Configure Cloudflare as Reverse Proxy

Limited Access

Your Auth0 subscription plan and the login method you choose can affect feature availability. To learn more, read:

To set up Cloudflare as a reverse proxy, a Cloudflare Enterprise Plan with the following features is required:

Host Header Override: To learn more, read Using Page Rules to Re-Write Host Headers in Cloudflare documentation
True-Client-IP Header: To learn more, read What is True-Client-IP? in Cloudflare documentation

Auth0 recommends turning off CNAME flattening unless it's strictly necessary, according to the Cloudflare documentation, Understand and configure CNAME flattening. CNAME flattening for Auth0 managed certificates is an unsupported configuration and as such may cause the custom domain to break without notice if CNAME flattening is enabled.

If you need to enable CNAME flattening for all subdomains managed by Cloudfare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read Delegating Subdomains Outside of Cloudflare in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.

Configure Custom Domains with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.
Configure a CNAME setup with Cloudflare.
Once Cloudflare has verified your domain, log in to the Cloudflare Dashboard.

Create a new Cloudflare Page Rule with the following settings:

Setting	Entry
Host Header Override	`YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.auth0.com` Replace `<CUSTOM_DOMAIN_ID>` with the custom domain ID from the Origin Domain Name that you received from Auth0. If your tenants are not in the US region, use one of the following: EU: `YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.eu.auth0.com` AU: `YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.au.auth0.com`
True-Client-IP	Enable

Create and deploy a new Cloudflare Worker for the configured CNAME using the following script:

addEventListener('fetch', event => {
    event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
    request = new Request(request)
    request.headers.set('cname-api-key', '<YOUR_CNAME_API_KEY>')
    return await fetch(request)
}

Was this helpful?/

Replace <YOUR_CNAME_API_KEY> with the cname-api-key you received from Auth0.

Use the Management API Update Custom Domain Configuration patch endpoint with the following in the body:

{
  "tls_policy": "recommended",
  "custom_client_ip_header": "true-client-ip"
}

Was this helpful?/

Docs