Using an External Proxy with Alokai

This guide explains how to configure and use an external proxy with the Alokai@Edge feature. Using an external proxy is typically not required, but may be appropriate if you have specific needs—such as supporting a gradual, "page-by-page" migration to Alokai while maintaining your existing proxy solution.

Follow the steps below to restrict access and review important information about certificate management when using an external proxy with Alokai.

Limit access to the Alokai instance

To restrict access to your Alokai@Edge instance (via the technical domain), you can use one or both of the following methods: IP allowlist and header allowlist. Enable at least one of them. Without a restriction, the technical domain is reachable directly from the internet, so anything your proxy enforces (WAF rules, authentication, rate limits) can be bypassed by anyone who discovers the instance name. Note that the instance sees the proxy's egress address as the client, not the original visitor's address, so the IP allowlist must contain the proxy provider's egress ranges.

IP allowlist

Add the IP addresses used by your external proxy provider to the allowlist. Make sure to include all relevant IPs to ensure only traffic from your proxy can access your Alokai@Edge instance. Refer to your proxy provider’s documentation to obtain the complete and up-to-date list of their IP addresses.

For detailed instructions on configuring the IP allowlist, see the article IP Whitelist.

Header allowlist

You can further restrict access to your Alokai@Edge instance by requiring a custom HTTP header on incoming requests. Configure your proxy provider to add this header with a unique, hard-to-guess value to every request forwarded to Alokai. Only requests containing the correct header and value will be allowed access. Treat the value as a shared secret: generate it randomly (32 bytes or more), keep it out of logs and client-visible configuration, and have the proxy overwrite any copy of the header a client may have sent rather than appending to it. Because anyone who learns the value can reach the instance, combining the header allowlist with the IP allowlist is the stronger configuration.

For more information on configuring a header allowlist, see Allow or Block Headers.

Tip: Use a strong, unpredictable header value to enhance security and prevent unauthorized access.

Certificate managed by Alokai

If you are using an external proxy, you should manage the TLS certificate for your custom domain directly on your proxy or load balancer. This approach allows you to provision and install your own certificate, rather than relying on Alokai to handle certificate management for your domain. For secure communication between your proxy and Alokai@Edge, use the technical domain (<instance_name>.i.alokai.cloud) as the upstream instead of your custom domain, so that the certificate Alokai serves on the technical domain validates without any additional configuration.

If you require a custom domain on Alokai@Edge, we strongly recommend managing your own TLS certificate rather than relying on Alokai to handle certificate management. Using a custom TLS certificate gives you full control over security, renewal processes, and compatibility with your infrastructure.

If you cannot use a custom certificate for your domain, we generally recommend the DNS-01 challenge method for certificate issuance and renewal, because it does not require exposing any unauthenticated HTTP endpoint on your external proxy. With DNS-01, you prove control of the domain by creating specific DNS records, so all HTTP traffic can stay fully restricted. This is preferred over HTTP-01 challenges, which require unauthenticated HTTP access to certain paths. DNS-01 does require automated access to your DNS provider, so scope those credentials to the records and zone they actually need.

If using the DNS-01 challenge is not possible, ensure your external proxy is configured to allow ACME HTTP-01 challenge requests.

Allow ACME Challenge Requests on the External Proxy

When using a certificate managed by Alokai, it is essential to allow ACME HTTP-01 challenge requests through your external proxy or load balancer. These requests are made to paths under /.well-known/acme-challenge/ and are required for automated TLS certificate issuance and renewal.

Make sure your external proxy configuration explicitly permits unauthenticated HTTP access to /.well-known/acme-challenge/ so that the ACME provider can reach your Alokai instance as needed. HTTP-to-HTTPS redirect rules and site-wide authentication are the usual causes of failed validations. After changing the configuration, verify from outside your network that a plain HTTP request to http://<custom_domain>/.well-known/acme-challenge/<any-token> is forwarded to Alokai rather than redirected, blocked, or answered by the proxy itself.

Important: Do not block, redirect, or require authentication for requests to the ACME challenge path. Doing so may prevent successful certificate validation and issuance.
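The two decisions this page describes, the edge instance deciding whether a request to the technical domain comes from the proxy (IP allowlist and header allowlist above) and the proxy deciding whether to forward a request from the internet (the ACME exemption in this section), can be written down as a small policy. The block below is an added example and is not Alokai's or any proxy vendor's code; the CIDR ranges, the header name X-Alokai-Proxy-Key and the secret value are constructed placeholders, and the function names are hypothetical. It shows the points that are easy to get wrong: parsing peer addresses rather than trusting X-Forwarded-For, matching the header name case-insensitively, comparing the secret in constant time, letting ACME requests bypass the proxy's own gate while still attaching the header the edge expects, and overwriting rather than appending any client-supplied copy of that header.

```python
import hmac
import ipaddress
from typing import Dict, Tuple

# Constructed values for this example. The CIDR ranges stand in for your proxy
# provider's published egress ranges; the header name and secret are hypothetical
# and would be generated (e.g. secrets.token_urlsafe(32)) and stored out of band.
PROXY_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:10::/48")]
ACCESS_HEADER = "X-Alokai-Proxy-Key"
ACCESS_SECRET = "cD3r9vXq8TzL0pWkN2fHs5aYb7uEjGmR"
ACME_PREFIX = "/.well-known/acme-challenge/"


def ip_allowed(client_ip: str) -> bool:
    """IP allowlist: the TCP peer must fall inside one of the proxy's egress ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable peer address is never allowed
    return any(addr in net for net in PROXY_EGRESS)


def header_allowed(headers: Dict[str, str]) -> bool:
    """Header allowlist: the request must carry the shared-secret header.

    Header names are case-insensitive, so match on the lowercased name; compare the
    value in constant time so response timing does not reveal how much of the secret
    a probe got right.
    """
    wanted = ACCESS_HEADER.lower()
    presented = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), ACCESS_SECRET.encode("utf-8"))


def edge_allows(client_ip: str, headers: Dict[str, str], require_both: bool = True) -> bool:
    """Decision the edge instance takes on a request to its technical domain.

    client_ip must be the actual TCP peer (the proxy's egress address), never a value
    taken from X-Forwarded-For, which any client can set.
    """
    results = (ip_allowed(client_ip), header_allowed(headers))
    return all(results) if require_both else any(results)


def proxy_forward(path: str, headers: Dict[str, str],
                  site_gate_passes: bool) -> Tuple[bool, Dict[str, str]]:
    """Decision the external proxy takes on a request arriving from the internet.

    site_gate_passes is the outcome of whatever the proxy enforces for the site itself
    (WAF, basic auth on a staging host, geo rules). ACME HTTP-01 requests bypass that
    gate because the CA's validators arrive from arbitrary addresses with no credentials.
    Returns (forward, headers_to_send_upstream).
    """
    if not path.startswith(ACME_PREFIX) and not site_gate_passes:
        return False, {}
    # Drop any client-supplied copy of the access header, then set the real value:
    # overwrite, never append, so a client cannot smuggle a second value upstream.
    upstream = {k: v for k, v in headers.items() if k.lower() != ACCESS_HEADER.lower()}
    upstream[ACCESS_HEADER] = ACCESS_SECRET
    return True, upstream
```

Note that the ACME exemption lives only in the proxy's own gate: the challenge request is still forwarded with the secret header, because the edge's header allowlist applies to every request, including the one the CA triggers during validation.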