Connection Domains
Domain Format
Every circuit in Horizon is assigned a unique, publicly accessible domain in the format {prefix}.horizon.mutexercloud.com, where the prefix is a system-generated unique identifier that is assigned at creation time and remains constant for the entire lifetime of the circuit. This domain is the entry point for all traffic to the circuit - users, browsers, API clients, and any other HTTP consumers use this URL to reach the backend service. The domain is always served over HTTPS, regardless of whether the backend service uses HTTP or HTTPS internally. The prefix cannot be customized, changed, or selected - it is generated automatically by the platform to ensure uniqueness and prevent conflicts.
How Traffic Flows
The following describes the full traffic flow, which is relevant to performance, security, and troubleshooting considerations. When a client navigates to a circuit's domain ({prefix}.horizon.mutexercloud.com), the browser establishes an HTTPS connection to the Horizon proxy infrastructure in the Mutexer cloud. The proxy terminates the TLS connection (decrypting the request), and then begins evaluating the request against every configured security layer for that circuit. The IP filtering rules check the source address against any configured blacklist or whitelist rules. The country blocking rules geolocate the source IP and verify it does not match a blocked country. The bot detection layer examines the User-Agent header. The access policy checks the requester's identity and authorization level. If the request passes all of these checks, the proxy forwards it through the Mutexer Core API to the Agent running on the target device. The Agent then delivers the request to the internal service at the configured IP address and port, using the configured protocol (HTTP or HTTPS). The backend service processes the request and returns a response, which travels the reverse path: from the service to the Agent, from the Agent through the Core API to the Horizon proxy, and from the proxy back to the client's browser over the encrypted HTTPS connection. Every request - whether allowed or blocked - is logged with comprehensive metadata including the source IP, geolocated country, request path, response status code, action taken, reason for blocking (if applicable), authenticated user (if applicable), and request and response sizes.
DNS and TLS
DNS resolution for all *.horizon.mutexercloud.com domains is managed entirely by the Mutexer platform. No manual creation, modification, or management of DNS records is required - when a circuit is created and enabled, the domain automatically resolves to the Horizon proxy infrastructure. TLS certificates for all Horizon domains are also managed by the platform: certificates are provisioned automatically, renewed before they expire, and configured with modern cipher suites and TLS versions. No manual certificate obtainment, installation, or renewal is required for Horizon circuits. The public-facing connection is always encrypted with HTTPS, providing confidentiality and integrity for all traffic between the client's browser and the Horizon proxy.
Domain Lifecycle
A circuit's domain is active and resolving for as long as the circuit is enabled. When a circuit is disabled (toggled off but not deleted), the domain stops serving traffic - requests will not reach the backend service, though the domain assignment is retained and the circuit can be re-enabled at any time. When a circuit is deleted (either manually or through expiration), the domain permanently stops resolving and the prefix is not reused. A deleted circuit's domain will not be reassigned to another circuit, ensuring that old URLs do not accidentally point to new, unrelated services.