The External tier & CDN caveats (Cloudflare, Bunny, …)
What "External" means as a detected authority tier, how to create the records SpipCP asks for by hand, and the per-provider caveats (Cloudflare orange-cloud, etc.).
External is one of the three authority tiers SpipCP detects for a hostname: its zone lives in DNS that SpipCP holds no credential for — the customer's or registrar's — so SpipCP can't write records automatically. On the Domains inventory an External row shows the detected nameserver (display-only) and the exact records you need to create by hand, then a re-verify action.
External is a property, not a page
There is no longer a separate "External DNS" panel page — External is detected per hostname and shown
on Domains. If you do hold an API credential for the zone, add it under
Providers and the same hostname becomes Connected (records auto-created).
The old /dns/external link redirects to Providers.
Two guided journeys land a hostname in the External tier on purpose, and the Set up surface treats both as first-class, named choices:
- "I'll manage records at my provider myself" — the no-token fork of the Connect a managed provider journey. Your nameservers stay at Cloudflare (or Bunny, deSEC, …), SpipCP holds no credential, and the row shows "NS at cloudflare.com (detected); you manage records there."
- "Bring your own DNS" — the same posture with no provider named: keep DNS wherever it is, attach with the manual driver, paste the record.
Both are the honest do-it-yourself path. The trade they share — no wildcard, per-host HTTP-01 only,
because SpipCP has no credential to write the _acme-challenge TXT — is laid out in full in the
managed-provider fork table.
If your records live at a provider you can hold a credential for (Cloudflare, Bunny, deSEC, Hetzner, Gcore), that's the managed fast path (scenario B/C) — SpipCP writes the records through the provider's API. No nameserver boxes, no glue records. The trade: that provider holds (and can see) your records; for the sovereignty path see Self-hosted DNS.
Everything besides record-writing — sites, certificates, deploys, backups, monitoring — works identically in both postures.
Install the panel with a real hostname
Follow Installation. Because your provider already serves DNS for your
domain, you can create the panel's record before installing — add an A/AAAA record
(e.g. panel → your VPS IP) in the provider's dashboard — and install directly with
SITE_ADDRESS=panel.example.com + TLS_MODE=you@example.com. No IP-first bootstrap needed.
Turn the posture on (and the other one off, if you like)
Networking → Providers → Offer these providers: enable the provider you'll use so it appears in the Add-account picker. (This per-provider switchboard used to be its own "External" page; it now lives on Providers.)
Add the provider account
Networking → Providers → Add account: pick the provider tab and paste an API token. The
dialog shows exactly which token scopes to create per provider (e.g. Cloudflare wants a token
scoped to Zone → DNS → Edit for your zone — never your global API key). The token is encrypted
at rest with MASTER_KEY. Details: Managed DNS providers.
Point the cascade + attach domains
Set the account as the DNS default at the level you want — node, instance, or per-domain (the cascade) — then attach your site's domain. From here the panel writes the records (A/AAAA, wildcard, ACME TXT) automatically as you create sites and issue certs.
Per-provider caveats
| Provider | Caveats worth knowing |
|---|---|
| Cloudflare | Proxied ("orange-cloud") records break TLS-ALPN certificate issuance — the challenge terminates at Cloudflare's edge, not your node. Either keep panel-managed records DNS-only (grey-cloud), or use the DNS-01 lane (which also unlocks wildcards). For on-demand custom customer domains an orange-cloud CNAME does work (HTTP-01 passes through on port 80), with a first-hit 525 until issuance completes — grey-cloud is still recommended. US-based; see recommendations for the EU-first alternatives. |
| Bunny | Bunny DNS is what SpipCP drives. Bunny's CDN pull zones are a separate product — configure them in Bunny's dashboard if wanted; the panel doesn't manage them (yet). |
| deSEC | Non-profit, EU. Strict API rate limits — bulk record churn (many sites at once) can throttle; the panel's writes are modest, but keep it in mind for mass imports. |
| Hetzner | Straightforward zone API. The zone must already exist in Hetzner DNS (delegated there) before the panel can write into it. |
| Gcore | Same shape as Hetzner — delegate first, then the panel writes records. |
Migrating to self-hosted later
Nothing here locks you in. To move to your own nameservers later: stand them up
(Self-hosted DNS), create the zone, re-create your records (the records
editor's Paste many takes a block of name type [ttl] value lines), verify both boxes answer
authoritatively, then re-delegate at your registrar. Disable DNSSEC at the provider first if it
was on, or the domain goes dark on the switch.
Managed DNS providers
Use a managed DNS provider — Cloudflare, Bunny, Hetzner, deSEC, or Gcore — to hold your records without running servers. Pick one, add a credential, select it via the cascade, attach a domain.
SSL/TLS certificates
The full SpipCP certificate matrix — per-host and wildcard, managed and self-hosted, bring-your-own PEM — the fleet cert dashboard, and the passthrough guarantee that TLS terminates on your own node.