Sandbox: production preview URL setup guide for subdomains, request flow, and troubleshooting

[ask-bonk]

All 10 changes from the issue have been implemented. Here is a summary of what was done and my review findings:

Changes implemented

src/content/docs/sandbox/guides/production-deployment.mdx

1. DNS record section split into tabs -- Apex domain (*) vs. Subdomain (*.sandbox) with clear explanations of how preview URLs differ in each case.
2. Worker routes section split into matching tabs -- Apex (*.yourdomain.com/*) vs. Subdomain (*.sandbox.yourdomain.com/*).
3. TLS warning added inside subdomain tab -- A :::caution block directly in the subdomain DNS setup path so developers cannot miss it.
4. HTTPS container error added to Troubleshooting.
5. Error 1016 and Error 522 added to Troubleshooting with sandbox-specific guidance.
6. "How preview URL requests flow" section added between the intro and Prerequisites, explaining the 5-step request path.

src/content/docs/sandbox/concepts/preview-urls.mdx

7. Request flow expanded -- Replaced the terse one-line description with a detailed flow diagram and explanation about TLS termination at the edge.
8. HTTPS servers added to "What Does Not Work" list.
9. "Container HTTPS Error" troubleshooting subsection added with common causes (Node.js https.createServer, framework HTTPS flags, proxy trust).
10. HTTPS bullet in Security section rewritten -- Now clearly distinguishes apex (Universal SSL works) vs. subdomain (needs additional cert), instead of the misleading "certificates are provisioned automatically" phrasing.

Items flagged for human review

1. Advanced Certificate Manager pricing ($10/month): This price appears only in the sandbox docs and nowhere in the official ACM documentation (/ssl/edge-certificates/advanced-certificate-manager/). The ACM docs do not list any specific price. I preserved the $10/month figure since it was already in the existing page and the issue explicitly includes it, but this should be verified against current pricing and may go stale. Consider linking to a pricing page instead of hardcoding the amount.

2. Error message text "Connecting to a container using HTTPS is not currently supported": This exact error string comes from the issue author (who is a Cloudflare employee on the Sandbox team), so it is likely accurate. However, I could not verify this error string exists in any public documentation or source code in the docs repo. If the error message text changes in the SDK, the docs will need updating.

3. exposed.exposedAt vs exposed.url: The Verify section in production-deployment.mdx uses exposed.exposedAt while the preview-urls.mdx page uses exposed.url. Both were already present in the existing docs before my changes, but this inconsistency may confuse developers. Worth checking which is the current API.

4. Step 5 of the request flow ("Container: The Durable Object forwards the request to the service inside your container over an internal connection (HTTP)"): The claim that transport between the Durable Object and container is "already secure within Cloudflare's network" is architecturally reasonable but is a security claim I cannot independently verify from the docs. It was stated in the issue by a Cloudflare engineer, so it is likely accurate.

Closes #28381

github run

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/docs/sandbox/	@whoiskatrin, @ghostwriternr, @cloudflare/pcx-technical-writing, @cloudflare/ai-agents

[irvinebroque]

/bonk please remove the part about ACM pricing. Omit the specific error text. Please research the correct API for previews

[irvinebroque]

/bonk please review this line. Think we can frame it better than this — traffic from the Worker to the Container is already encrypted and secure. This needs to just point out that you dont need to use HTTPS yourself, that securing communication between worker and container is already handled by Cloudflare

[irvinebroque]

/bonk y u no bonk

[ask-bonk]

Here is a summary of all changes made:

Changes applied (2 files, 3 categories)

1. Removed ACM pricing ($10/month) — 3 occurrences across 2 files

• production-deployment.mdx:25 — Removed ($10/month) from ACM bullet in TLS caution
• production-deployment.mdx:78 — Removed ($10/month) from subdomain TLS caution block
• preview-urls.mdx:199 — Removed ($10/month) and added a proper link to the ACM docs page instead of just mentioning it by name

2. Omitted specific error text — 2 occurrences across 2 files

• preview-urls.mdx:246 — Replaced the verbatim error string "Connecting to a container using HTTPS is not currently supported; use HTTP instead" with a generic description: "If you receive an error when connecting to your container..."
• production-deployment.mdx:167 — Replaced the quoted error string in the troubleshooting bullet with a bold label Container HTTPS error (matching the heading style in preview-urls.mdx)

3. Fixed exposePort() return property — 1 occurrence

• production-deployment.mdx:155 — Changed exposed.exposedAt to exposed.url

Research finding on the API: The exposePort() method returns an ExposePortResponse with a url property (per the API reference at sandbox/api/ports.mdx line 34 and the SDK quick reference). The exposedAt property belongs to the getExposedPorts() response shape, not exposePort(). This was an existing inconsistency across several docs pages — I fixed the one occurrence in this PR's scope.

github run

[irvinebroque]

/bonk please link to the relevant Cloudflare docs for these two errors, 522 and 1016. We shouldn't explain them in depth here. We should link to sources of truth. And we shouldn't say that this often happens when creating or changing records.

