feat(cloudflare): native Cloudflare integration — credentials, Tunnel publishing, Access (zero-trust)#116
Open
AminDhouib wants to merge 8 commits into
Open
feat(cloudflare): native Cloudflare integration — credentials, Tunnel publishing, Access (zero-trust)#116AminDhouib wants to merge 8 commits into
AminDhouib wants to merge 8 commits into
Conversation
Org-scoped Cloudflare integration: a settings page to store a scoped API token + account ID (and optional default tunnel), a Test Connection action, and full CRUD. All procedures are admin-gated; the API token is redacted from responses and never logged; account id is URL-encoded; mutations are audit-logged. (cherry picked from commit 6b15591)
Closes Dokploy#4309 Publish a domain through Cloudflare Tunnel (origin stays closed): upserts a per-host ingress rule + proxied CNAME, via a Dokploy-managed shared connector or an existing remotely-managed tunnel. Idempotent with compensating cleanup and DB-backed no-clobber guards; teardown precedes domain-row deletion across single/cascade/import paths; admin-gated; tested. (cherry picked from commit 817d66b)
Closes Dokploy#4515 Optionally gate a Cloudflare-published domain behind a Cloudflare Access self-hosted app (email / email-domain allow rules, configurable session). Adds org-level defaults plus protect-by-default and require-protected policy (admins can override), a lockout guard, fail-closed integration selection, and an update pre-flight. Idempotent, admin-gated, tested. (cherry picked from commit 698c3a6)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ports Dokploy#4528, Dokploy#4531, Dokploy#4532 by @maxsam4 (Mudit Gupta).
A native, org-scoped Cloudflare integration delivered upstream as three stacked PRs, cherry-picked in order with upstream per-commit authorship preserved. Each upstream feature commit is paired with a fork-regenerated migration (slots 0192–0194).
What's included
cloudflaretable (scoped API token + account id), a Settings → "Cloudflare Tunnel & Access" page (add / test / edit / remove), atestConnectionaction, and acloudflarepermission resource wired like the other org-level admin resources (owner/admin only; every procedureadminProcedure-gated). The API token is write-only and redacted on read.Fork adaptations (authored by us, in separate commits)
whentimestamps set to sort strictly after all existing fork migrations; LF line endings.forward-auth.test.ts(fork) andcloudflare-redirect-suppression.test.ts(upstream) for the union of the fork'sforwardAuthEnabledand the new Cloudflare domain columns.cloudflare.alllist query excludesapiTokenat the query level (columns: { apiToken: false }), matching the fork's registry-password convention, rather than fetch-then-redact.Security notes (class-level)
The Cloudflare API token is a stored secret. It is write-only from the dashboard, redacted on every client-facing return, excluded from the list query at the DB layer, and never placed in thrown error messages or logs (the API client derives error text only from Cloudflare's structured error array). Account id is URL-encoded before use in API paths. All mutations are admin-gated and audit-logged.
Preserved fork divergences
The fork's sslip.io generated-domain branding and the network-management (
networkIds) service-spec attach path are untouched. The only change toutils/traefik/domain.tsandutils/docker/domain.tsis suppressing the web→websecure redirect for Cloudflare-published domains (they terminate TLS at the edge and reach Traefik over plain HTTP).Verification
pnpm --filter=dokploy run typecheck— clean (0 errors) in a fresh worktree.wss/readValidDirectory,application.real— Windows/Linux-only) and are unrelated to this change. Cloudflare suite: 52/52.