DNS Setup

DNS records you need to point at your Avnology ID host.

Every DOMAIN_* variable in your .env.production needs a corresponding A (or AAAA) record pointing to the public IP of your Traefik host. Avnology does not require wildcard DNS; seven (or eight, if you keep the legacy internal-docs host) explicit records are enough.

Replace <YOUR_PUBLIC_IP> with the Traefik host's IPv4 address. If you're running behind a load balancer, use its IP instead.

Required records

Record                       Type  Value             Host line (DOMAIN_*)
api-id.your-company.com      A     <YOUR_PUBLIC_IP>  DOMAIN_API
id.your-company.com          A     <YOUR_PUBLIC_IP>  DOMAIN_WEB
docs-id.your-company.com     A     <YOUR_PUBLIC_IP>  DOMAIN_DOCS
sso-id.your-company.com      A     <YOUR_PUBLIC_IP>  DOMAIN_POLIS
saml-id.your-company.com     A     <YOUR_PUBLIC_IP>  DOMAIN_SAML
grafana-id.your-company.com  A     <YOUR_PUBLIC_IP>  DOMAIN_GRAFANA
minio-id.your-company.com    A     <YOUR_PUBLIC_IP>  DOMAIN_MINIO

Optional -- internal docs redirect

Only keep this if your team has bookmarks pointing at the legacy host from pre-merge days:

Record                             Type  Value             Host line
docs-internal-id.your-company.com  A     <YOUR_PUBLIC_IP>  DOMAIN_DOCS_INTERNAL

Traefik answers requests for this host with a 302 redirect to https://${DOMAIN_DOCS}/internal/<path>, so bookmarks keep working.

IPv6

If your host has a public IPv6 address, add AAAA records in parallel. Traefik and the upstream services are dual-stack out of the box.

TTL recommendations

  • During initial rollout: 300 seconds (5 min).
  • After stable for 7 days: bump to 3600 seconds (1h) or your DNS provider's default.

Validation

Once records propagate (check with dig or your DNS provider's UI), confirm they all resolve to the same IP:

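for host in api-id id docs-id sso-id saml-id grafana-id minio-id; do
  # Capture the answer first so a missing record still prints a complete line
  ip=$(dig +short "$host.your-company.com" A | head -n 1)
  printf '%-30s -> %s\n' "$host.your-company.com" "${ip:-<no A record>}"
done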

All seven lines must print the same address. If any resolve to a Cloudflare / Fastly edge, your provider is proxying -- disable proxy mode (orange-cloud -> grey-cloud) so Traefik can run ACME itself. Alternatively, configure DNS-01 challenges -- see TLS.
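
A stricter form of the validation loop above, as an added example that is not part of the Avnology ID documentation: it compares every host against the expected address, reports missing or mismatched records, and returns non-zero so it can gate a deployment. The function names, the 203.0.113.10 and 198.51.100.7 addresses, and the sample resolver output are constructed for illustration.

```shell
#!/bin/sh
# Added example; hostnames come from the record table above.
# 203.0.113.10 and 198.51.100.7 are constructed documentation addresses.
HOSTS=${HOSTS:-"api-id id docs-id sso-id saml-id grafana-id minio-id"}

# Print "fqdn address" per host for record type $2 (A by default, or AAAA).
# tail -n 1 skips any CNAME lines dig prints first; "-" marks no answer.
resolve_all() {
  domain=$1; rtype=${2:-A}
  for h in $HOSTS; do
    addr=$(dig +short "$h.$domain" "$rtype" | tail -n 1)
    printf '%s %s\n' "$h.$domain" "${addr:--}"
  done
}

# Read "fqdn address" lines on stdin and compare each with the expected IP.
# Returns 0 only when every host resolves to exactly that address.
check_records() {
  expected=$1; rc=0
  while read -r fqdn addr; do
    if [ "$addr" = "-" ]; then
      echo "MISSING  $fqdn"; rc=1
    elif [ "$addr" != "$expected" ]; then
      echo "MISMATCH $fqdn -> $addr (proxied or stale record?)"; rc=1
    else
      echo "OK       $fqdn -> $addr"
    fi
  done
  return "$rc"
}

# Constructed resolver output: one host proxied by a CDN, one not yet created.
sample_records() {
  cat <<'EOF'
api-id.your-company.com 203.0.113.10
id.your-company.com 203.0.113.10
grafana-id.your-company.com 198.51.100.7
minio-id.your-company.com -
EOF
}

# Offline demo on the constructed data; for a live check run:
#   resolve_all your-company.com | check_records <YOUR_PUBLIC_IP>
sample_records | check_records 203.0.113.10 || echo "DNS validation failed"
```

To cover the optional legacy host, set HOSTS to include docs-internal-id before calling resolve_all; pass AAAA as the second argument to check the IPv6 records against the host's IPv6 address.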