Which origins are allowed
An origin in Paradarum is just a host string plus an optional Host Header and an SSL-verify boolean. This page is the complete reference for what that host string may contain.
:::info No origin types
There is no origin-type enum and no S3 / cloud-bucket origin kind. The "type" of an origin is implied entirely by the scheme prefix you put in the host (for example https://). Everything is expressed through the single host value.
:::
Accepted host forms
The origin host field accepts a broad set of forms. All of the following are valid:
| Form | Example | Notes |
|---|---|---|
| Plain hostname | example.com | Must have a TLD of 2+ letters. |
| Hostname with port | origin.example.com:8080 | Any port is accepted. |
| IPv4 | 127.0.0.1 | No private-IP blocking (see below). |
| IPv4 with port | 127.0.0.1:4000 | |
| IPv6 in brackets | [::1] | IPv6 literals must be wrapped in square brackets. |
| IPv6 with port/zone | [fe80::ea9f:80ff:fe46:cbfd%eth0]:443 | Zone identifiers are allowed inside the brackets. |
localhost | localhost:4000 | The only bare single-word host allowed. |
http:// scheme | http://localhost:4000 | |
https:// scheme | https://example.com | Use this (or :443) for a TLS origin on 443. |
h2c:// scheme | h2c://127.0.0.1 | Server only — see the warning below. |
| Unix socket | unix//var/php.sock | Prefix unix/. Passed through untouched, no port appended. |
| Port range | localhost:8001-8006 | A :port may be followed by a -port range suffix. |
:::warning h2c:// is server-side only
The CDN's normalizer accepts h2c:// (cleartext HTTP/2), but the panel's client-side validator only matches an optional https?:// prefix. If you type an h2c:// origin in the panel it will fail client validation even though the server would accept it.
:::
Port normalization
If the host has no scheme and no port, the API appends :80:
example.com -> example.com:80
origin.example.com -> origin.example.com:80
:::danger Plain hostnames default to port 80
A bare example.com becomes example.com:80 — even if you intended an HTTPS origin. To reach a TLS origin on 443 you must be explicit:
example.com:443
https://example.com
:::
Unix sockets (unix/…) skip port normalization entirely and are passed through as-is.
No private-IP restriction
There is no private-IP / RFC 1918 blocking on the validator. The following are all accepted host formats:
localhost
127.0.0.1
10.0.0.5
192.168.1.20
[fe80::1%eth0]
This makes loopback, LAN, and link-local origins valid — useful for sidecar and same-host backends, but be deliberate about what you point at.
Rejected forms
- A bare single-word host other than
localhost(for examplebackendwith no dot) is rejected — domain names need a TLD of 2 or more letters. - Values that don't match the accepted forms above show
Invalid hostname format!in the panel.
Putting it together
A full origin update sends the host plus its companion fields:
{
"host": "https://backend.example.com:8443",
"hostHeader": "backend.example.com",
"sslVerify": true,
"isEnabled": true
}
PUT this to https://api.paradarum.com/api/Property/{propertyId}/origins/{id}?accountId={accountId}. Only host, hostHeader, sslVerify, and isEnabled are persisted.
Related
- Origin server and Host header — the General-tab UI, the Host Header override, and SSL verification.
- Origin Shield — put a central cache node in front of the origin.