[ask-bonk]

Here's what I changed:

• Error 1016: Replaced the inline explanation with a link to /support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/error-1016/. Kept only the sandbox-specific DNS guidance (wildcard record name must be *.sandbox for subdomains).
• Error 522: Replaced the inline explanation with a link to /support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522/. Removed the "This often happens temporarily after creating or changing DNS records and routes" language. Kept only the sandbox-specific advice about proxyToSandbox() and the 192.0.2.0 origin.

github run

[irvinebroque]

/bonk please make updates to this PR based on the feedback below:

Sandbox docs PR #28382 — additional changes

PR: #28382

The PR covers the DNS/TLS/routing issues well. The gap is in the Container HTTPS Error troubleshooting: it assumes the server itself is listening on HTTPS, when the more common failure (especially with Next.js) is the container producing HTTPS redirect URLs that workerd follows internally.

Context: the redirect-following mechanism

The container binding (containerFetch) follows HTTP redirects by default (redirect: "follow"). If the application inside the container responds with 302 Location: https://..., workerd follows the redirect internally and fails at container.c++:149 because https:// connections to containers aren't supported.

This happens even when the server serves plain HTTP, because:

1. proxyToSandbox() sets X-Forwarded-Proto: https on requests to the container
2. Frameworks like Next.js read this header and construct internal URLs with https://
3. Middleware or auth libraries construct redirect URLs from these internal URLs
4. The redirect Location header contains an absolute https:// URL
5. workerd follows the redirect and rejects the https:// scheme

Changes to make

1. Expand the "Container HTTPS Error" troubleshooting bullet in production-deployment.mdx

The current text:

Container HTTPS error: Your service inside the sandbox is using HTTPS (for example, Node.js https.createServer() or a framework with --https enabled). Configure it to serve plain HTTP instead. Cloudflare terminates TLS at the edge, so the browser connects over HTTPS, but the internal connection to your container uses HTTP. This is the same model as running behind any reverse proxy. If your framework checks the protocol and redirects HTTP to HTTPS, configure it to trust the proxy (for example, app.set('trust proxy', 1) in Express).

Add a second paragraph after the existing text:

This error also occurs when your application responds with an HTTP redirect to an https:// URL. The container binding follows redirects by default. If your framework middleware or auth library constructs redirect URLs using the X-Forwarded-Proto header (which proxyToSandbox() sets to https), the Location header may contain an absolute https:// URL that fails when followed. To debug, pass redirect: "manual" to your containerFetch call and log the Location header. To fix, use relative paths in redirects, or set your auth library's base URL to the container's internal HTTP address (for example, NEXTAUTH_URL=http://localhost:3001 for NextAuth).

2. Expand the "Container HTTPS Error" troubleshooting section in preview-urls.mdx

The current section lists three common causes. Add a fourth:

- Auth middleware or framework middleware producing HTTPS redirect URLs. `proxyToSandbox()` sets `X-Forwarded-Proto: https` on requests to your container. Frameworks like Next.js read this header and construct internal URLs with `https://`. If your middleware redirects using these URLs, the `Location` header may contain an absolute `https://` URL. The container binding follows redirects by default and rejects the `https://` scheme. To fix, use relative paths in redirects, or set your auth library's base URL to the container's internal HTTP address (for example, `NEXTAUTH_URL=http://localhost:3001`).

Then add a Next.js-specific subsection after the common causes:

#### Next.js

Next.js reads the `X-Forwarded-Proto` header and uses it to construct internal URLs. When running `next dev` behind a Sandbox preview URL:

- Middleware receives `request.url` with `https://` protocol
- Auth libraries (NextAuth, Auth.js, Clerk) may construct redirect URLs using this protocol
- Server Actions that call `redirect()` trigger an internal self-fetch using the HTTPS protocol

To fix:

- Set your auth library's base URL to the container's internal address: `NEXTAUTH_URL=http://localhost:3001` or `AUTH_URL=http://localhost:3001`
- If using Server Actions with redirects, set `__NEXT_PRIVATE_ORIGIN=http://localhost:3001` as an environment variable in the container
- Use relative paths in middleware redirects instead of constructing URLs from `request.url`

3. Add redirect: "manual" debugging tip to production-deployment.mdx troubleshooting

Add a new troubleshooting bullet:

- **Debugging container HTTPS errors**: The container binding follows HTTP redirects by default. If your application redirects to an `https://` URL (for example, auth middleware redirecting to a sign-in page), the binding follows the redirect internally and fails. To debug, pass `redirect: "manual"` to your `containerFetch` call and log the response status and `Location` header to see what URL your application is producing.

