Configure Cloudflare as Reverse Proxy
Availability varies by Auth0 plan and login method
Both the login implementation you use and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read New Universal Login vs. Classic Universal Login and Pricing.
To set up Cloudflare as a reverse proxy, a Cloudflare Enterprise Plan with the following features is required:
Host Header Override: To learn more, read Using Page Rules to Re-Write Host Headers in Cloudflare documentation.
True-Client-IP Header: To learn more, read What is True-Client-IP? in Cloudflare documentation.
To learn more, explore the sample code in our GitHub repo.
CNAME flattening
Auth0 recommends turning off CNAME flattening unless it's strictly necessary, according to the Cloudflare documentation, Understand and configure CNAME flattening. CNAME flattening for Auth0 managed certificates is an unsupported configuration and as such may cause the custom domain to break without notice if CNAME flattening is enabled.
If you need to enable CNAME flattening for all subdomains managed by Cloudfare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read Delegating Subdomains Outside of Cloudflare in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.
Configure Cloudflare
Confirm that your desired custom domain does not already exist within your Cloudflare zone. If it already exists, Cloudflare verification will fail.
Configure Custom Domains with Self-Managed Certificates if you haven't already. Make note of the Origin Domain Name and cname-api-key values since you'll need these later.
Configure a CNAME setup with Cloudflare.
Once Cloudflare has verified your domain, log in to the Cloudflare Dashboard.
Create a new Cloudflare Page Rule with the following settings:
Setting Entry Host Header Override {yourTenant}.<CUSTOM_DOMAIN_ID>.edge.tenants.auth0.com
Replace<CUSTOM_DOMAIN_ID>with the custom domain ID from the Origin Domain Name that you received from Auth0. If your tenants are not in the US region, use one of the following:
EU:{yourTenant}.<CUSTOM_DOMAIN_ID>.edge.tenants.eu.auth0.com
AU:{yourTenant}.<CUSTOM_DOMAIN_ID>.edge.tenants.au.auth0.comTrue-Client-IP Enable Create and deploy a new Cloudflare Worker for the configured CNAME using the following script:
addEventListener('fetch', event => { event.respondWith(handleRequest(event.request)) }) async function handleRequest(request) { request = new Request(request) request.headers.set('cname-api-key', '<{yourCnameApiKey}>') return await fetch(request) }Was this helpful?
/Replace
<YOUR_CNAME_API_KEY>with the cname-api-key you received from Auth0.
Configure Auth0
Use the Management API Update Custom Domain Configuration patch endpoint with the following in the body:
{
"tls_policy": "recommended",
"custom_client_ip_header": "true-client-ip"
}Was this helpful?