Confidential computing unlocks powerful data‑protection guarantees, but wiring them up for production traffic—complete with domain names, HTTPS, and automatic certificate management—can be tricky. In this guide, we’ll walk you through how to:
- Package your enclave‑hosted service behind Caddy, a zero‑config HTTPS server.
- Auto‑assign a subdomain (e.g. xyz.hostedapp.work) via Marlin’s DNS service.
- Swap in your own custom domain and Caddyfile when needed.
Why This Matters
Seamless TLS: Caddy obtains and renews Let’s Encrypt certificates automatically—no manual certbot steps.
Easy DNS: Marlin’s auto‑DNS service instantly binds a *.hostedapp.work subdomain to your enclave’s IP.
Secure Enclaves: AWS Nitro Enclaves isolate your application and data from the host OS, minimizing attack surface.
Prerequisites
Before you begin, ensure you have:
The oyster-cvm CLI installed and configured with your wallet private key. See Marlin CVM Quickstart.
Deploy Enclave with a domain name
Create the Docker Compose File
Create a Docker Compose file (docker-compose.yml) containing the Auto-TLS service, which registers the enclave with the automatic DNS service and runs a reverse proxy to port 8080. Any application-specific services can be added alongside it, as shown below. Make sure the application images are built for the CPU architecture of the enclave you deploy.
```yaml
services:
  # Service that enables automatic TLS (DNS registration + Caddy reverse proxy)
  Auto-TLS:
    image: marlinorg/dns_caddy_service
    init: true
    network_mode: host
    restart: unless-stopped
    volumes:
      - /app/ecdsa.sec:/app/ecdsa.sec
  # Application specific services come here.
  # Caddy proxies to port 8080, so the application must listen there.
  http-server:
    image: aniket711/http_server:amd64
    init: true
    network_mode: host
    restart: unless-stopped
```
Deploy the enclave
For amd64
```shell
oyster-cvm deploy --wallet-private-key private_key --docker-compose ./docker-compose.yml --instance-type c6a.2xlarge --duration-in-minutes 20 --pcr-preset base/blue/v3.0.0/amd64
```
For arm64
```shell
oyster-cvm deploy --wallet-private-key private_key --duration-in-minutes 15 --docker-compose docker-compose.yml --instance-type r6g.large
```
This command will deploy the enclave and return its public IP once the deployment is complete.
Fetching the Subdomain
To retrieve the assigned subdomain, use the following command:
```shell
curl -X GET https://getmysubdomain.hostedapp.work/subdomain/<ENCLAVE_IP>
```
Replace <ENCLAVE_IP> with the public IP of your enclave.
After the enclave is deployed, wait about one minute for Caddy to be configured and started. You can then open the server in your browser:
```
https://{subdomain}.hostedapp.work
```
This URL will redirect to the enclave-hosted server.
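Once the enclave is up, it is worth confirming the whole chain end to end rather than just loading the page: that the DNS service handed out a subdomain, that Caddy obtained a certificate trusted by the system CA store, and that the certificate actually covers the hostname. The following Python script is an added example; it is not part of the Marlin documentation or the oyster-cvm tool. It assumes the subdomain endpoint returns either the bare subdomain as plain text or a JSON object with a `subdomain` key (an assumption; adjust `parse_subdomain` if the real response differs) and that the machine running it has outbound access to *.hostedapp.work. All function names in it are the example's own.

```python
"""Post-deployment TLS check for an enclave fronted by the Auto-TLS service.

Added example, not code from the Marlin docs. Assumptions:
- getmysubdomain.hostedapp.work returns the subdomain as plain text
  or as JSON {"subdomain": "..."} (assumption; adjust parse_subdomain).
- Outbound HTTPS to *.hostedapp.work is allowed from this machine.
Usage: python check_enclave_tls.py <ENCLAVE_IP>
"""
import ipaddress
import json
import socket
import ssl
import sys
import time
import urllib.request

SUBDOMAIN_API = "https://getmysubdomain.hostedapp.work/subdomain/"
ZONE = "hostedapp.work"
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def subdomain_query_url(enclave_ip: str) -> str:
    """Build the lookup URL, rejecting anything that is not an IP literal."""
    ipaddress.ip_address(enclave_ip)  # raises ValueError on garbage
    return SUBDOMAIN_API + enclave_ip


def parse_subdomain(body: str) -> str:
    """Normalise the lookup response to a single lowercase DNS label."""
    body = body.strip()
    if body.startswith("{"):  # assumed JSON shape
        body = json.loads(body).get("subdomain", "")
    if body.lower().endswith("." + ZONE):  # tolerate an FQDN answer
        body = body[: -len(ZONE) - 1]
    body = body.lower()
    if not body or any(c not in LABEL_CHARS for c in body):
        raise ValueError(f"unexpected subdomain response: {body!r}")
    return body


def enclave_hostname(subdomain: str) -> str:
    return f"{subdomain}.{ZONE}"


def hostname_in_cert(hostname: str, cert: dict) -> bool:
    """True if a DNS SAN in the leaf cert matches the hostname (exact or wildcard)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    return any(
        san == hostname or (san.startswith("*.") and san[2:] == parent)
        for san in sans
    )


def fetch_leaf_cert(hostname: str, timeout: float = 5.0) -> dict:
    """Handshake with chain and hostname verification on; return the leaf cert."""
    ctx = ssl.create_default_context()  # verifies against system CAs
    with socket.create_connection((hostname, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def wait_for_tls(hostname: str, attempts: int = 12, delay: float = 10.0) -> dict:
    """Poll until Caddy has its certificate; the docs say roughly one minute."""
    last_err = None
    for _ in range(attempts):
        try:
            cert = fetch_leaf_cert(hostname)
            # The handshake already verified the name; re-checking the SANs
            # makes the expectation explicit and unit-testable.
            if hostname_in_cert(hostname, cert):
                return cert
            last_err = ValueError(f"certificate does not cover {hostname}")
        except (OSError, ssl.SSLError) as exc:
            last_err = exc
        time.sleep(delay)
    raise RuntimeError(f"{hostname}: TLS never became ready: {last_err}")


def days_until_expiry(cert: dict, now=None) -> float:
    """Days left on the leaf cert; Caddy should renew well before this hits 0."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - (now if now is not None else time.time())) / 86400


def main(enclave_ip: str) -> None:
    with urllib.request.urlopen(subdomain_query_url(enclave_ip), timeout=10) as resp:
        host = enclave_hostname(parse_subdomain(resp.read().decode()))
    cert = wait_for_tls(host)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    print(f"https://{host} OK; issuer={issuer.get('organizationName')}; "
          f"expires in {days_until_expiry(cert):.0f} days")


if __name__ == "__main__":
    main(sys.argv[1])
```

The script deliberately uses `ssl.create_default_context()`, so a self-signed or not-yet-issued certificate fails the handshake instead of being silently accepted; the polling loop turns that failure into a wait, which matches the one-minute warm-up the guide describes. The expiry figure is a quick way to confirm that automatic renewal is actually happening on a long-running enclave.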