Docs

How UnifySSL works.

UnifySSL is a control plane for a fleet of Caddy edge nodes. You run the nodes; UnifySSL generates and deploys their config, automates TLS, and shows you what's happening. Here's the shape of it.

The model

Everything hangs off an organization → app → site → route hierarchy. A route is a matcher-to-handler pair (the same idea as Caddy's JSON). Nodes are a shared, platform-level fleet; a site is placed on nodes via a selector. Postgres is the source of truth, and the running Caddy config is always generated from it, never hand-edited.

Add a node — provision or adopt

Provision a fresh server through the dashboard and UnifySSL boots it with the fleet Caddy build (Caddy plus the bundled plugins) and a lightweight agent. Or adopt a server you already run: point UnifySSL at it over SSH and it reads the running config, imports it into the editable model, and installs the agent next to your existing Caddy — nothing is disrupted.

Standardize an adopted node

Adopted nodes can keep running their own Caddy build. When you want feature parity with the fleet (JA4 fingerprinting, rate-limiting, the DNS plugins), Standardize walks the config to confirm every module it uses is covered, builds a matching Caddy with exactly those plugins, and swaps the binary in place — validating the new binary against the running config before any change, with automatic rollback if anything goes wrong. No rip-and-replace.
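The module-coverage check described above can be sketched as follows. This is an added example, not UnifySSL's code: it walks only the HTTP handlers and matchers of a Caddy JSON config (TLS issuers, DNS providers and other apps are left out), and the sample config, the candidate module list and all function names are constructed for illustration.

```python
import json

# Constructed sample config (not from a real node): one server, a nested
# subroute, and a rate_limit handler missing from the candidate build below.
SAMPLE_CONFIG = json.loads("""
{"apps": {"http": {"servers": {"edge": {"routes": [
  {"match": [{"host": ["example.com"], "path": ["/api/*"]}],
   "handle": [
     {"handler": "rate_limit"},
     {"handler": "subroute", "routes": [
       {"match": [{"remote_ip": {"ranges": ["10.0.0.0/8"]}}],
        "handle": [{"handler": "reverse_proxy",
                    "upstreams": [{"dial": "127.0.0.1:8080"}]}]}
     ]}
   ]}
]}}}}}
""")

# Constructed stand-in for the module IDs a candidate binary reports
# (for example, the output of `caddy list-modules`).
CANDIDATE_BUILD = {
    "http.handlers.subroute", "http.handlers.reverse_proxy",
    "http.matchers.host", "http.matchers.path", "http.matchers.remote_ip",
}

def modules_in_routes(routes):
    """Collect handler and matcher module IDs, recursing into nested routes."""
    used = set()
    for route in routes or []:
        for matcher_set in route.get("match", []):
            used.update(f"http.matchers.{name}" for name in matcher_set)
        for handler in route.get("handle", []):
            used.add(f"http.handlers.{handler['handler']}")
            used |= modules_in_routes(handler.get("routes"))
    return used

def used_modules(config):
    """Module IDs referenced by every HTTP server in a Caddy JSON config."""
    servers = config.get("apps", {}).get("http", {}).get("servers", {})
    return set().union(*(modules_in_routes(s.get("routes")) for s in servers.values()))

def missing_modules(config, available):
    """Modules the config needs that the candidate build lacks, sorted."""
    return sorted(used_modules(config) - set(available))

if __name__ == "__main__":
    gaps = missing_modules(SAMPLE_CONFIG, CANDIDATE_BUILD)
    print("safe to swap" if not gaps else f"refuse swap, missing: {gaps}")
```

A non-empty result is the signal to stop before touching the binary: the running config references a module the new build could not load.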

Domains, TLS & routing

Add a domain and prove control with a TXT record; UnifySSL handles certificate issuance and renewal automatically (Let's Encrypt or ZeroSSL, on-demand and gated to verified domains). Then route it: reverse-proxy to your backends, redirect, rewrite, set headers — point-and-click, or raw Caddy JSON when you need it. Stage changes, then deploy to the fleet with one click; every deploy is versioned and rollback-able.

Firewall & observability

A built-in edge firewall blocks by country, network (ASN), path pattern, IP, or rate, with automatic suggestions from real scanner traffic and an optional auto-block. Every request is logged and enriched (geo, network, JA4, risk score) at ingest, powering the Traffic, Threats, and Logs views — so you can see who's probing, what they're hitting, and whether it's blocked, across every node.

Node install endpoints

Nodes bootstrap from three endpoints served by the control plane: GET /install.sh (the installer run at provision time), GET /install/agent?arch=… (the cross-compiled agent), and GET /install/caddy?arch=… (the fleet Caddy build with bundled plugins). The agent dials home over HTTPS — your Caddy admin API never leaves the node.

Get started

Create an account, add your first domain, and point a node at it. Questions? Talk to us.