Proxy and SSL controls reference
| Control | What it does | When to use it |
|---|---|---|
| SSL Status | Shows whether the current certificate covers the domain | Check after connecting a domain, changing DNS, or seeing a browser certificate warning |
| Resync Proxy | Refreshes the route, upstream target, and certificate request | Use after changing DNS, connected project, port, proxy rules, or SSL state |
| Renew / Resync | Rechecks certificate coverage and expiry from the SSL tab | Use when HTTPS is missing, expired, or issued for the wrong hostname |
| Force HTTPS | Redirects plain HTTP traffic to HTTPS | Enable for production domains once SSL coverage is confirmed |
| Force www Redirect | Sends www.yourdomain.com traffic to the root domain | Enable when you want one canonical hostname and no duplicate www traffic |
Proxy route controls reference
These controls apply before traffic reaches your project container.

| Setting | What it changes |
|---|---|
| WebSocket Support | Allows upgrade requests for realtime apps, dashboards, terminals, and streaming responses |
| Security Headers | Adds baseline browser protection headers from the edge |
| Maintenance Mode | Returns a controlled maintenance response without deleting the project route |
| Rate Limiting | Throttles abusive clients by route, IP, or domain |
| WAF Checks | Blocks common SQL injection, XSS, path traversal, and bad bot patterns |
| Allowed / Blocked IPs | Restricts access by IP address or CIDR range |
| Allowed / Blocked Countries | Restricts access by country code |
| HTTP Methods | Allows or blocks methods such as GET, POST, PUT, or DELETE |
| Content Types | Limits accepted request content types for the route |
| Request Headers | Adds controlled headers before traffic reaches your app |
| Response Headers | Adds controlled headers before responses leave the proxy |
| Circuit Breaker | Temporarily pauses routing after repeated upstream failures |
| Retry Upstream Errors | Retries temporary 502, 503, and 504 upstream responses |
| In-flight Limit | Caps concurrent requests for the route |
Enable WebSocket support
Enable WebSocket Support when your app uses upgrade requests — realtime events, terminals, collaborative dashboards, or streaming connections. Without it, the proxy drops WebSocket handshakes and the connection fails silently.
If it still fails after enabling WebSocket Support, check:
- The project port in settings matches the port your app listens on.
- The app server binds to `0.0.0.0`, not only `localhost` or `127.0.0.1`.
- The latest deployment is healthy with no crash loops.
- Runtime logs do not show WebSocket server errors.
- The browser is connecting to the correct `https://` hostname (not HTTP).
Set up IP, country, method, and content-type access rules
Use access rules when a domain should only accept traffic from specific networks, geographic regions, HTTP methods, or content types. Rules can be configured as allowlists (only permit listed values) or blocklists (deny listed values).

Available rules
| Rule | Use it for |
|---|---|
| Allowed IPs | Private dashboards, admin panels, and internal tools |
| Blocked IPs | Known abusive clients or networks |
| Allowed Countries | Region-restricted products or private launches |
| Blocked Countries | Reducing traffic from regions you do not serve |
| Allowed Methods | APIs that should only accept specific HTTP methods |
| Blocked Methods | Preventing unused methods like TRACE or DELETE |
| Allowed Content Types | Restricting uploads or API request bodies to known formats |
| Blocked Content Types | Blocking unsupported request formats before they reach your app |

Setup steps
Configure your rules
Add IP addresses, CIDR ranges, country codes, HTTP methods, or content types to the relevant allowlists or blocklists.
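
Before saving a rule set, it helps to replay a few known-good and known-bad requests against it and see which ones would be denied. The following is an added example, not the platform's own code: the evaluation order (a blocklist hit denies, then a non-empty allowlist must match) and the choice to skip the content-type rule for requests without a `Content-Type` header are assumptions, country rules are left out because they need a GeoIP database, and all addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessRules:
    """One allowlist/blocklist pair per rule type in the table above."""
    allowed_ips: list = field(default_factory=list)
    blocked_ips: list = field(default_factory=list)
    allowed_methods: list = field(default_factory=list)
    blocked_methods: list = field(default_factory=list)
    allowed_types: list = field(default_factory=list)
    blocked_types: list = field(default_factory=list)

def ip_matches(ip, entries):
    """True if ip equals an entry or falls inside a CIDR entry."""
    addr = ipaddress.ip_address(ip)
    # strict=False tolerates entries with host bits set, e.g. 203.0.113.7/24
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def listed(value, allowed, blocked, label):
    """Assumed order: a blocklist hit denies; a non-empty allowlist must match."""
    if value in blocked:
        return f"{label} blocked"
    if allowed and value not in allowed:
        return f"{label} not in allowlist"
    return None

def evaluate(rules, ip, method, content_type=""):
    """Return None if the request passes, else the reason it is denied."""
    if ip_matches(ip, rules.blocked_ips):
        return "IP blocked"
    if rules.allowed_ips and not ip_matches(ip, rules.allowed_ips):
        return "IP not in allowlist"
    reason = listed(method.upper(), rules.allowed_methods, rules.blocked_methods, "method")
    # Drop parameters such as "; charset=utf-8" before comparing media types.
    ctype = content_type.split(";")[0].strip().lower()
    if reason is None and ctype:  # assumption: bodiless requests skip this rule
        reason = listed(ctype, rules.allowed_types, rules.blocked_types, "content type")
    return reason

def dry_run(rules, requests):
    """Map each sample request to its denial reason (None means allowed)."""
    return {req: evaluate(rules, *req) for req in requests}

# Constructed sample: an admin panel limited to one office range.
RULES = AccessRules(allowed_ips=["203.0.113.0/24"], blocked_ips=["203.0.113.66"],
                    blocked_methods=["TRACE", "DELETE"], allowed_types=["application/json"])
SAMPLE = [("203.0.113.10", "POST", "application/json; charset=utf-8"),
          ("203.0.113.66", "GET", ""), ("198.51.100.4", "GET", ""),
          ("203.0.113.10", "delete", ""), ("203.0.113.10", "POST", "text/xml")]
```

Calling `dry_run(RULES, SAMPLE)` shows that an IP allowlist denies every address outside it, including IPv6 clients when the list only holds IPv4 ranges.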
Add security headers and maintenance mode
Security Headers add baseline browser protection at the edge: headers like `X-Content-Type-Options`, `X-Frame-Options`, and `Referrer-Policy` are applied to every response without requiring changes to your application code.

Maintenance Mode instructs the proxy to return a controlled response for all incoming traffic while keeping the route intact. Use it during planned deployments or incidents when you want to show users a clear message rather than an error.

Enable Security Headers
Toggle Security Headers on to add baseline browser protection headers to all responses from this route.
Enable Maintenance Mode if needed
Toggle Maintenance Mode on if you want the proxy to return a maintenance response. Set a custom maintenance status code if your use case requires a specific HTTP status.
Add custom request or response headers if needed
Use the Request Headers and Response Headers fields to inject headers consistently at the proxy layer. This is useful for headers your app expects on every request. Avoid adding secrets or private tokens as response headers.
Custom request and response headers added here are applied at the edge proxy and appear on every request or response for this route. Use them for consistent cross-cutting concerns like correlation IDs or permitted origins, not for app-specific logic.
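
After toggling these settings, the response head is the evidence that they took effect. The following added example (not part of the platform or its tooling) audits a captured response head for the three baseline headers named above, flags custom response headers whose names suggest a secret, and checks that a plain-HTTP response is a redirect to HTTPS on the same host. The secret-name pattern is a heuristic assumption, `example.com` is a placeholder, and the sample responses are constructed.

```python
import re

# Baseline headers the page names, each with a check on its value.
BASELINE = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v != "",
}
# Assumed heuristic: header names that usually carry credentials.
SECRET_NAME = re.compile(r"token|secret|api[-_]?key|password", re.I)

def parse_head(raw):
    """Split a raw response head into (status, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_headers(raw):
    """Findings for an HTTPS response; an empty list means it passed."""
    _, headers = parse_head(raw)
    findings = []
    for name, ok in BASELINE.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not ok(headers[name]):
            findings.append(f"unexpected {name}: {headers[name]}")
    findings += [f"possible secret in {n}" for n in headers if SECRET_NAME.search(n)]
    return findings

def forces_https(raw, host):
    """True if a plain-HTTP response redirects to https:// on the same host."""
    status, headers = parse_head(raw)
    target = headers.get("location", "")
    return status in (301, 302, 307, 308) and (
        target == f"https://{host}" or target.startswith(f"https://{host}/"))

# Constructed responses (example.com is a placeholder host).
GOOD = ("HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nReferrer-Policy: strict-origin\r\n")
BAD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n"
       "X-Internal-Api-Key: constructed-value\r\n")
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
```

The functions take the text printed by `curl -sI`, so the same audit can run against a live domain after each resync.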
Protect upstreams with circuit breaker and retries
Use these controls when a project is temporarily unhealthy, overloaded, or returning intermittent errors. They reduce the impact of upstream instability without requiring an immediate redeploy.

Upstream protection controls
| Control | What it does |
|---|---|
| Circuit Breaker | Pauses routing briefly after repeated upstream failures, preventing a flood of requests from hitting an already-unhealthy container |
| Retry Upstream Errors | Automatically retries temporary 502, 503, and 504 responses from the upstream before returning an error to the client |
| In-flight Limit | Caps the number of concurrent requests the proxy will send to the upstream at one time, protecting it from being overwhelmed |

Setup steps
Open the domain
Go to Dashboard > Domains and select the domain connected to the project you want to protect.
Configure upstream protection
Enable the Circuit Breaker, Retry Upstream Errors, and/or In-flight Limit controls as needed for your situation.
Monitor after enabling
Watch the usage and proxy analytics pages after enabling these controls to confirm they are behaving as expected and not masking a deeper issue.
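
The interaction between retries and the circuit breaker is easier to see in a small model. This added example is a toy simulation, not the platform's implementation: the thresholds (`trip_after`, `pause_ticks`, `retries`) are hypothetical, the upstreams are constructed, requests are sequential so the In-flight Limit is not modeled, and time is counted in ticks with one request per tick.

```python
import itertools

RETRYABLE = {502, 503, 504}  # statuses the page lists for Retry Upstream Errors

class Route:
    """Toy model of one proxied route; all thresholds are hypothetical."""
    def __init__(self, upstream, trip_after=3, pause_ticks=5, retries=1):
        self.upstream = upstream        # callable returning an HTTP status
        self.trip_after = trip_after    # consecutive failures that open the breaker
        self.pause_ticks = pause_ticks  # how long routing stays paused
        self.retries = retries
        self.streak = 0
        self.open_until = 0
        self.stats = {"client_errors": 0, "upstream_calls": 0, "upstream_errors": 0}

    def _forward(self, tick):
        if tick < self.open_until:
            return 503                  # breaker open: answered at the edge
        status = 503
        for _ in range(self.retries + 1):
            status = self.upstream()
            self.stats["upstream_calls"] += 1
            if status not in RETRYABLE:
                self.streak = 0
                return status
            self.stats["upstream_errors"] += 1
            self.streak += 1
            if self.streak >= self.trip_after:
                self.open_until = tick + self.pause_ticks
                self.streak = 0
                break
        return status

    def handle(self, tick):
        status = self._forward(tick)
        if status >= 500:
            self.stats["client_errors"] += 1
        return status

def simulate(upstream, ticks=10, **settings):
    """Send one request per tick and return the route's counters."""
    route = Route(upstream, **settings)
    for tick in range(ticks):
        route.handle(tick)
    return route.stats

def flaky():
    """Constructed upstream: every odd-numbered call returns 502."""
    calls = itertools.count(1)
    return lambda: 502 if next(calls) % 2 else 200

def dead():
    """Constructed upstream: always returns 503."""
    return lambda: 503
```

With the flaky upstream, clients see no errors while half of all upstream calls fail, which is the kind of masked issue the monitoring step is meant to catch; with the dead upstream, the breaker cuts upstream calls from 20 to 6 over the same ten requests.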
Common symptoms quick reference
| Symptom | What to check first |
|---|---|
| Browser shows the wrong certificate | Open the SSL tab, then click Resync Proxy |
| `www` does not load | Check the www DNS A record points to Pxxl, then click Resync Proxy |
| HTTP works but HTTPS shows a certificate warning | Confirm SSL coverage is Covered, then enable Force HTTPS only after coverage is confirmed |
| Realtime sockets fail silently | Enable WebSocket Support, save, and resync |
| Legitimate users are being blocked | Review country, IP, method, content-type, and WAF rules for overly broad allowlists or blocklists |
| Domain returns `503` | Check the project port and confirm the upstream is healthy before changing any SSL or proxy rules |
Safe update order
Always follow this sequence when making changes to a domain’s proxy or SSL settings to avoid accidentally taking your domain offline.

Confirm the project connection
Confirm the domain is connected to the correct project and the latest deployment is healthy.
Resync the proxy
Open SSL and click Resync Proxy to establish a clean baseline before making any other changes.
Update proxy controls
Open Settings and make your desired changes — security headers, access rules, upstream protection, etc.
Resync again
Click Resync Proxy a second time so the active route picks up the new settings immediately.