4. Mention redirect behavior in Step 5 of "How preview URL requests flow"

The current text:

Container: The Durable Object forwards the request to the service inside your container over an internal connection (HTTP -- TLS is not needed because the transport is already secure within Cloudflare's network).

Add after that sentence:

If your service responds with an HTTP redirect, the container binding follows it automatically. If the redirect Location header contains an https:// URL, the request fails. To prevent this, ensure your application produces HTTP or relative redirect URLs, or pass redirect: "manual" in your Worker to handle redirects yourself.

5. Expand Step 4 of "How preview URL requests flow" to mention X-Forwarded-Proto

The current text:

proxyToSandbox(): Your Worker calls proxyToSandbox(), which extracts the sandbox ID and port from the hostname and routes the request to the correct Durable Object.

Replace with:

proxyToSandbox(): Your Worker calls proxyToSandbox(), which extracts the sandbox ID and port from the hostname, rewrites the URL to http://localhost:{port}, and forwards the request to the correct Durable Object. It sets X-Forwarded-Proto: https so your application can detect the original protocol.

[ask-bonk]

All 5 changes have been applied and committed:

Summary of changes

production-deployment.mdx (3 changes):

1. Change 1 — Expanded the "Container HTTPS error" troubleshooting bullet with a second paragraph about redirect-following behavior, X-Forwarded-Proto, and the redirect: "manual" debugging approach.
2. Change 3 — Added a new "Debugging container HTTPS errors" troubleshooting bullet explaining how to use redirect: "manual" to inspect Location headers.
3. Changes 4 & 5 — Updated Step 4 to mention that proxyToSandbox() rewrites URLs to http://localhost:{port} and sets X-Forwarded-Proto: https. Updated Step 5 to document the redirect-following behavior and how https:// redirect URLs cause failures.

preview-urls.mdx (1 change):
4. Change 2 — Added a fourth bullet to the Container HTTPS Error common causes list about auth/framework middleware producing HTTPS redirect URLs. Added a Next.js-specific subsection covering NEXTAUTH_URL, AUTH_URL, __NEXT_PRIVATE_ORIGIN, and relative path redirects.

github run

[ask-bonk]

The comment /bonk y u no bonk is the reviewer expressing frustration that the bot didn't respond to a previous /bonk command on this line. Looking at the review context, this was posted at 2026-02-16T23:54:07Z on the diff line showing the "Container HTTPS error" troubleshooting bullet.

There's no actionable code change request in this comment — it's a meta-complaint about the bot not triggering on a previous invocation. The diff context shows the line where contractions were removed (won't -> will not) and — was changed to --, which are style fixes that were already applied.

Since there's no specific content change being requested here, there's nothing for me to do. The reviewer was just noting that a prior /bonk command on this line didn't get picked up by the automation.

github run

[irvinebroque]

/bonk can you create a mermaid diagram of this request flow based on the description in this section?

Please don't yet add it to the docs but just leave it here as a comment and put it in a markdown block to render

[ask-bonk]

Here's the mermaid diagram for the preview URL request flow:

```mermaid
sequenceDiagram
    participant Browser
    participant DNS
    participant Edge as Cloudflare Edge (TLS)
    participant Route as Worker Route
    participant Worker as Worker (proxyToSandbox)
    participant DO as Durable Object
    participant Container as Container (HTTP)

    Browser->>DNS: Resolve 8080-my-sandbox-abc123.yourdomain.com
    DNS-->>Browser: *.yourdomain.com → Cloudflare proxy IP

    Browser->>Edge: HTTPS request
    Edge->>Edge: Terminate TLS using domain certificate
    Edge-->>Browser: Secure HTTPS connection established

    Edge->>Route: Forward request
    Route->>Route: Match *.yourdomain.com/*
    Route->>Worker: Dispatch to Worker

    Worker->>Worker: Extract sandbox ID & port from hostname
    Worker->>Worker: Rewrite URL to http://localhost:{port}
    Worker->>Worker: Set X-Forwarded-Proto: https
    Worker->>DO: Forward request to Durable Object

    DO->>Container: HTTP request (internal, already secure)
    Container-->>DO: HTTP response
    DO-->>Worker: Response
    Worker-->>Edge: Response
    Edge-->>Browser: HTTPS response

    Note over DO,Container: If container responds with 302 Location: https://...<br/>the binding follows the redirect and fails.<br/>Use redirect: "manual" to debug.
```

