
How Zerops Handles Wildcard Certificate Verification​
Zerops simplifies the DNS-01 challenge process:
- You create a CNAME record (e.g.,
_acme-challenge.<your-domain> CNAME <your-domain>.zerops.zone
) - When a certificate needs to be issued or renewed, Zerops automatically creates the required TXT records on its
zerops.zone
domain - The certificate authority verifies these TXT records through the CNAME redirection
- Once verified, the wildcard certificate is issued without requiring manual intervention