High-performance SSL termination proxy with dynamic routing for AlternateFutures services running on Akash Network. Built on Cloudflare's Pingora framework with etcd backend for hot-reload configuration.
| Field | Value |
|---|---|
| DSEQ | 24673191 |
| Provider | DigitalFrontier (akash1aaul837r7en7hpk9wv2svg8u78fdq0t2j2e82z) |
| Dedicated IP | 77.76.13.214 |
| Image | ghcr.io/alternatefutures/infrastructure-proxy-pingap:3c34c45 |
| Status | Running |
Decision: The secrets service (secrets.alternatefutures.ai) runs outside the proxy, connecting directly to its Akash deployment.
Rationale: Infisical holds the secrets for all other services. Keeping it on an independent path provides better resilience - if the proxy has issues, you can still access Infisical to debug and retrieve credentials.
| Service | Routing |
|---|---|
| `secrets.alternatefutures.ai` | Direct to Akash (CNAME + Cloudflare Transform Rule) |
| `auth.alternatefutures.ai` | Through proxy (77.76.13.214) |
| `api.alternatefutures.ai` | Through proxy (77.76.13.214) |
| `app.alternatefutures.ai` | Through proxy (77.76.13.214) |
| `docs.alternatefutures.ai` | Through proxy (77.76.13.214) |
| `alternatefutures.ai` | Through proxy (77.76.13.214) |
This proxy solves two key challenges with Akash Network:
- SSL for custom domains: Akash providers use wildcard certificates for their own domains but cannot provision certificates for tenant custom domains. We use Cloudflare Origin Certificates for end-to-end encryption.
- Dynamic routing without restart: Customer sites deployed to IPFS/Arweave need proxy routes created automatically. The etcd backend enables hot-reload within ~10 seconds.
| Mode | Image Tag | Use Case |
|---|---|---|
| Static | `:main` | Fixed routes in pingap.toml, manual updates |
| Dynamic | `:etcd` | Routes managed via etcd, auto-updated by service-cloud-api |
| Feature | Pingap | Caddy |
|---|---|---|
| Memory usage | ~15MB | ~30MB |
| CPU usage | 70% less | Baseline |
| Hot reload | Native etcd | Requires restart |
| Custom build | No | Yes (xcaddy) |
| Framework | Rust (Pingora) | Go |
```
                        Internet
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│              DNS (Cloudflare + Google + deSEC)              │
└───────────────────────────┬─────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                     SSL Proxy (Pingap)                      │
│   • Cloudflare Origin Certificate (Full Strict)             │
│   • Static routes in pingap.toml                            │
└───────────────────────────┬─────────────────────────────────┘
                            │
            ┌───────────────┼───────────────┐
            ▼               ▼               ▼
       ┌──────────┐    ┌──────────┐    ┌──────────┐
       │ Auth API │    │ GraphQL  │    │ Web App  │
       └──────────┘    │   API    │    └──────────┘
                       └──────────┘
```

```
                        Internet
                            │
       Customer Domains     │     Core Services
       docs.example.com     │     auth.alternatefutures.ai
       mysite.xyz           │     api.alternatefutures.ai
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                     SSL Proxy (Pingap)                      │
│   • Cloudflare Origin Certificate                           │
│   • Dynamic routes from etcd (--autoreload)                 │
│   • Hot-reload ~10 seconds                                  │
└───────────────────────────┬─────────────────────────────────┘
                            │
                       ┌────┴────┐
                       │  etcd   │◄────── service-cloud-api
                       └────┬────┘        (writes routes)
                            │
     ┌──────────────────────┼──────────────────────┐
     ▼                      ▼                      ▼
┌──────────┐           ┌──────────┐           ┌──────────┐
│   IPFS   │           │ Arweave  │           │  Akash   │
│ Gateway  │           │ Gateway  │           │ Services │
└──────────┘           └──────────┘           └──────────┘
```
| File | Purpose |
|---|---|
| `Dockerfile` | Pingap image with etcdctl for dynamic mode |
| `pingap.toml` | Static proxy configuration (bootstrap) |
| `entrypoint-etcd.sh` | Dynamic mode entrypoint (etcd bootstrap + Pingap) |
| `entrypoint.sh` | Static mode entrypoint |
| `deploy-akash.yaml` | Multi-container Akash SDL (etcd + Pingap) |
| `SSL_ARCHITECTURE.md` | Detailed SSL/TLS documentation |
| `Caddyfile` | (Deprecated) Old Caddy config |
When deployed with the :etcd image tag, the proxy uses etcd as a configuration backend. This enables:
- Automatic route creation when sites are deployed via service-cloud-api
- Hot-reload without container restart (~10 second propagation)
- Route persistence across proxy restarts
- Centralized management of all proxy routes
```
/pingap/config/
├── basic.toml                    # Global Pingap settings
├── certificates/
│   └── alternatefutures.toml     # Cloudflare Origin Cert
├── upstreams/
│   ├── ipfs-gateway.toml         # Shared IPFS gateway
│   ├── arweave-gateway.toml
│   ├── auth.toml                 # Core service
│   └── api.toml                  # Core service
├── locations/
│   ├── auth.toml                 # Core route
│   ├── api.toml                  # Core route
│   └── {routeId}.toml            # Customer site routes
└── servers/
    ├── https.toml                # Main HTTPS server
    └── health.toml               # Health check server
```
| Backend Type | Use Case | Upstream |
|---|---|---|
| `IPFS` | Static sites on IPFS | gateway.pinata.cloud with CID rewrite |
| `ARWEAVE` | Permanent sites on Arweave | arweave.net with TX rewrite |
| `AKASH` | Dynamic apps on Akash | Direct to provider URL |
| `FUNCTION` | Serverless functions | Function runtime endpoint |
| `EXTERNAL` | External URLs | Custom upstream |
The ProxyRoutingService in service-cloud-api automatically manages routes:
```
Deployment SUCCESS → handleDeploymentSuccess() → etcd route created
Domain VERIFIED    → handleDomainVerified()    → etcd route created
Site DELETED       → removeRoute()             → etcd route removed
```
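Route IDs and customer hostnames end up as etcd keys and proxy match rules, so whatever writes them decides what the proxy serves. The block below is an added example (not service-cloud-api's code) of validating a customer route before it is written, covering the IPFS and Arweave backend types; the function names, the platform-zone rule and the rewrite path shapes are assumptions.

```javascript
// Added example, not service-cloud-api code. Function and constant names are
// hypothetical; key layout, upstream names and backend types come from the page.
const ETCD_PREFIX = "/pingap/config";
const CORE_ROUTE_IDS = new Set(["auth", "api"]); // locations/auth.toml, locations/api.toml
const PLATFORM_ZONE = "alternatefutures.ai";     // customer routes must not claim this zone

// Per-backend target checks. The rewrite path shapes are assumptions.
const TARGET_RULES = new Map([
  // CIDv0 (Qm + 44 base58 chars) or base32 CIDv1
  ["IPFS", { upstream: "ipfs-gateway",
             re: /^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$/,
             path: (t) => `/ipfs/${t}` }],
  // Arweave transaction ids are 43 base64url characters
  ["ARWEAVE", { upstream: "arweave-gateway",
                re: /^[A-Za-z0-9_-]{43}$/,
                path: (t) => `/${t}` }],
]);

function normalizeHost(host) {
  const h = String(host).trim().toLowerCase().replace(/\.$/, "");
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
  const labels = h.split(".");
  if (h.length > 253 || labels.length < 2 || !labels.every((l) => label.test(l))) {
    throw new Error(`invalid host: ${host}`);
  }
  // A customer route for auth./api. would shadow a core service at the proxy.
  if (h === PLATFORM_ZONE || h.endsWith(`.${PLATFORM_ZONE}`)) {
    throw new Error(`host is inside the platform zone: ${h}`);
  }
  return h;
}

function planCustomerRoute({ routeId, host, backendType, target }) {
  // routeId becomes an etcd key segment: one flat lowercase name, no "/" or ".".
  if (typeof routeId !== "string" || !/^[a-z0-9][a-z0-9-]{0,62}$/.test(routeId)) {
    throw new Error("invalid routeId");
  }
  if (CORE_ROUTE_IDS.has(routeId)) throw new Error("routeId collides with a core route");
  const rule = TARGET_RULES.get(backendType);
  if (!rule) throw new Error(`unsupported backend type: ${backendType}`);
  if (typeof target !== "string" || !rule.re.test(target)) {
    throw new Error(`malformed ${backendType} target`);
  }
  return { key: `${ETCD_PREFIX}/locations/${routeId}.toml`, host: normalizeHost(host),
           upstream: rule.upstream, rewritePath: rule.path(target) };
}
```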
| Domain | Backend |
|---|---|
| `auth.alternatefutures.ai` | Auth service |
| `api.alternatefutures.ai` | GraphQL API |
| `app.alternatefutures.ai` | Web dashboard |
- Cloudflare Account (free tier)
  - Add `alternatefutures.ai` domain
  - Create API token with `Zone:DNS:Edit` permission
  - Zone must be `active` status
- Multi-Provider DNS (see `infrastructure-dns` repo)
  - Cloudflare, Google Cloud DNS, deSEC
  - ACME challenges delegated to Cloudflare
```bash
# Build the image
docker build -t ssl-proxy .
# Run locally
docker run -p 443:443 -p 8080:8080 \
  -e PINGAP_DNS_SERVICE_URL="https://api.cloudflare.com?token=your-token" \
  ssl-proxy
# Health check
curl http://localhost:8080/health
```
- Push to `main` branch triggers build
- Image pushed to `ghcr.io/alternatefutures/infrastructure-proxy-pingap`
- Manual deployment via Akash Console or MCP
```bash
# Using Akash MCP or Console with deploy-akash.yaml
# Set env var:
PINGAP_DNS_SERVICE_URL=https://api.cloudflare.com?token=<CF_API_TOKEN>
```
| Variable | Format | Description |
|---|---|---|
| `PINGAP_DNS_SERVICE_URL` | `https://api.cloudflare.com?token=xxx` | Cloudflare API for DNS-01 |
| Variable | Example | Description |
|---|---|---|
| `PINGAP_ETCD_ADDR` | `http://etcd:2379` | etcd cluster address |
| `PINGAP_ETCD_PREFIX` | `/pingap/config` | Key prefix for config |
| `PINGAP_TLS_CERT` | `-----BEGIN CERT...` | Cloudflare Origin Certificate (PEM) |
| `PINGAP_TLS_KEY` | `-----BEGIN KEY...` | Private key (PEM) |
| `PINGAP_ADMIN_ADDR` | `0.0.0.0:3018` | Admin interface address |
| `ETCD_ROOT_PASSWORD` | (optional) | etcd authentication password |
```bash
curl http://<provider>:<health-port>/health
# Current: http://provider.sa1.pl:32077/health
```
```bash
echo | openssl s_client -connect auth.alternatefutures.ai:443 2>/dev/null | \
  openssl x509 -noout -dates -issuer
```
Via Akash MCP:
```
get-logs with dseq=24576255, provider=akash162gym3szcy9d993gs3tyu0mg2ewcjacen9nwsu
```
- Check Cloudflare zone status is `active` (not `initializing`)
- Verify `PINGAP_DNS_SERVICE_URL` format is correct
- Check logs for ACME errors: `lookup dns txt record of _acme-challenge...`

- Verify backend services are running
- Check backend addresses in `pingap.toml`
- Ensure Akash internal networking allows service-to-service communication
If provider serves old image:
- Change image name (append `-v2`, etc.)
- Or use SHA tag instead of `:main`
- `infrastructure-dns` - Multi-provider DNS management
- `service-auth` - Authentication service
- `service-cloud-api` - GraphQL API