This covers all 5 steps from the section: DNS resolution → TLS termination at the edge → worker route matching → proxyToSandbox() extracting the sandbox ID/port and setting X-Forwarded-Proto → the Durable Object forwarding over internal HTTP to the container, with the note about the redirect-following pitfall.

github run

[github-actions]

Preview URL: https://a90ee497.preview.developers.cloudflare.com
Preview Branch URL: https://opencode-issue28381-20260216232233.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/sandbox/guides/production-deployment/	https://opencode-issue28381-20260216232233.preview.developers.cloudflare.com/sandbox/guides/production-deployment/
https://developers.cloudflare.com/sandbox/concepts/preview-urls/	https://opencode-issue28381-20260216232233.preview.developers.cloudflare.com/sandbox/concepts/preview-urls/

[irvinebroque]

/bonk please substantiate this claim by researching the Next.js codebase (https://github.com/vercel/next.js) and linking to relevant context

[irvinebroque]

/bonk this should be clear that you should do this only in the context of local dev within the sandbox, in a context where TLS is handled by the proxy in front

[irvinebroque]

/bonk please add the mermaid diagram you created on a previous comment to the docs, in the relevant section

[ask-bonk]

Research: Next.js X-Forwarded-Proto handling — source code substantiation

I investigated the Next.js codebase (vercel/next.js, canary branch) to substantiate each claim in this section. All claims are confirmed. Here are the relevant source locations:

---

Claim 1: "Next.js reads the X-Forwarded-Proto header and uses it to construct internal URLs"

packages/next/src/server/lib/router-utils/resolve-routes.ts (source):

const protocol =
  (req?.socket as TLSSocket)?.encrypted ||
  req.headers['x-forwarded-proto']?.includes('https')
    ? 'https'
    : 'http'

const initUrl = opts.port
  ? `${protocol}://${formatHostname(opts.hostname || 'localhost')}:${opts.port}${req.url}`
  : req.url || ''

addRequestMeta(req, 'initURL', initUrl)
addRequestMeta(req, 'initProtocol', protocol)

This is the primary location. The protocol is derived from x-forwarded-proto and stored as initProtocol in request metadata, then used to construct initUrl.

packages/next/src/server/base-server.ts (source) also reads it:

const xForwardedProto = originalRequest?.headers['x-forwarded-proto']
const isHttps = xForwardedProto
  ? xForwardedProto === 'https'
  : !!(originalRequest?.socket as TLSSocket)?.encrypted
req.headers['x-forwarded-proto'] ??= isHttps ? 'https' : 'http'

---

Claim 2: "Middleware receives request.url with https:// protocol"

packages/next/src/server/next-server.ts — runMiddleware method (source):

url = `${getRequestMeta(params.request, 'initProtocol')}://${
  this.fetchHostname || 'localhost'
}:${this.port}${locale ? `/${locale}` : ''}${params.parsed.pathname}${
  query ? `?${query}` : ''
}`

The middleware request URL is constructed using initProtocol (from x-forwarded-proto). If a proxy set X-Forwarded-Proto: https, middleware's request.url will have an https:// scheme.

---

Claim 3: "Server Actions that call redirect() trigger an internal self-fetch using the HTTPS protocol"

packages/next/src/server/app-render/action-handler.ts — createRedirectRenderResult (source):

const proto =
  getRequestMeta(req, 'initProtocol')?.replace(/:+$/, '') || 'https'

const origin =
  process.env.__NEXT_PRIVATE_ORIGIN || `${proto}://${originalHost.value}`

const fetchUrl = new URL(
  `${origin}${appRelativeRedirectUrl.pathname}${appRelativeRedirectUrl.search}`
)

const response = await fetch(fetchUrl, { method: 'GET', headers: forwardedHeaders, ... })

When a Server Action calls redirect(), Next.js performs a self-fetch to the redirect target to stream an RSC response. The fetch URL uses initProtocol (derived from x-forwarded-proto) with a fallback to 'https'. If the proxy set X-Forwarded-Proto: https, this internal fetch goes to https://host/..., which fails if the server only listens on HTTP.

