Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.phala.com/llms.txt

Use this file to discover all available pages before exploring further.

This guide shows you how to expose HTTP services from your Docker containers to the public internet with automatic HTTPS.

Prerequisites

  • A Phala Cloud account
  • A Docker image that runs an HTTP service

Step 1: Define Your Service

Create a docker-compose.yml file with port mapping: 
services:
  api:
    image: your-image:latest
    ports:
      - "8080:3000"  # Maps container port 3000 to public port 8080
The format is "HOST_PORT:CONTAINER_PORT", following standard Docker behavior:
  • HOST_PORT: The port number that appears in your public URL
  • CONTAINER_PORT: The port your application listens on inside the container

Step 2: Deploy Your Service

  1. Open the Phala Cloud Dashboard
  2. Click “Create CVM”
  3. Select “docker-compose.yml” deployment method
  4. Paste your configuration
  5. Add any secure environment variables if needed
  6. Click “Deploy”

Step 3: Access Your Endpoint

After deployment completes, find your endpoint in the Network tab: 
https://<app-id>-8080.dstack-prod5.phala.network
Click the link to test your service. The connection is automatically secured with TLS.

Multiple Ports Per Service

A single service can expose any number of ports, just like in Docker: 
services:
  app:
    image: my-app:latest
    ports:
      - "3000:3000"  # Web interface
      - "8080:8080"  # API endpoint
      - "9090:9090"  # Metrics endpoint
      - "4000:4000"  # WebSocket server
This creates four public endpoints for the same service:
  • https://<app-id>-3000.dstack-prod5.phala.network
  • https://<app-id>-8080.dstack-prod5.phala.network
  • https://<app-id>-9090.dstack-prod5.phala.network
  • https://<app-id>-4000.dstack-prod5.phala.network

Multiple Services Example

You can also deploy multiple services, each with their own ports: 
services:
  frontend:
    image: my-frontend:latest
    ports:
      - "3000:3000"  # Frontend on port 3000
  
  api:
    image: my-api:latest
    ports:
      - "8080:8080"  # API on port 8080
      - "8081:8081"  # API admin on port 8081
    environment:
      DATABASE_URL: ${DATABASE_URL}
  
  admin:
    image: my-admin:latest
    ports:
      - "9000:9000"  # Admin panel on port 9000

Health Checks

Add health checks to ensure your service is ready before receiving traffic: 
services:
  api:
    image: your-image:latest
    ports:
      - "8080:3000"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

Internal Communication

Services within the same deployment can communicate using service names: 
services:
  frontend:
    image: my-frontend:latest
    ports:
      - "3000:3000"
    environment:
      API_URL: http://api:8080  # Internal communication
  
  api:
    image: my-api:latest
    ports:
      - "8080:8080"
The frontend can reach the API at http://api:8080 internally, while external users access it at https://<app-id>-8080.dstack-prod5.phala.network.

Zero-Trust Security

All traffic follows zero-trust principles:
  • External traffic arrives encrypted via TLS at the gateway
  • The gateway forwards it through WireGuard tunnels to your CVM
  • Only your code inside the TEE can decrypt and see the traffic
  • Not even Phala Cloud operators or you as the developer can inspect the traffic
  • The hardware-based isolation ensures complete privacy
This means your application handles sensitive data with true confidentiality. Credit cards, API keys, personal information - all remain private to your code alone.

Security Notes

  • All external traffic is encrypted with TLS
  • Internal service-to-service communication uses the Docker network
  • Don’t expose ports you don’t need public access to
  • Use secure environment variables for sensitive data

Next Steps