Exposing a Container App over HTTPS¶
A Fleet is a dedicated resource pool you can deploy multiple things into: game servers, databases, and Container Apps (any Docker image you want to run, with its own CPU/RAM allocation). This guide covers the part people get stuck on: getting a Container App reachable over HTTPS at a real domain, not just an internal address.
The three ways to expose a Container App¶
When you add a Container App to your fleet and turn on Expose over HTTPS, the setup wizard asks how you want the public address to work. There are three modes:
| Mode | What you get | Setup effort |
|---|---|---|
| Free platform subdomain | A free *.zaroz.cloud address with an automatic certificate |
None, no DNS to touch |
| Your own domain (HTTP validation) | HTTPS on a domain you own, certificate issued via an HTTP challenge | Add one DNS record, verified live in the wizard |
| Your own domain (Cloudflare DNS) | HTTPS on a domain you own, works even behind Cloudflare's proxy | Needs a Cloudflare account and a scoped API token |
If you just want something online fast with zero DNS work, pick Free platform subdomain and skip the rest of this guide, there's nothing else to configure. The other two modes are for when you need your own domain.
Option A: Your own domain, HTTP validation¶
This is the simplest way to use a domain you own, as long as that domain isn't sitting behind a proxy (see Option B if it is).
Step 1: pick the mode and enter your domain¶
In the setup wizard, select Your own domain (HTTP validation), then enter the domain on the next screen, for example app.example.com. Just the hostname, not a full URL.
Step 2: point your domain's DNS¶
Just like our other domain-based products, the wizard shows you the exact IP to point at and lets you verify it before moving on:
- The wizard displays a public IP, for example
188.213.7.49. This is the ingress that terminates HTTPS traffic for your app. - Log into your registrar (or wherever you manage DNS for your domain) and add an A record for your domain pointing at that IP.
- Back in the wizard, click Check DNS Now. It does a live lookup and tells you whether it matches, whether it found something else, or whether nothing resolves yet.
Once the check passes (or you're confident propagation just hasn't caught up yet and click Continue anyway), move on to confirm your Container App configuration.
Don't proxy this domain through Cloudflare
HTTP validation needs to reach your domain directly to issue the certificate. If the domain is proxied through Cloudflare (the orange cloud icon), certificate issuance will fail. If you want to keep the domain behind Cloudflare's proxy, use Option B instead, it's built for exactly that case. If our live DNS check notices the domain currently resolves to a Cloudflare IP, it'll flag that specifically rather than a generic mismatch, so you know that's likely what's going on.
Common pitfalls¶
- Same pitfalls as WordPress's DNS setup: wrong DNS zone, propagation delay, typing a URL instead of a bare hostname. See Setting up your WordPress site for the detailed rundown, the underlying DNS step works exactly the same way here.
- No IP shown / "not configured" error. This means the cluster your fleet landed on doesn't have its ingress IP configured on our side. Contact support, it's not something on your end.
Option B: Your own domain, Cloudflare DNS¶
Use this when you want to keep your domain proxied through Cloudflare (orange cloud), or you'd rather not touch DNS records manually at all.
Step 1: pick the mode and enter your details¶
Select Your own domain (Cloudflare DNS). On the next screen you'll need:
- Domain — the domain you want to use, e.g.
app.example.com. - Cloudflare account email — the email on the Cloudflare account that manages this domain's DNS.
- Cloudflare API token — a token scoped to
Zone:DNS:Editfor that domain.
Create a scoped token, not your Global API Key
In the Cloudflare dashboard, go to My Profile → API Tokens → Create Token, and use the Edit zone DNS template scoped to just the domain you're using here. Don't use your account-wide Global API Key, a leaked scoped token can only touch DNS on one zone; a leaked Global Key can touch your entire Cloudflare account.
Step 2: that's it¶
Unlike the HTTP validation mode, there's no DNS record for you to add or verify. We create and manage the DNS record automatically using the API token, and the certificate is issued through Cloudflare's DNS challenge, which also works if the domain is proxied.
Confirm and finish¶
Whichever mode you picked, the confirm screen recaps your image, port, exposure mode, and domain (if applicable). Once you confirm, the app deploys and, for the domain-based modes, certificate issuance follows shortly after DNS is confirmed live.
Frequently asked questions¶
Can I switch modes later?
Yes, reopen your Container App's configuration and go through the HTTPS steps again. Switching away from Cloudflare DNS mode won't remove the DNS record Cloudflare created; delete it yourself if you no longer want it.
Why does HTTP validation need a plain A record, but Cloudflare mode doesn't?
They use different ACME challenge types. HTTP validation proves you control the domain by serving a file at a specific URL on port 80, so the certificate authority needs to reach your server directly, hence no proxy in front. The Cloudflare DNS challenge proves control by creating a TXT record via the API instead, which doesn't care whether HTTP traffic to the domain is proxied.
My API token stopped working after I confirmed setup.
Cloudflare API tokens can expire or be revoked independently of Zaroz. If certificate renewal starts failing, generate a fresh scoped token in the Cloudflare dashboard and update it in your Container App's HTTPS settings.
Do I need a Container App specifically, or does this apply to game servers too?
This guide is specific to Container Apps. Game servers and other fleet members use different exposure mechanisms (ports, SRV records) covered in their own product's docs; see the WordPress guide or the FiveM section for those.