Configure Cloudflare as Reverse Proxy
Availability varies by Auth0 plan
Your Auth0 plan or custom agreement affects the availability of this feature. To learn more, read Auth0's Pricing Page.
To set up Cloudflare as a reverse proxy using the recommended approach, a Cloudflare Enterprise Plan with the following features is required:
| Feature | Description |
|---|---|
| Host Header Override | Rewrite Host headers using different Cloudflare rules. To learn more, read Rewrite Host headers on Cloudflare Docs. |
| True-Client-IP Header | Enabling the True-Client-IP Header adds the True-Client-IP header to all requests to your origin server, which includes the end user’s IP address. To learn more, read Understanding the True-Client-IP Header on Cloudflare Docs. |
Configure Cloudflare
As a prerequisite, the parent domain for your chosen custom domain must be added and activated within the Cloudflare dashboard. Also, confirm that your desired custom domain does not already exist within your Cloudflare zone. If it already exists, Cloudflare verification will fail.
To configure Cloudflare as a reverse proxy, you’ll need to create a CNAME record, a Page Rule, and a Transform Rule in Cloudflare.
Configure and verify a Custom Domain with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.
In the Cloudflare dashboard for the target zone, create a CNAME record with the following settings:
Setting Value Name The custom domain name. Target The Origin Domain Name value recorded earlier. Proxy Status ProxiedCreate a Page Rule scoped to all URLs under the chosen custom domain and with the following settings:
Setting Value Host Header Override The Origin Domain Name value recorded earlier. True-Client-IP EnableSwitch to the Modify Request Header view.
Select Create Rule and provide a name of your choice.
Under When incoming requests match, select Custom filter expression and set an expression that scopes the Rule to requests associated with the chosen custom domain. For example, use an exact match on the Hostname field.
Under Modify request header, select Set static, and then set the following fields:
Field Value Header name cname-api-keyValue The cname-api-key value recorded earlier.
Ensure that Always Use HTTPS is enabled and encryption mode is set, at least, to Full for your chosen custom domain.
While it is possible to use Cloudflare Workers instead of Page and Transform rules to set up a reverse proxy that meets the requirements for a self-managed certificate custom domain, we recommend using the rules-based approach because it eliminates the need for custom code.
Configure Auth0
Call the Auth0 Management API Update custom domain configuration endpoint with the following payload in the body:
{
"custom_client_ip_header": "true-client-ip"
}Was this helpful?