Configure Cloudflare as Reverse Proxy

Availability varies by Auth0 plan

Your Auth0 plan or custom agreement affects the availability of this feature. To learn more, read Auth0's Pricing Page.

To set up Cloudflare as a reverse proxy using the recommended approach, a Cloudflare Enterprise Plan with the following features is required:

Feature Description
Host Header Override Rewrite Host headers using different Cloudflare rules. To learn more, read Rewrite Host headers on Cloudflare Docs.
True-Client-IP Header Enabling the True-Client-IP Header adds the True-Client-IP header to all requests to your origin server, which includes the end user’s IP address. To learn more, read Understanding the True-Client-IP Header on Cloudflare Docs.

Configure Cloudflare

To configure Cloudflare as a reverse proxy, you’ll need to create a CNAME record, a Page Rule, and a Transform Rule in Cloudflare.

  1. Configure and verify a Custom Domain with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.

  2. In the Cloudflare dashboard for the target zone, create a CNAME record with the following settings:

    Setting Value
    Name The custom domain name.
    Target The Origin Domain Name value recorded earlier.
    Proxy Status Proxied

  3. Create a Page Rule scoped to all URLs under the chosen custom domain and with the following settings:

    Setting Value
    Host Header Override The Origin Domain Name value recorded earlier.
    True-Client-IP Enable

  4. Create a Transform Rule:

    1. Switch to the Modify Request Header view.

    2. Select Create Rule and provide a name of your choice.

    3. Under When incoming requests match, select Custom filter expression and set an expression that scopes the Rule to requests associated with the chosen custom domain. For example, use an exact match on the Hostname field.

    4. Under Modify request header, select Set static, and then set the following fields:

      Field Value
      Header name cname-api-key
      Value The cname-api-key value recorded earlier.

  5. Ensure that Always Use HTTPS is enabled and encryption mode is set, at least, to Full for your chosen custom domain.

Configure Auth0

Call the Auth0 Management API Update custom domain configuration endpoint with the following payload in the body:

  "custom_client_ip_header": "true-client-ip"

Was this helpful?


Learn more