Custom domains


Published tunnels can now use a hostname from a domain you control, instead of an address under the rstream tunnel namespace.

Register the hostname from the project dashboard, publish the ownership and traffic records shown there, and wait for DNS verification. The project engine then obtains and renews the certificate before the hostname can be used by an edge-terminated tunnel. Certificate state remains visible separately from DNS verification, including provisioning and renewal failures.

Custom hostnames work with published HTTP, TLS, QUIC, and DTLS tunnels. TLS passthrough remains possible when the upstream service must present its own certificate. In both cases, the engine checks that the authenticated project owns the requested hostname before opening the route.

This release supports individual hostnames through TLS-ALPN-01 validation on TCP port 443. Custom domains are available to Pro and Enterprise projects. DNS-01 validation is not supported yet, so wildcard hostnames cannot be registered.

See Custom Domains for DNS records, certificate states, tunnel commands, and TLS passthrough behavior.