Configure Cloudflare for Use as Reverse Proxy

Feature availability

Auth0 custom domains are available with any paid subscription plan. If you want to manage the SSL/TLS certificates yourself, you will need an Enterprise subscription. For more information refer to Auth0 pricing plans.

To set up Cloudflare as a reverse proxy, a Cloudflare Enterprise Plan with the following features is required:

  1. Complete the steps on Configure Custom Domains with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.
  2. Configure a CNAME setup with Cloudflare.
  3. Once Cloudflare has verified your domain, log in to the Cloudflare Dashboard.
  4. Create a new Cloudflare Page Rule with the following settings:
     • Host Header Override: Enter YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.auth0.com, replacing <CUSTOM_DOMAIN_ID> with the custom domain ID from the Origin Domain Name you received from Auth0. If your tenants are not in the US region, use one of the following:
         • EU: YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.eu.auth0.com
         • AU: YOUR_TENANT.<CUSTOM_DOMAIN_ID>.edge.tenants.au.auth0.com
     • True-Client-IP: Select Enable.
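  5. Next, create and deploy a new Cloudflare Worker for the configured CNAME using the following script. Replace <CNAME_API_KEY_VALUE> below with the cname-api-key you received from Auth0:

     // Route every request that reaches the Worker through handleRequest.
     addEventListener('fetch', event => {
         event.respondWith(handleRequest(event.request))
     })

     async function handleRequest(request) {
         // Copy the incoming request so that its headers can be modified.
         request = new Request(request)
         // Add the key Auth0 issued for the custom domain; set() replaces any existing value.
         request.headers.set('cname-api-key', '<CNAME_API_KEY_VALUE>')
         // Forward the modified request to the origin.
         return await fetch(request)
     }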
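
The following is an added example, not Auth0's script: the same header injection with the key read from a Worker secret instead of being written into the source, and a fail-closed response when the secret is missing. The binding name CNAME_API_KEY, the helper names and the injectable upstream parameter are assumptions made for the example.

```javascript
// Added example (not Auth0's script). Assumes the cname-api-key is stored as a
// Worker secret exposed to the script as the global CNAME_API_KEY (assumed name).
const KEY_HEADER = 'cname-api-key'

// Return a mutable copy of the request that carries the key.
function withCnameApiKey(request, apiKey) {
    if (typeof apiKey !== 'string' || apiKey.trim() === '') {
        throw new Error('cname-api-key secret is not configured')
    }
    const proxied = new Request(request)
    // set() replaces any cname-api-key value supplied by the client.
    proxied.headers.set(KEY_HEADER, apiKey)
    return proxied
}

// upstream defaults to fetch; it is a parameter so the handler can be
// exercised offline with a stub.
async function handleRequest(request, apiKey, upstream = fetch) {
    let proxied
    try {
        proxied = withCnameApiKey(request, apiKey)
    } catch (err) {
        // Fail closed: never forward a request without the key.
        return new Response('Reverse proxy is misconfigured', { status: 500 })
    }
    return upstream(proxied)
}

// Worker wiring, same service-worker syntax as the script above.
if (typeof addEventListener === 'function') {
    addEventListener('fetch', event => {
        const key = typeof CNAME_API_KEY === 'undefined' ? undefined : CNAME_API_KEY
        event.respondWith(handleRequest(event.request, key))
    })
}
```
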

Configure Auth0

Once you've configured Cloudflare, you'll need to contact Auth0. Auth0 will enable your tenant to accept the True-Client-IP header as the remote client IP address.
