Cloudflare IPv4 proxy
DollarBox is IPv6-only, so IPv4-only clients cannot connect to your container directly. Cloudflare's proxy solves this: it accepts traffic on Cloudflare's anycast IPv4 and IPv6 addresses, then connects back to your container over IPv6. Your service becomes reachable from the IPv4 internet without paying for a dedicated IPv4 address.
This page covers HTTP and HTTPS web services.
What you need
- A running container with a stable public IPv6 address, shown on the container detail page.
- A domain whose nameservers are delegated to Cloudflare.
- The container serving its own TLS on port 443. This page uses Cloudflare's Full (strict) mode, which requires a valid certificate on the origin. See the HTTPS notes for how DollarBox handles TLS.
Set up the proxied DNS record
In the Cloudflare dashboard, add an AAAA record for the hostname you want to serve, pointing at the container's IPv6 address, and set the proxy status to Proxied (the orange cloud).
| Type | Name | Value | Proxy status |
|---|---|---|---|
AAAA | app | 2a01:4f8:c2c:1234::5 | Proxied |
This is the key difference from a direct AAAA record: there, the record is DNS-only and clients connect straight to your IPv6 address. Here, the record is proxied, so Cloudflare answers on its own IPv4 and IPv6 edge and forwards to your origin.
TLS: Full (strict)
Set the zone's SSL/TLS mode to Full (strict). Cloudflare terminates TLS for clients at the edge and opens a second TLS connection to your origin over IPv6, verifying the origin certificate.
The cleanest way to satisfy this on an IPv6-only origin is a Cloudflare Origin CA certificate: issue one from the dashboard (SSL/TLS → Origin Server), install it on your container's server, and Full (strict) is satisfied. This avoids Let's Encrypt HTTP-01 validation, which is unreliable over IPv6-only paths. If you prefer a publicly trusted certificate, DNS-01 with Let's Encrypt also works.
Verify it
Confirm the hostname now resolves to Cloudflare's IPv4 edge and serves your content over IPv4:
dig A app.example.com
curl -4 https://app.example.com/
Your container is still reachable directly over IPv6 for testing:
curl -6 https://app.example.com/
To test the raw origin address directly, wrap it in brackets:
curl -6 https://[2a01:4f8:c2c:1234::5]/
What this does and doesn't cover
This covers HTTP and HTTPS. Cloudflare's standard proxy does not forward arbitrary TCP or UDP ports — for non-web protocols you need Cloudflare Spectrum (a paid product) or direct IPv6 access.
A proxied record hides your origin IPv6 address from public DNS, but the container must remain reachable over IPv6 from Cloudflare for the proxy to work.