
Releases: ChrispyBacon-dev/DockFlare

DockFlare v3.1.2: You Look Good

08 May 14:35
19abaf6



Hello everyone,

v3.1.2 is a visual release.

No new infrastructure, no new services. This one is about making DockFlare feel cohesive: the same design language across the website, the Master app, and the Webmail client. While I was at it, the login screens got a proper redesign.

Highlights

  • New DockFlare logo: dedicated light and dark SVG variants, auto-switching everywhere
  • Website, Master, and Webmail now share the same visual design system
  • Login screens redesigned with a split-panel layout
  • All assets bundled locally: no CDN, no external requests

What's New

New Logo

DockFlare has a proper logo now, with separate light and dark SVG variants. The GitHub README already uses it: if you're reading this in dark mode you should see the light version, and vice versa. Both the website and all app surfaces serve the correct variant automatically based on your active theme.

Design Sync

The website, Master app, and Webmail client now speak the same visual language: same colours, same typography, same component style. Previously each surface had drifted slightly. That drift is gone.

Login Pages

Both login screens have been redesigned with a 50/50 split panel and a refreshed form card. Toggle between light and dark mode on the login screen and the panel colours invert while the logo switches variant automatically. Worth a look.

Fixed

Outbound display name: The display name set during mailbox creation was stored but never applied when sending. Outbound emails now correctly use Display Name <address> in the From header. Thanks to the community for the report — #363.
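As an added example of the fixed behaviour (not DockFlare's own code), this builds the From header with the standard library; it also covers display names that need quoting or encoding, and rejects line breaks so a stored name can never inject extra headers:

```python
from email.utils import formataddr, parseaddr


def build_from_header(display_name: str, address: str) -> str:
    """Return the From header value 'Display Name <address>'.

    formataddr() quotes names that contain specials (commas, quotes) and
    RFC 2047-encodes non-ASCII names; an empty display name yields the bare address.
    """
    # A stored display name must never be able to smuggle a line break into the header.
    if any(ch in display_name for ch in "\r\n\x00"):
        raise ValueError("display name contains control characters")
    # Accept only a bare address here; anything carrying its own name or angle brackets is rejected.
    if "@" not in address or parseaddr(address) != ("", address):
        raise ValueError(f"not a bare email address: {address!r}")
    return formataddr((display_name.strip(), address))
```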

Notes

No changes to agents, Docker Compose, or Cloudflare configuration. Master and Webmail update by pulling the new images.


For the full breakdown see CHANGELOG.md.

Happy tunnelling,
Christian

DockFlare v3.1.1: You've Got Aliases

26 Apr 09:37
11fa752


Hello everyone,

v3.1.1 is out.

The headline feature is email aliases - a disposable address layer built directly into DockFlare Mail, no third-party service required. Alongside that, a round of webmail UI improvements landed in this release including inline settings, bulk email actions, and a handful of dark mode and layout fixes.

Highlights

  • Email aliases: create disposable addresses that route to your real mailbox
  • Alias enforcement at the Cloudflare Worker layer - unknown aliases rejected at the SMTP level
  • Outbound reply support: reply from an alias, not your real address
  • Bulk email actions: select, trash, and move multiple messages at once
  • Settings redesigned as an inline split panel
  • Date and time format selector: US, European, or ISO 8601

What's New

Email Aliases

Thanks to [@f3vkx](https://github.com/f3vkx) for the idea in [#348](#348).

You can now create email aliases that forward mail to your real mailbox while keeping your actual address private - similar to SimpleLogin or addy.io, but self-hosted and built into the platform.

Aliases are enforced at the Cloudflare Worker layer via KV lookups. Mail to an unknown or deactivated alias is rejected at the SMTP level before it ever reaches your server.

Full management is available from the webmail Settings panel:

  • Generate an alias automatically or define a custom local-part
  • Add a label and description for organisation
  • Set an optional expiry date - expired aliases are deactivated automatically by an hourly background job and their KV entries cleaned up from Cloudflare
  • Toggle aliases active or inactive at any time
  • Track usage count per alias

Outbound reply support: when you reply to a message that arrived via an alias, the compose dialog pre-selects that alias as the sender. Your real address stays hidden end to end.

Rate limiting: 20 alias creations per hour and 100 aliases per mailbox, enforced server-side.

Inline Settings Panel

The settings modal is replaced with a split-panel view inside the main mail area. Clicking any folder closes settings and returns to mail. Three new sections added: Appearance (date/time format), About (project links, PWA install), and Help (documentation placeholder).

Bulk Email Actions

Multi-select mode in the message list with select-all, trash, and folder move controls.

Webmail UI Refinements

Animated logo in the sidebar and login page, sidebar controls reorganised, folder section label cleaned up, and several unnecessary dividers removed.

Notes

No changes to the DockFlare Master, agent, or Docker Compose configuration. Webmail and Mail Manager update by pulling the new images.


For the full breakdown see [CHANGELOG.md](https://github.com/ChrispyBacon-dev/DockFlare/blob/stable/CHANGELOG.md).

Happy tunnelling,
Christian

DockFlare v3.1.0: You've Got Mail

16 Apr 20:25
3399752


Hello everyone,

v3.1.0 is a big one. Probably the biggest feature release since the multi-server agent system in v3.0.

This release introduces DockFlare Mail, a fully self-hosted email suite that uses Cloudflare as a zero-infrastructure delivery layer while keeping every message, attachment, and mailbox record on your own hardware. No third-party mail servers. No SaaS subscriptions. No sending your email to someone else's cloud.

Cloudflare handles the edge. You keep the data.

Cloudflare's Email Service entered public beta today. Read their announcement: Email for Agents

Highlights

  • Self-hosted inbound and outbound email via Cloudflare Email Routing, Workers, and R2
  • Local email storage in SQLite with FTS5 full-text search; everything stays on your server
  • Multi-domain support with complete per-domain isolation of secrets, buckets, and Workers
  • One-click provisioning of all required Cloudflare infrastructure from the DockFlare UI
  • PWA-ready Webmail client installable on desktop and mobile
  • Desktop and mobile push notifications for new mail via Web Push (VAPID)
  • Per-mailbox storage quotas enforced at the Cloudflare KV layer
  • Backup, restore, and full teardown tooling built in
  • 7 new Help Center guides covering every part of the email setup

What's New

DockFlare Mail

DockFlare Mail turns Cloudflare into a stateless mail relay that you own and control.

Inbound emails arrive at Cloudflare, get routed through an Email Worker, buffered briefly in R2, and pulled down to your server by the new Mail Manager service. Outbound mail goes the other direction: from your server, through an authenticated Cloudflare Worker with automatic SPF, DKIM, and DMARC handling, and out to the internet.

Your messages live in a local SQLite FTS5 database. Your attachments live in a dedicated Docker volume. Cloudflare never stores your email permanently; it is a pipe, not a vault.

One-Click Infrastructure Provisioning

The Email Setup flow provisions everything directly from the DockFlare UI:

  • Cloudflare Email Routing and catch-all rules
  • Inbound and outbound Workers with correct bindings
  • R2 buckets for message buffering
  • MX, SPF, DMARC, and DKIM DNS records

A Repair DNS tool is also available to re-apply or fix missing records if anything drifts. Worker redeployment is one click whenever you push configuration changes.

Multi-Domain Support

DockFlare Mail supports an unlimited number of domains simultaneously, with complete isolation per domain:

  • Separate secrets, R2 buckets, and Worker endpoints per domain
  • Domain-aware inbound webhook routing with per-domain signature verification
  • Dynamic sync of domain configuration from the Master to the Mail Manager

PWA Webmail

The included Webmail client is built with Vue 3, Vite, and TypeScript.

It runs as a Progressive Web App, installable directly from the browser on desktop, with mobile support coming soon. The interface uses a 3-panel layout with folder navigation, message list, and rich message display. Push notifications for new mail are supported via Web Push (VAPID) and Service Workers, so new messages reach you even when the app is in the background.

Per-Mailbox Quotas

Storage quotas are enforced at the Cloudflare KV layer, so the check happens before a message is delivered to your server. When a mailbox is full, incoming messages are rejected cleanly at the edge: no surprise disk usage, no silent drops. Quota configuration and current usage are visible in the mailbox management UI.

Backup, Restore, and Teardown

Full backup and restore of the mail database and data volume is built in. Teardown options including a complete wipe of local data and Cloudflare resources are available directly from the Email section.

Security

  • EdDSA JWT authentication: Ed25519 key-pair-based communication between Webmail, Mail Manager, and Master
  • Outbound rate limiting: 50 emails per hour and 200 per day per sender, enforced at the Worker layer
  • CVE scan and dependency refresh included in this release

Changed

  • Navigation: Email is now a primary item in the Master navigation bar
  • Login page: A "Login to Email" shortcut appears on the main login page when email services are active
  • Docker Compose: Updated to include dockflare-mail-manager and dockflare-webmail services under a shared email profile (opt-in, no impact on existing setups)

Help Center

Seven new guides covering the full email setup are now available in the Help Center (English).

Notes

Email services are fully opt-in. Existing installations are unaffected unless the email profile is added to the Compose configuration.


For the full technical breakdown see CHANGELOG.md.

Happy tunneling,
Christian

DockFlare v3.0.9: One Command to Rule Them All

21 Mar 17:24
41ea16d


Hello everyone,

v3.0.9 is out, and it is a meaningful one for anyone running agents across multiple servers.

The headline is Cloudflare Zero Trust integration for the agent layer. But there is a lot more in here: a one-liner install for the master, live connector data from the Cloudflare API, a one-liner deploy flow for agents, a handful of fixes, and some UI polish on the Agents page.

Highlights

  • One-liner install for DockFlare Master via [dockflare.app](https://dockflare.app)
  • One-liner and Compose snippet agent deployment, generated per API key
  • Cloudflare Zero Trust service token provisioning for secure agent communication
  • Live cloudflared version and origin IP fetched directly from the Cloudflare API
  • Agents table responsive layout fix and visual refresh

What's New

One-Liner Install for DockFlare Master

Getting DockFlare running now takes a single command:

curl -fsSL https://dockflare.app/install.sh | bash

The script checks that Docker and Docker Compose are available, creates ~/dockflare/, writes a production-ready docker-compose.yml, provisions the cloudflare-net network, pulls the images, and starts all services. Open http://<your-server-ip>:5000 when it finishes and follow the setup wizard.

Optional overrides are supported via environment variables before the pipe. The Quick Start guide has been updated to present this as Option A alongside the existing manual compose path as Option B.

One-Liner Agent Deployment

Each agent API key now has a Deploy button on the Agents page. It opens a modal with two tabs:

  • Quick Deploy - a fully pre-filled curl | bash one-liner with all credentials embedded automatically: Master URL, API key, CF Access client ID and secret.
  • Compose Snippet - a ready-to-use docker-compose.yml for anyone who prefers to review before running.

This option requires two things to be configured on the master first: Cloudflare Zero Trust (Agents → Setup Zero Trust) and the DockFlare Public URL (Settings → General). The Public URL is used to construct the master endpoint baked into the generated script. Both are opt-in.

Cloudflare Zero Trust for Agent Communication

DockFlare can now automatically provision a Cloudflare Access Application and Service Token scoped to the agent API endpoint. Once configured, all agent traffic is authenticated at the Cloudflare edge before it ever reaches your server.

This removes the need for a separate private network, VPN, or Tailscale setup between master and agents.

Setup and removal are handled entirely from the Agents page, no Cloudflare dashboard visit required. The Access Application is created with a non_identity service token policy for agents alongside an automatic bypass policy for admin browser sessions, so nothing breaks for existing workflows.

Existing agents without service token credentials continue to work without any changes required.

Note: This requires adding Account: Access: Service Tokens: Edit to your Cloudflare API token permissions. The Prerequisites guide and README have both been updated to reflect this.

Live Cloudflared Version and Origin IP

The Agents table previously showed a hardcoded cloudflared version. It now shows live data fetched directly from the Cloudflare API, no changes to the DockFlare Agent required.

Two new data points per agent:

  • Cloudflared Version with platform sub-line (e.g. 2026.3.0 / linux_arm64)
  • Origin IP showing the public IP of the cloudflared connector

Data is cached for 60 seconds to avoid unnecessary API calls.

DockFlare Public URL Setting

The DockFlare Public URL is now configurable from Settings → General. It is stored in the encrypted config store and used when constructing the Cloudflare Access Application scope and the generated deploy commands.


For the full technical breakdown see CHANGELOG.md.

Updated documentation:

Happy tunnelling,
Christian

DockFlare v3.0.8: The Babelfish Update

16 Mar 21:14
ad88f99


Hello. Hallo. Grüessech. Bonjour. Ciao. Hola. Cześć. 你好. こんにちは. Halo.

Hello everyone,

I’ve just pushed DockFlare v3.0.8, and this is a pretty special one.

I’m calling it the Babelfish Update, as a small nod to The Hitchhiker’s Guide to the Galaxy. It felt like the right name for a release focused on language, accessibility, and making DockFlare easier to use for more people around the world.

What started as issue #318 grew into a much bigger milestone than I originally expected.

With this release, DockFlare now supports 9 additional languages across the Web UI, the Help Center documentation, and the project website as well.

This was a major piece of work, but one I felt was worth doing properly.

Highlights

  • Full localization support across the DockFlare Web UI
  • Help Center docs fully updated and translated
  • Project website fully updated and translated
  • New global language selector in the top navigation bar
  • Safe English fallback when a translation is missing
  • Performance fix for the Waitress connection issue that could cause long page stalls

What’s New

Multi-language support across DockFlare

The DockFlare interface is now available in 9 additional languages, covering the dashboard, settings, dialogs, and the rest of the web UI.

The goal here was not just to translate the obvious parts, but to make the entire experience feel complete and consistent.

Help Center and website translations

Alongside the UI, all Help Center guides were updated and translated too.

The project website was also fully refreshed and translated into the same languages, so the public-facing experience now matches the application much more closely.

Language selector

A new global language selector has been added to the top navigation bar, making it easy to switch languages on the fly.

DockFlare remembers the selected language during the session, so navigation stays consistent.

English fallback

If a localized string or page is not available, DockFlare will safely fall back to English.

That avoids broken pages, missing content, and awkward dead ends while keeping the experience reliable.

Fixed

  • Resolved a Waitress connection exhaustion issue that could cause the UI to stall or hang for around 30 seconds after clicking through several pages.

This should make the interface feel much smoother and more stable during normal use.

Special Thanks

A special thank you to @netesheng for helping kick off and inspire this work.

Final Note

This is one of the biggest usability updates DockFlare has had so far.

Making DockFlare more accessible to an international community has been on my mind for a while, and v3.0.8 is a big step in that direction.

Thanks again to everyone using DockFlare, opening issues, sharing feedback, and helping shape the project.

Some parts of the translations were assisted by Google Translate and DeepL. If you notice anything inaccurate, awkward, or unclear in your language, I’d really appreciate your feedback or a correction suggestion. Community input will help improve and refine the translations over time.

You can also visit the project website here: dockflare.app

Security Fixes

This release also includes a dependency security refresh across both the frontend and Python stack.

At a high level, vulnerable dependencies were updated, lockfiles were refreshed, and the current dependency set was re-audited so there are no known vulnerabilities remaining in the dependency set shipped for this release.

For the full breakdown of the updated packages and technical details, see the CHANGELOG.md.

Happy tunneling and cheers,
Christian

DockFlare v3.0.7

03 Mar 16:21
527e448


This release focuses on practical improvements that came straight from your real-world setups, and I really appreciate how specific and actionable the reports were.

Highlights

  • Added Match SNI to Host support for manual ingress rules in the web UI.
  • Added a UI setting to preserve unmanaged Cloudflare ingress fields during sync.
  • Updated Cloudflare Zero Trust deep links to match Cloudflare’s current URL structure.
  • Fixed tunnel-name edge cases where Docker-invalid characters could break cloudflared agent container creation.
  • Added Dashboard grouping for Managed Ingress Rules by Status, Tunnel, or Access Policy.

Community shout-outs

  • Enhancement: add grouping to dashboard #320
    Thank you @MischaBoender

  • Match SNI to host toggle or option to ignore rules #319
    Thank you @Slogstorm

  • Wrong endpoint in access manager #304
    Thank you @x3lq for raising the Cloudflare email endpoint issue in Access Manager

  • Invalid container name #309
    Thank you @martingjohn

Added

  • Manual Rule SNI Control:
    • New Match SNI to Host toggle for manual rules (create/edit).
    • Persisted in DockFlare state and synchronized to Cloudflare as originRequest.matchSNIToHost.
  • UI-Managed Ingress Field Preservation:
    • New General Settings option:
      • Preserve Unmanaged Cloudflare Ingress Fields
    • Lets DockFlare keep Cloudflare-side route fields it does not explicitly manage.
  • Dashboard Grouping:
    • New Group by control in Managed Ingress Rules.
    • Group by:
      • Status
      • Tunnel
      • Access Policy
    • Includes per-group counts for easier navigation on larger rule sets.

Fixed

  • Cloudflare Dashboard Deep Links:
    • Tunnel route links now use:
      • .../networks/connectors/cloudflare-tunnels/.../public-hostname/.../{index}
    • Access application links now use:
      • .../access-controls/apps/self-hosted/.../edit?tab=basic-info
    • Access policy links now use:
      • .../access-controls/policies/.../edit
  • Access Manager Cloudflare Email Call:
    • Corrected account email retrieval flow related to the wrong endpoint behavior raised in issue #304.
  • Tunnel Name Character Handling:
    • Fixed cloudflared agent startup failures when tunnel names contain Docker-invalid characters (for example spaces or parentheses), as reported in issue #309.
    • DockFlare now normalizes generated container names across setup, config load, and settings updates.
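One way to do the normalization described in the tunnel-name fix above, as an added example rather than DockFlare's own code: the regex is Docker's container-name rule, while the prefix and the fallback name are assumptions.

```python
import re

# Docker's container-name rule: first character alphanumeric, then [a-zA-Z0-9_.-], at least two chars.
DOCKER_NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]+$")
# Assumed prefix for generated agent containers (not DockFlare's actual naming scheme).
CONTAINER_PREFIX = "cloudflared-agent-"


def is_valid_container_name(name: str) -> bool:
    """True when Docker would accept the name as-is."""
    return DOCKER_NAME_RE.match(name) is not None


def container_name_for_tunnel(tunnel_name: str, prefix: str = CONTAINER_PREFIX) -> str:
    """Turn a free-form tunnel name such as "Home Lab (prod)" into a Docker-valid container name."""
    # Every run of characters Docker rejects (spaces, parentheses, slashes, non-ASCII) becomes one '-'.
    cleaned = re.sub(r"[^a-zA-Z0-9_.-]+", "-", tunnel_name)
    # Collapse repeated dashes and drop punctuation left at the edges.
    cleaned = re.sub(r"-{2,}", "-", cleaned).strip("-._")
    if not cleaned:
        cleaned = "tunnel"  # the name had no usable characters at all
    name = prefix + cleaned
    if not is_valid_container_name(name):
        raise ValueError(f"could not derive a valid container name from {tunnel_name!r}")
    return name
```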

Notes

  • No migration steps required for standard installs.
  • If you rely on Cloudflare-only ingress options, consider enabling:
    • Preserve Unmanaged Cloudflare Ingress Fields
  • Existing rules continue to work; grouping is a UI enhancement.

Thanks again for building, testing, and pushing DockFlare forward with me.

Happy tunneling and cheers,
Christian

DockFlare v3.0.6: Minor Update - Back for more

15 Feb 10:15
574fb4c


Hi everyone,

After a break to recharge and revisit a few open topics, I’m back with v3.0.6. This release focuses on performance improvements and clarity in the UI. Nothing flashy, just solid refinements that make DockFlare behave better in real-world environments.

Improvements & Fixes

Docker Event Listener Optimization

Reduced log noise and improved resource usage by introducing filtered Docker event listeners.

DockFlare now processes container start and stop events only for containers explicitly opted in via:

  • dockflare.enable
  • cloudflare.tunnel.enable (legacy support)

This prevents unnecessary inspection of unmanaged containers and keeps things much cleaner, especially on hosts running many services.

Fixes #296

Access Policy Label Clarification

Renamed the Access Policy label from:

None (Public - No App)

to:

No Policy Assigned

The previous wording implied that a service was public, which is not necessarily true since a broader Zone Policy may still apply. The new label better reflects the actual state without creating confusion.

Thanks to everyone who continues to report issues and share feedback. More refinements are coming.

Christian

DockFlare v3.0.5: A Tale of Two Toggles

14 Oct 14:21
295a604


Hello everyone,

This is a small feature release that adds two new Cloudflare features for more specific use cases.

A special thank you to @SeraphimSerapis for the input on GitHub issue #281, which directly led to the features in this update.

New Additions

  • HTTP/2 Origin Support: You can now enable the HTTP/2 protocol for the connection between cloudflared and your origin services. This is necessary for services that use gRPC and only applies to HTTP/HTTPS services.

  • Disable Chunked Encoding: Support has been added to disable chunked transfer encoding. This is useful for origins that do not properly support it, such as some WSGI servers (Flask, Django, FastAPI).

These new settings can be configured in a few ways:

  • Container Labels: Use the new dockflare.http2_origin and dockflare.disable_chunked_encoding labels on your Docker containers. This works for containers on the main DockFlare instance as well as those on remote servers running the DockFlare Agent.

  • Manual Rules: When creating or editing a manual rule in the web UI, both "HTTP/2 Origin" and "Disable Chunked Encoding" can now be enabled for the rule.


For usage details on the new labels, please see the updated Container Labels documentation.

Vielen Dank!
Cheers,
Chris

DockFlare v3.0.4: Bug Squashing and Quality of Life Update

11 Oct 18:40
df16f80


Hello everyone,

I've just pushed a new update, version 3.0.4. This release is focused on fixing several key bugs that many of you have reported, along with some nice quality-of-life improvements for the UI.

Bug Fixes and Stability Improvements

Thanks to some very helpful and detailed bug reports from the community, I was able to track down and fix a few significant issues:

  • Agent Management is working again: A couple of key features on the Agents page were broken. Trying to roll an agent's API key was causing a network error, and attempting to redeploy a tunnel container would result in a 500 error from the server (fixes #274). Both of these issues have been resolved, and those actions should now work as expected.
  • Access Policy editing is fixed: There was an annoying bug where, after saving a policy with country restrictions, the selected countries wouldn't be displayed correctly when you went back to edit it. This has been fixed (addressing #275), so you should be able to see and modify your selections properly now.
  • Multi-hostname Access Policies fixed: I fixed an edge case where if you assigned the same access group to multiple hostnames on a single container (like www.domain.com and domain.com), only the first rule would be secured correctly. Subsequent hostnames would incorrectly bypass authentication. This is now resolved, and the policy will be applied to all hostnames as expected (addressing #276).
  • Better security validation: I've added some important checks to prevent accidentally creating an insecure Access Policy. The system will now make sure you specify required email addresses when using an Identity Provider and will warn you if you're only using geo-restrictions without any real authentication.
  • Prevents duplicate system policies: DockFlare is now smarter about checking if the default system policies already exist before trying to create them on startup. This should prevent duplicate policies from being created if you happen to run multiple instances.

UI Improvements

One thing that has bothered me for a while was the use of the default browser popups for alerts and confirmations. They were functional, but they didn't really fit DockFlare's style. I went through and replaced all 53 of them with custom modals that match the DaisyUI theme, which I think makes for a much cleaner and more consistent experience.

I also made a few other small improvements to the UI:

  • I added a new sort option to the Dashboard so you can group your ingress rules by their assigned Access Policy. This should make it a bit easier to audit which services are using which policies.
  • The Agents page got a small visual refresh to match the style of the Access Policies page.

A New Tool for Advanced Users

Finally, I've included a new command-line utility in this release. To be honest, I originally built this tool for myself. While testing and fixing the agent bugs, I had to run multiple DockFlare instances, which left my Cloudflare account with a lot of duplicate policies. This tool was my way of cleaning that up safely. It has a --dry-run mode to let you see what it will do before it makes any changes. I decided to leave it in the project in case it might be useful for anyone else who runs into a similar situation. You can find more details on how to use it in the CLI_USAGE.md file.

As always, thank you for using DockFlare and for all the valuable feedback. For a more detailed breakdown of all the changes, you can refer to the full changelog. Let me know if you run into any issues with this new version.

Cheers,
Chris

DockFlare v3.0.3: Building Access the Way It Should Be

06 Oct 19:03
9d565eb


Hey everyone,

I’m excited to share this update with you. This release has been a real labor of love, focused on solving the same pain points that led me to build DockFlare in the first place.

It’s a longer read, but worth it: not just what changed, but why it changed.


Identity Provider Management

This is the big one I’ve wanted for a long time: manage OAuth/OIDC Identity Providers (IdPs) directly inside DockFlare, no more jumping between dashboards.

What’s New

  • Full IdP management: Add, edit, test, and delete Identity Providers (Google, Azure AD, GitHub, Okta, or generic OIDC) directly from DockFlare.
  • Friendly names: Use human-readable labels like google-main or github-dev. DockFlare automatically maps them to Cloudflare UUIDs.
  • One-click Cloudflare sync: Import existing IdPs with auto-generated friendly names.
  • Built-in testing: Verify OAuth flows before production rollout.
  • Brand-accurate icons: Instantly recognize each provider.
  • System protection: Prevent accidental deletion of critical providers like one-time PIN.

Security by Design: Email Restrictions Required

By default, Cloudflare allows any Google account when using "Google" as an IdP, even personal ones.
DockFlare now enforces secure defaults: you must specify allowed emails or domains (admin@example.com, @company.com).

Both UI and API validations ensure you cannot create insecure configurations by accident.

“When using Identity Providers, you must specify allowed email addresses to prevent unauthorized access.”


Integration with Access Groups

Identity Providers now tie neatly into Access Groups:

  • Choose one or more IdPs
  • Specify allowed emails or domains
  • Users must authenticate via the IdP and match the allowlist
  • Both conditions must pass for access to be granted

Public vs Authenticated Access Modes

Previously, DockFlare mixed Cloudflare’s bypass and allow modes in confusing ways.
This release introduces a clean separation.

Public Access Mode (bypass)

  • No authentication required; ideal for public sites or marketing pages
  • Supports geo-blocking (for example, block high-risk countries)
  • Visitors from allowed countries access directly, no login

Authenticated Access Mode (allow)

  • Authentication required via email/domain or IdP
  • