Skip to content

feat(cloudflare): native Cloudflare integration — credentials, Tunnel publishing, Access (zero-trust)#116

Open
AminDhouib wants to merge 8 commits into
canaryfrom
port/upr-4528
Open

feat(cloudflare): native Cloudflare integration — credentials, Tunnel publishing, Access (zero-trust)#116
AminDhouib wants to merge 8 commits into
canaryfrom
port/upr-4528

Conversation

@AminDhouib

Copy link
Copy Markdown
Member

Ports Dokploy#4528, Dokploy#4531, Dokploy#4532 by @maxsam4 (Mudit Gupta).

A native, org-scoped Cloudflare integration delivered upstream as three stacked PRs, cherry-picked in order with upstream per-commit authorship preserved. Each upstream feature commit is paired with a fork-regenerated migration (slots 0192–0194).

What's included

Fork adaptations (authored by us, in separate commits)

  • Migrations regenerated locally into fork slots 0192 (foundation), 0193 (tunnel), 0194 (access) — upstream's 0170–0172 collide with the fork's existing 0170–0174. Regenerated with drizzle-kit against the fork schema; when timestamps set to sort strictly after all existing fork migrations; LF line endings.
  • Domain test mocks completed in forward-auth.test.ts (fork) and cloudflare-redirect-suppression.test.ts (upstream) for the union of the fork's forwardAuthEnabled and the new Cloudflare domain columns.
  • Credential read hardening: the cloudflare.all list query excludes apiToken at the query level (columns: { apiToken: false }), matching the fork's registry-password convention, rather than fetch-then-redact.

Security notes (class-level)

The Cloudflare API token is a stored secret. It is write-only from the dashboard, redacted on every client-facing return, excluded from the list query at the DB layer, and never placed in thrown error messages or logs (the API client derives error text only from Cloudflare's structured error array). Account id is URL-encoded before use in API paths. All mutations are admin-gated and audit-logged.

Preserved fork divergences

The fork's sslip.io generated-domain branding and the network-management (networkIds) service-spec attach path are untouched. The only change to utils/traefik/domain.ts and utils/docker/domain.ts is suppressing the web→websecure redirect for Cloudflare-published domains (they terminate TLS at the edge and reach Traefik over plain HTTP).

Verification

  • pnpm --filter=dokploy run typecheck — clean (0 errors) in a fresh worktree.
  • Full vitest suite: 648/658 pass. The 9 failures are the known environment-only cases (server-setup docker probes, wss/readValidDirectory, application.real — Windows/Linux-only) and are unrelated to this change. Cloudflare suite: 52/52.

maxsam4 and others added 8 commits July 12, 2026 21:31
Org-scoped Cloudflare integration: a settings page to store a scoped API token + account ID (and optional default tunnel), a Test Connection action, and full CRUD. All procedures are admin-gated; the API token is redacted from responses and never logged; account id is URL-encoded; mutations are audit-logged.

(cherry picked from commit 6b15591)
Closes Dokploy#4309

Publish a domain through Cloudflare Tunnel (origin stays closed): upserts a per-host ingress rule + proxied CNAME, via a Dokploy-managed shared connector or an existing remotely-managed tunnel. Idempotent with compensating cleanup and DB-backed no-clobber guards; teardown precedes domain-row deletion across single/cascade/import paths; admin-gated; tested.

(cherry picked from commit 817d66b)
Closes Dokploy#4515

Optionally gate a Cloudflare-published domain behind a Cloudflare Access self-hosted app (email / email-domain allow rules, configurable session). Adds org-level defaults plus protect-by-default and require-protected policy (admins can override), a lockout guard, fail-closed integration selection, and an update pre-flight. Idempotent, admin-gated, tested.

(cherry picked from commit 698c3a6)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants