Domains and DNS
AI Admin Panel manages domain routing for all deployed services. Every service gets an automatic subdomain, and customers can optionally attach custom domains.
Automatic Subdomains
When a service is deployed, it automatically receives a subdomain:
https://{service-name}.{panel-domain}
For example, if your panel domain is panel.example.com and you deploy a service named my-app:
https://my-app.panel.example.com
This works because:
- A wildcard DNS record (
*.panel.example.com) points to your server - Traefik matches the hostname and routes to the correct container
- Let's Encrypt issues an SSL certificate for the subdomain
No manual DNS configuration is needed for subdomains.
Custom Domains
Customers can attach custom domains to their services. For example, mapping app.acme.com to a deployed service.
Setup Process
- Navigate to the service detail page
- Click Settings > Custom Domain
- Enter the custom domain (e.g.,
app.acme.com) - The panel displays a CNAME record to create:
app.acme.com CNAME my-app.panel.example.com - Create the CNAME record in the custom domain's DNS provider
- Click Verify — the panel checks DNS resolution
- Once verified, Traefik provisions an SSL certificate for the custom domain
SSL for Custom Domains
Traefik automatically issues a Let's Encrypt certificate for verified custom domains using the HTTP-01 challenge. The domain must resolve to your server for the challenge to succeed.
Multiple Custom Domains
A service can have multiple custom domains. Each domain gets its own SSL certificate and Traefik route.
Cloudflare DNS Integration
When configured, the panel automates DNS record management through the Cloudflare API.
What It Does
For each deployed service, the panel:
- Creates an A record pointing
{service-name}.{panel-domain}to the server IP - When a service is deleted, removes the corresponding DNS record
- Optionally enables Cloudflare proxy (orange cloud) on created records
Configuration
Set these environment variables in /opt/aiadminpanel/.env:
CF_DNS_API_TOKEN=your-cloudflare-api-token
CF_ZONE_ID=your-zone-id # Optional — auto-detected if token has zone:read
CF_PROXIED=false # Set to true to enable Cloudflare proxy
Creating the API Token
In the Cloudflare dashboard:
- Go to My Profile > API Tokens > Create Token
- Use the Edit zone DNS template
- Set permissions:
- Zone > DNS > Edit
- Zone > Zone > Read (for auto-detection of zone ID)
- Set zone resources to your specific domain
- Click Create Token and copy the token
With vs. Without Cloudflare
| Feature | With Cloudflare | Without Cloudflare |
|---|---|---|
| DNS record creation | Automatic | Manual (wildcard covers subdomains) |
| DNS record cleanup | Automatic on delete | Manual |
| Per-service records | Yes | No (wildcard only) |
| CDN/DDoS protection | Available (if proxied) | No |
| Custom domain DNS | Still manual (different zone) | Manual |
Cloudflare Proxy Considerations
If CF_PROXIED=true:
- Traffic routes through Cloudflare's CDN and DDoS protection
- Cloudflare terminates SSL and re-encrypts to your server
- WebSocket connections work but require Cloudflare's WebSocket support
- Real client IPs are in the
CF-Connecting-IPheader
If CF_PROXIED=false:
- DNS-only mode — Cloudflare resolves the domain but does not proxy traffic
- Direct SSL from Let's Encrypt
- Lower latency for real-time applications
DNS Troubleshooting
Subdomain not resolving
# Check wildcard DNS
dig +short *.panel.example.com
# Should return your server IP
If empty, verify the wildcard A record exists in your DNS provider.
Custom domain verification failing
# Check CNAME record
dig +short app.acme.com CNAME
# Should return: my-app.panel.example.com
Ensure the CNAME points to the service's subdomain, not the server IP.
SSL certificate not issuing
Check Traefik logs:
docker logs aiadminpanel_traefik | grep -i "acme\|certificate"
Common causes:
- DNS not yet propagated (wait a few minutes)
- Let's Encrypt rate limits (5 certificates per domain per week for non-wildcard)
- Port 80 blocked (required for HTTP-01 challenge)