The same pattern exists in createForwardedActionResponse in the same file.

---

Claim 4: __NEXT_PRIVATE_ORIGIN controls the origin for internal requests

packages/next/src/server/lib/start-server.ts (source):

const protocol = selfSignedCertificate ? 'https' : 'http'
const appUrl = `${protocol}://${formattedHostname}:${port}`
process.env.__NEXT_PRIVATE_ORIGIN = appUrl

Next.js sets __NEXT_PRIVATE_ORIGIN at startup to the actual listen address. In action-handler.ts, __NEXT_PRIVATE_ORIGIN takes precedence over the initProtocol-derived origin:

const origin = process.env.__NEXT_PRIVATE_ORIGIN || `${proto}://${originalHost.value}`

Setting __NEXT_PRIVATE_ORIGIN=http://localhost:3001 overrides the HTTPS protocol for internal self-fetches, which is the recommended fix for running behind a reverse proxy like Sandbox.

---

The chain of events in a Sandbox context

1. Browser request arrives at Cloudflare edge over HTTPS
2. proxyToSandbox() forwards to the container, setting X-Forwarded-Proto: https
3. Next.js reads this header in resolve-routes.ts → initProtocol = 'https'
4. Middleware receives request.url with https:// scheme (from next-server.ts)
5. Server Action redirect() constructs a self-fetch URL using https:// (from action-handler.ts)
6. The container binding follows this redirect internally and rejects the https:// scheme
7. Fix: Set __NEXT_PRIVATE_ORIGIN=http://localhost:3001 so internal fetches use HTTP

All claims in the docs section are substantiated by the Next.js source code.

[ask-bonk]

All claims in the Next.js section at line 257 are substantiated by the Next.js source code. I posted a detailed review comment on the PR with links to four key files in vercel/next.js:

1. resolve-routes.ts — reads x-forwarded-proto header and stores it as initProtocol in request metadata
2. next-server.ts — runMiddleware constructs request.url using initProtocol, so middleware sees https:// when X-Forwarded-Proto: https is set
3. action-handler.ts — createRedirectRenderResult and createForwardedActionResponse use initProtocol (with a fallback to 'https') to construct internal self-fetch URLs for Server Action redirects. __NEXT_PRIVATE_ORIGIN takes precedence if set.
4. start-server.ts — sets __NEXT_PRIVATE_ORIGIN to the actual listen address at startup

The documentation's recommendation to set __NEXT_PRIVATE_ORIGIN=http://localhost:3001 is the correct fix — it overrides the x-forwarded-proto-derived protocol for internal self-fetches.

github run

[irvinebroque]

/bonk please take your findings about Next.js and the links, and add links where relevant to the documentation where we call out this Next.js behavior. This should help the reader understand where in Next.js this behavior happens

[ask-bonk]

Added the mermaid sequence diagram to the "How preview URL requests flow" section in production-deployment.mdx:39-72. The diagram visualizes all 5 steps of the request flow:

1. DNS resolution of the wildcard hostname
2. TLS termination at the Cloudflare edge
3. Worker route matching
4. proxyToSandbox() extracting sandbox ID/port, rewriting to HTTP, and setting X-Forwarded-Proto
5. Durable Object forwarding to the container over internal HTTP

It also includes a note about the redirect-following pitfall where https:// Location headers cause failures.

github run

[irvinebroque]

/bonk this screenshot shows that it doesnt work to have tabs for Apex and subdomain, because the component within it also has tabs, so it looks weird. Please restructure the docs so that the Apex and subdomain examples are separate, rather than being tabbed.

[irvinebroque]

/bonk please take your findings about Next.js and the links, and add links where relevant to the documentation where we call out this Next.js behavior. This should help the reader understand where in Next.js this behavior happens

[ask-bonk]

The structure looks clean. The "Apex domain" and "Subdomain" examples are now under separate H4 headings (####) instead of being inside <Tabs>/<TabItem> components. This eliminates the nested-tabs problem where <WranglerConfig> (which renders its own TOML/JSON tabs) was nested inside the Apex/Subdomain tabs.

Changes made to production-deployment.mdx:

1. DNS section: Replaced <Tabs>/<TabItem> with #### Apex domain and #### Subdomain headings
2. Worker Routes section: Same replacement -- separate #### Apex domain and #### Subdomain headings, so the <WranglerConfig> tabs render cleanly without nesting
3. Import: Removed unused Tabs, TabItem from the import statement (only WranglerConfig remains)

github run