[GH-ISSUE #499] Add support for cloudflare origin certificates & custom-hostnames #316

Open
opened 2026-03-03 11:29:12 +03:00 by kerem · 0 comments
Owner

Originally created by @pavanbhaskardev on GitHub (Dec 3, 2025).
Original GitHub issue: https://github.com/dflow-sh/dflow/issues/499

Originally assigned to: @pavanbhaskardev on GitHub.

Description

Moves the Traefik configuration from fileProvider to etcd, and uses Cloudflare origin certificates and custom hostnames instead of the letsencrypt resolver.

Why

Every time a service is deployed, a new certificate is generated using the wildcard domain; a Cloudflare origin certificate resolves that with a single certificate for the entire wildcard domain. We can now use Cloudflare DDoS, WAF and bot protection.

Server Changes

  • Domains configuration tab on the server page
  • Because a custom domain added at the server level will propagate to each service
  • So custom-hostname validation needs to be done

Service Changes

  • Update the domain format from serviceName.serverHostname.up.domain.com -> serviceName-serverHostname.up.domain.com
  • Migrate Traefik from the letsencrypt configuration to a Cloudflare origin certificate
  • Migrate the custom-domain configuration to Cloudflare custom hostnames with TXT validation
  • Remove the Certificate Type and Regenerate SSL options

Onboarding Changes

  • Remove the following steps
    - letsencrypt plugin installation
    - global email configuration
  • Move custom domain attachment to the 1st step

Docs

  • Update the Traefik configuration in docker-compose.yaml
    - Use etcd instead of fileProvider
    - Use a Cloudflare origin certificate instead of the letsencrypt resolver
  • Create a migration script to change the file-based configuration to etcd configuration
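The issue bundles two security-relevant changes: the hostname format moves from serviceName.serverHostname.up.domain.com to serviceName-serverHostname.up.domain.com, and the Traefik dynamic configuration moves from the file provider to etcd. The first is forced by how wildcard certificates work: a certificate for *.up.domain.com covers exactly one additional label, so the old two-label form is never covered by a single origin certificate. The script below is an added example written for this page, not dflow's migration script or Cloudflare/Traefik code. It rewrites router Host() rules to the single-label form, refuses anything the wildcard cannot cover, syntax-checks custom hostnames before they would be handed to Cloudflare, drops the certResolver, and flattens the result into the key layout Traefik's etcd provider reads (maps join with "/", lists use their index, an empty map such as `tls: {}` becomes the literal "true"). The zone name, certificate paths and the sample file-provider config are all constructed assumptions; writing the keys to etcd (via etcdctl or a client library) is left out so the script runs offline.

```python
"""Added example (not dflow's code): convert a Traefik file-provider dynamic
config (letsencrypt resolver, dotted service hostnames) into the flat
key/value layout Traefik's etcd provider reads, pointing every router at a
single Cloudflare origin certificate."""
import copy
import re

PLATFORM_ZONE = "up.example.com"   # assumption: zone the wildcard origin cert is issued for
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def covered_by_wildcard(hostname, wildcard):
    """RFC 6125 rule: '*' matches exactly one left-most label and never a dot."""
    if not wildcard.startswith("*."):
        return hostname == wildcard
    suffix = wildcard[1:]          # "*.up.example.com" -> ".up.example.com"
    if not hostname.endswith(suffix):
        return False
    return bool(LABEL_RE.match(hostname[:-len(suffix)]))


def valid_hostname(hostname):
    """Syntactic check for a custom hostname before it is registered anywhere."""
    labels = hostname.lower().split(".")
    return len(hostname) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def rewrite_host(host):
    """service.server.zone -> service-server.zone; reject what the wildcard cannot cover."""
    suffix = "." + PLATFORM_ZONE
    if host.endswith(suffix):
        host = host[:-len(suffix)].replace(".", "-") + suffix
        if not covered_by_wildcard(host, "*." + PLATFORM_ZONE):
            raise ValueError(f"{host} is not covered by *.{PLATFORM_ZONE}")
    elif not valid_hostname(host):
        raise ValueError(f"{host} is not a valid custom hostname")
    return host


def flatten(node, prefix, out):
    """Flatten nested dicts/lists into Traefik's KV layout."""
    if isinstance(node, dict):
        if not node:               # `tls: {}` in the file provider is `.../tls = true` in KV
            out[prefix] = "true"
        for key, value in node.items():
            flatten(value, f"{prefix}/{key}", out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            flatten(value, f"{prefix}/{index}", out)
    elif isinstance(node, bool):
        out[prefix] = "true" if node else "false"
    else:
        out[prefix] = str(node)
    return out


def migrate(file_config, cert_file, key_file):
    """Return {etcd_key: value} for the migrated dynamic config.
    cert_file/key_file are the origin certificate and key (paths inside the
    Traefik container; assumption for this example)."""
    cfg = copy.deepcopy(file_config)
    for router in cfg.get("http", {}).get("routers", {}).values():
        router["rule"] = HOST_RE.sub(
            lambda m: f"Host(`{rewrite_host(m.group(1))}`)", router["rule"])
        router["tls"] = {}         # drop certResolver; serve from the default TLS store
    cfg.setdefault("tls", {})["certificates"] = [{"certFile": cert_file, "keyFile": key_file}]
    return flatten(cfg, "traefik", {})


# Constructed sample of a letsencrypt-era file-provider config (not from the project).
FILE_CONFIG = {
    "http": {
        "routers": {
            "api": {
                "rule": "Host(`api.srv1.up.example.com`)",
                "entryPoints": ["websecure"],
                "service": "api",
                "tls": {"certResolver": "letsencrypt"},
            }
        },
        "services": {
            "api": {"loadBalancer": {"servers": [{"url": "http://127.0.0.1:5000"}]}}
        },
    }
}

if __name__ == "__main__":
    for key, value in sorted(migrate(FILE_CONFIG, "/certs/origin.pem", "/certs/origin.key").items()):
        print(f"{key} = {value}")
```

Run it to see the seven keys the sample produces; the old hostname api.srv1.up.example.com fails covered_by_wildcard while the rewritten api-srv1.up.example.com passes, which is the reason behind the format change. The check in rewrite_host also catches the server-level propagation concern from the issue: a malformed custom domain is rejected before it reaches any service's router.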