Dokploy/website
1
0
Fork 0
mirror of https://github.com/Dokploy/website.git synced 2026-06-15 20:25:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

docs: add Cloudflare Access + trusted origins troubleshooting section

Browse Source 
Documents the login-hangs-behind-Cloudflare-Access issue and the required
configuration (BETTER_AUTH_SECRET, BETTER_AUTH_TRUSTED_ORIGINS, Web Server
host/HTTPS settings) to fix it. Closes #4361.
This commit is contained in:
Mauricio Siu
2026-05-08 22:38:42 -06:00
parent c61283fab2
commit 5b48176575
1 changed files with 54 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
apps/docs/content/docs/core/guides/cloudflare-tunnels.mdx
View File

@@ -162,4 +162,58 @@ This allows all subdomains (`app1.example.com`, `app2.example.com`, etc.) to rou
<Callout type="info">
With wildcard routing, you only need ONE public hostname in Cloudflare Tunnel. Traefik handles routing to different apps based on the domain configured in Dokploy.
</Callout>
## Using Cloudflare Access (Zero Trust) with Dokploy
If you protect your Dokploy dashboard with **Cloudflare Access** (Zero Trust), there are a few extra steps required to make login work correctly.
### Why login hangs behind Cloudflare Access
When Cloudflare Access sits in front of Dokploy, the login request (`POST /api/auth/sign-in/email`) may appear to hang indefinitely even with valid credentials. Invalid credentials still return a `401` immediately, which makes it easy to miss this issue.
The root cause is that Better Auth (Dokploy's auth library) validates the `Origin` header of every request. When the request comes through Cloudflare Access, the origin may not match any of the trusted origins Dokploy knows about, so the request is silently dropped.
### Required configuration
You need to configure three things:
**1. Set a stable `BETTER_AUTH_SECRET`**
Make sure this value is set and does not change between restarts. If it is missing or rotates, sessions are invalidated and auth flows may break.
```bash
BETTER_AUTH_SECRET=your-random-secret-here
```
Generate a secure value with:
```bash
openssl rand -hex 32
```
**2. Add your domain to trusted origins**
Set the `BETTER_AUTH_TRUSTED_ORIGINS` environment variable to include all origins that can reach Dokploy:
```bash
BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:3000,http://<internal-ip>:3000,https://dokploy.example.com
```
Replace `dokploy.example.com` with your actual public domain.
**3. Configure Web Server settings in the Dokploy UI**
Go to **Settings → Server** and set:
- **Host**: `dokploy.example.com` (your public domain)
- **HTTPS**: enabled
This ensures Dokploy includes your domain as a trusted origin automatically.
<Callout type="info">
After applying these changes, redeploy the Dokploy service so the new environment variables take effect.
</Callout>
<Callout type="warn">
If you access Dokploy through multiple origins (public domain, internal IP, Tailscale), make sure all of them are listed in `BETTER_AUTH_TRUSTED_ORIGINS`.
</Callout>