Configure Cloudflare as Reverse Proxy

Configure Cloudflare as Reverse Proxy

Availability varies by Auth0 plan and login method

Both the login implementation you use and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read New Universal Login vs. Classic Universal Login and Pricing.

To set up Cloudflare as a reverse proxy, a Cloudflare Enterprise Plan with the following features is required:

CNAME flattening

If you need to enable CNAME flattening for all subdomains managed by Cloudfare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read Delegating Subdomains Outside of Cloudflare in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.

Configure Cloudflare

  1. Configure Custom Domains with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.

  2. Configure a CNAME setup with Cloudflare.

  3. Once Cloudflare has verified your domain, log in to the Cloudflare Dashboard.

  4. Create a new Cloudflare Page Rule with the following settings:

    Setting Entry
    Host Header Override {yourTenant}.<CUSTOM_DOMAIN_ID>
    Replace <CUSTOM_DOMAIN_ID> with the custom domain ID from the Origin Domain Name that you received from Auth0. If your tenants are not in the US region, use one of the following:
    EU: {yourTenant}.<CUSTOM_DOMAIN_ID>
    AU: {yourTenant}.<CUSTOM_DOMAIN_ID>
    True-Client-IP Enable

  5. Create and deploy a new Cloudflare Worker for the configured CNAME using the following script:

    addEventListener('fetch', event => {
    async function handleRequest(request) {
        request = new Request(request)
        request.headers.set('cname-api-key', '<{yourCnameApiKey}>')
        return await fetch(request)

    Was this helpful?


    Replace <YOUR_CNAME_API_KEY> with the cname-api-key you received from Auth0.

Configure Auth0

Use the Management API Update Custom Domain Configuration patch endpoint with the following in the body:

  "custom_client_ip_header": "true-client-ip"

Was this helpful?


Learn more

Was this article helpful?