ArylLabs/Docs
DocsPage

Custom Domains & SSL Architecture

Learn how ArylLabs securely manages Custom Domains with automatic SSL provisioning.

1. Custom Hostname SSL Provisioning

ArylLabs uses Custom Hostnames with automatic SSL to provide seamless SSL certificates for custom domains. When you add a domain and point it to custom.aryl.app, a DV (Domain Validated) SSL certificate is automatically provisioned — no manual configuration required.

sequenceDiagram participant User participant CF as Edge Network participant Worker as ArylHive Worker participant DB as D1 Database User->>CF: Request https://example.com CF->>CF: SSL auto-provisioned via Custom Hostname CF->>Worker: Forward request with Host: example.com Worker->>DB: Query custom_domains DB-->>Worker: Resolve to project Worker-->>User: Serve site content

2. Edge Router Resolution Logic

When a user connects to a custom domain (e.g., https://my-blog.com), the Edge Router needs to understand which internal project it belongs to.

  • The Edge Controller reads the Host header of the incoming request.
  • Instead of the standard subdomain project.aryl.app, the script identifies it as an external custom domain.
  • It queries the Turso Edge Database by matching against the domain column in our lookup tables.
  • Once the project is resolved, the deployment logic resumes normally.
flowchart TD Req[Incoming Edge Request] Parse{Parse Host Header} Parse -- "*.aryl.app" --> SubCheck[Resolve by Subdomain] Parse -- "Custom Apex/Subdomain" --> DomainCheck[Resolve by Custom Domain] SubCheck --> Turso[(Turso Fast Query)] DomainCheck --> Turso Turso --> CacheLogic[Edge Routing & Zip Extraction Pipeline]

3. DNS & Domain Ownership Verification

To protect against domain hijacking and ensure reliable routing:

  • Subdomains: Add a CNAME record pointing to custom.aryl.app.
  • Apex/Root Domains: Add A records pointing to our IP addresses (shown in your dashboard). If your DNS provider supports CNAME flattening, you can use a CNAME instead.

4. Advanced: Wildcard Propagation

The platform fallback endpoints (*.aryl.app and *.aryl.cloud) utilize wildcard DNS and wildcard Universal SSL. This means that a user instantly gets HTTPS coverage the exact millisecond they create a new project—there is no waiting for SSL propagation on default hostnames.

Next: Learn How to Connect a Custom Domain →