Custom Domains

Configure custom domains, wildcard DNS, and automatic TLS certificates for your Outpost services.

Every Outpost service receives a default endpoint at <service-id>.onoutpost.com. Custom domains let you serve traffic from your own domain with automatic TLS certificates, wildcard subdomains, and full DNS control.

Add a custom domain

Open your service in the Outpost dashboard and navigate to the Settings tab.

In the Public Networking section, click + Custom Domain.

Enter your domain name (e.g., `api.yourdomain.com`). Wildcard domains like `*.yourdomain.com` are also supported.

Outpost provides a target domain (e.g., `abc123.onoutpost.com`). Add a DNS record pointing your domain to this target.

For subdomains (including `www`): Create a CNAME record.

For root/apex domains: See the Root domains section below.

Wait for Outpost to verify your DNS record. Once verified, a green checkmark appears next to your domain in the dashboard.

DNS propagation

DNS changes can take up to 72 hours to propagate worldwide, though most providers complete propagation within minutes.

DNS record setup

Subdomain (CNAME)

For any subdomain -- api.yourdomain.com, www.yourdomain.com, app.yourdomain.com -- create a CNAME record:

Type	Name	Value
`CNAME`	`api`	`abc123.onoutpost.com`

Replace abc123.onoutpost.com with the target domain provided by Outpost.

Root and apex domains

Standard DNS does not allow CNAME records at the root level (yourdomain.com). The approach depends on your DNS provider:

Provider	Record type	Notes
Cloudflare	CNAME	Cloudflare supports CNAME flattening at the root. Create a standard CNAME record.
DNSimple	ALIAS	Use an ALIAS record pointed at your Outpost domain.
Namecheap	CNAME	Namecheap supports root-level CNAME records.
Other providers	Varies	Check if your provider supports ALIAS, ANAME, or CNAME flattening.

Provider does not support root CNAME?

You can change your domain's nameservers to Cloudflare (free tier), which supports CNAME flattening at the root. Follow Cloudflare's nameserver setup guide.

TLS / SSL certificates

Outpost automatically provisions and renews Let's Encrypt certificates for every custom domain. No configuration is required.

Certificates are issued after DNS verification completes.
Renewal happens automatically before expiration.
All traffic is served over HTTPS. HTTP requests are redirected to HTTPS.

External certificates

Outpost does not support uploading external SSL certificates. All domains use automatically provisioned Let's Encrypt certificates.

Wildcard domains

Wildcard domains (*.yourdomain.com) route all subdomain traffic to your service. This is useful for multi-tenant applications, branch preview deployments, or any pattern where subdomains are dynamic.

When you add a wildcard domain, Outpost provides two CNAME targets:

Record	Type	Name	Value
Wildcard	`CNAME`	`*`	`abc123.onoutpost.com`
ACME challenge	`CNAME`	`_acme-challenge`	`def456.onoutpost.com`

The _acme-challenge record is required for Outpost to issue and renew the wildcard SSL certificate.

Wildcard domain rules

Wildcards apply to a single subdomain level. *.yourdomain.com matches app.yourdomain.com but not api.staging.yourdomain.com.
Nested wildcards (*.*.yourdomain.com) are not supported.
The _acme-challenge CNAME must not be proxied by your DNS provider (e.g., disable the orange cloud in Cloudflare).

Cloudflare-specific configuration

If you use Cloudflare as your DNS provider, follow these additional steps:

Proxied domains

If Cloudflare proxying is enabled (orange cloud), you must set your SSL/TLS mode to Full or Full (Strict) in Cloudflare's dashboard. Otherwise, you will encounter ERR_TOO_MANY_REDIRECTS.

Wildcard domains on Cloudflare

For wildcard domains with Cloudflare:

Disable proxying on the _acme-challenge record (set to DNS Only / grey cloud).
Disable Cloudflare's Universal SSL to avoid certificate conflicts.

Deep subdomains

Cloudflare's free Universal SSL only covers first-level subdomains (*.yourdomain.com). If you use a deeper subdomain like api.staging.yourdomain.com with Cloudflare proxying enabled, you need Cloudflare's Advanced Certificate Manager or must disable proxying for that record.

TCP proxying

For non-HTTP services (databases, gRPC without HTTP/2, custom protocols), Outpost supports TCP proxying:

Navigate to your service's Settings tab.
Under Public Networking, enable TCP Proxy and specify the target port.
Outpost generates a domain:port pair for your TCP traffic.

HTTP and TCP are mutually exclusive

A single service cannot expose both HTTP (custom domain) and TCP networking simultaneously. Remove one before enabling the other. If your use case requires both, deploy separate services.

Plan limits

Plan	Custom domains per service
Trial	1
Hobby	2
Pro	10 (increase available on request)

Subdomain counts

`yourdomain.com` and `www.yourdomain.com` count as two separate custom domains.

Troubleshooting

Domain not verifying. Ensure your DNS record points to the exact target provided by Outpost. Check for typos and confirm propagation with dig or an online DNS checker.

ERR_TOO_MANY_REDIRECTS. If using Cloudflare with proxying enabled, set SSL/TLS mode to Full or above.

Wildcard certificate not issuing. Verify that the _acme-challenge CNAME exists and is not proxied (DNS Only mode).

Freenom domains. Freenom domains (.tk, .ml, .ga, .cf, .gq) are not supported.

Next steps

Deploy a Service — configuration and deployment guide
Autoscaling — CoDel algorithm, replica policies, scale-to-zero

Previous → Autoscaling

Next Overview →