feat(cloudflare): native Cloudflare Tunnel domain publishing #4529

Closed
maxsam4 wants to merge 2 commits into Dokploy:canary from maxsam4:cf-tunnel-publishing

feat(cloudflare): native Cloudflare Tunnel domain publishing#4529
maxsam4 wants to merge 2 commits into
Dokploy:canaryfrom
maxsam4:cf-tunnel-publishing

Conversation


@maxsam4 maxsam4 commented Jun 1, 2026

What is this PR about?

Part 2 of 3 of a native Cloudflare integration (builds on #4528). Lets a domain be published through a Cloudflare Tunnel — the origin stays closed; traffic enters at Cloudflare's edge and is forwarded to Dokploy's Traefik.

  • A publish toggle provisions a per-host tunnel ingress rule + a proxied CNAME, tagged as Dokploy-managed.
  • Two runtime modes (modes 1 & 2 from [Feature] Native Cloudflare Tunnel integration for domain publishing #4309): a Dokploy-managed shared connector (one cloudflared per server/integration) and an existing remotely-managed tunnel. Per-service sidecar (mode 3) is out of scope here.
  • No-clobber guards: refuses to overwrite a DNS record or ingress route it doesn't own; ownership is DB-backed and the ingress check runs inside a per-tunnel lock. Zone/tunnel listing is paginated for large accounts.
  • Advisory availability pre-check in the domain dialog.
  • Idempotent provision/deprovision across the domain lifecycle and cascade deletes; admin-gated; audit-logged; tested. Migration 0171.

Stacked PR

Stack: #4528 (foundation, merge first) -> this PR -> #4530 (Access). GitHub PRs must target canary, so this diff re-includes #4528 until it merges — please review per-commit and merge after #4528. This is an independent implementation of #4309.

Checklist

  • You created a dedicated branch based on the canary branch.
  • You have read the suggestions in the CONTRIBUTING.md file.
  • You have tested this PR in your local instance. Verified locally (server + app typecheck, Biome, Cloudflare + domain suites) and end-to-end on a live Docker-Swarm instance: published a domain via both a shared connector and an existing tunnel, verified DNS/ingress creation, no-clobber refusal on a foreign record, and clean teardown.

Issues related (if applicable)

Closes #4309

maxsam4 and others added 2 commits June 1, 2026 12:00
Adds an organization-scoped Cloudflare integration: a settings page to
store a scoped API token + account ID (plus optional default zone/tunnel),
a "Test connection" action, and full CRUD.

All procedures are admin-gated (adminProcedure, not withPermission —
`cloudflare` is an enterprise-only resource whose checkPermission bypass
would otherwise grant members). The API token is redacted from every
response and never logged, the account id is URL-encoded and inputs are
trimmed, and every mutation is written to the audit log (with the
audit-log UI label/filter wired up for the new resource type).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes Dokploy#4309

Lets a domain be published through Cloudflare Tunnel instead of (or
alongside) direct Traefik exposure, in two modes: a Dokploy-managed
"shared" tunnel with an auto-deployed cloudflared connector, or an
existing remotely-managed tunnel.

Provisioning upserts a per-host ingress rule (preserving any unknown
rules and keeping the catch-all last) plus a proxied, Dokploy-tagged
CNAME, and is idempotent with compensating cleanup on partial failure.
The web->websecure redirect is suppressed for published domains, which
terminate TLS at the Cloudflare edge and reach Traefik over plain HTTP.

Cloudflare state is torn down before the domain row is removed on every
path — single delete, application/compose/project cascade, and compose
import — with shared tunnels/connectors reaped only once their last route
is gone. The connector token is mounted as a read-only file (never in
`docker inspect`, never persisted to the DB or logged). Account/zone/
tunnel id path segments are URL-encoded, all publishing is owner/admin-
gated, and the selected integration is verified to belong to the caller's
organization.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
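The no-clobber ingress upsert and the last-route teardown described in the PR summary (refuse to overwrite a route it doesn't own; preserve unknown rules; keep the catch-all last; reap the shared tunnel only once its last Dokploy route is gone) can be illustrated with a small model. The following is an added example written for this page, not code from the PR or from Dokploy. It uses the ingress shape cloudflared itself consumes (`{ hostname, service }` rules followed by one hostname-less catch-all such as `http_status:404`); the `owned` set standing in for the DB-backed ownership record, the `IngressConflictError` class and the `canReap` flag are assumptions of the example, and the per-tunnel lock the PR mentions is assumed to be held by the caller around the read-modify-write.

```typescript
// Added example, not Dokploy's code. Models the no-clobber ingress upsert and
// teardown the PR describes, using cloudflared's ingress shape:
// { hostname, service } rules followed by one hostname-less catch-all.
// Assumptions: `owned` is the set of hostnames the Dokploy DB records as
// Dokploy-managed on this tunnel, and the caller already holds the per-tunnel
// lock, so this read-modify-write is not racing another publisher.

export interface IngressRule {
  hostname?: string;
  service: string;
  originRequest?: Record<string, unknown>;
}

export class IngressConflictError extends Error {
  constructor(hostname: string) {
    super(`ingress rule for ${hostname} exists and is not Dokploy-managed; refusing to overwrite`);
    this.name = "IngressConflictError";
  }
}

// cloudflared rejects a config whose last rule is not a catch-all; this is the
// conventional one used when the existing list has none.
const DEFAULT_CATCH_ALL: IngressRule = { service: "http_status:404" };

const isCatchAll = (rule: IngressRule): boolean => !rule.hostname;
// Hostnames are case-insensitive; compare them in one canonical form.
const norm = (hostname: string): string => hostname.trim().toLowerCase();

// Separate hostname routes from the catch-all so that unknown routes survive
// untouched and the catch-all is always re-appended as the last rule.
function splitIngress(ingress: IngressRule[]): { routes: IngressRule[]; catchAll: IngressRule } {
  const routes = ingress.filter((r) => !isCatchAll(r));
  const catchAlls = ingress.filter(isCatchAll);
  const catchAll = catchAlls.length > 0 ? catchAlls[catchAlls.length - 1] : DEFAULT_CATCH_ALL;
  return { routes, catchAll };
}

export function upsertIngress(
  ingress: IngressRule[],
  hostname: string,
  service: string,
  owned: ReadonlySet<string>,
): IngressRule[] {
  const { routes, catchAll } = splitIngress(ingress);
  const target = norm(hostname);
  const idx = routes.findIndex((r) => norm(r.hostname ?? "") === target);
  // No-clobber: a route for this host that the DB does not record as ours
  // belongs to someone else; refuse instead of silently re-pointing it.
  if (idx >= 0 && !owned.has(target)) {
    throw new IngressConflictError(hostname);
  }
  const next = routes.slice();
  if (idx >= 0) {
    // Re-publishing an owned host is idempotent and keeps extras such as originRequest.
    next[idx] = { ...next[idx], service };
  } else {
    next.push({ hostname: target, service });
  }
  return [...next, catchAll];
}

export function removeIngress(
  ingress: IngressRule[],
  hostname: string,
  owned: ReadonlySet<string>,
): { ingress: IngressRule[]; canReap: boolean } {
  const { routes, catchAll } = splitIngress(ingress);
  const target = norm(hostname);
  // Only a Dokploy-owned route is removed; a foreign route with the same
  // hostname is left alone, and removing an absent route is a no-op.
  const remaining = owned.has(target)
    ? routes.filter((r) => norm(r.hostname ?? "") !== target)
    : routes;
  // The shared tunnel/connector may be reaped only when no Dokploy-owned
  // route is left on it; foreign routes do not count either way.
  const ownedLeft = remaining.filter((r) => owned.has(norm(r.hostname ?? ""))).length;
  return { ingress: [...remaining, catchAll], canReap: ownedLeft === 0 };
}
```

The same ownership check applies on the DNS side: before writing the proxied CNAME, look the record up and refuse if one exists that the ownership record does not claim, rather than relying on a tag in the record alone, since tags can be copied while the DB row cannot.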
@maxsam4 maxsam4 requested a review from Siumauricio as a code owner June 1, 2026 10:26
@dosubot dosubot Bot added size:XXL This PR changes 1000+ lines, ignoring generated files. enhancement New feature or request labels Jun 1, 2026
@github-actions github-actions Bot closed this Jun 1, 2026

maxsam4 commented Jun 1, 2026

Superseded by #4531 — rebased onto the latest canary (migration renumbered to 0171) and trimmed to pass the PR-quality checks. This one was auto-closed by the quality bot before the rebase.
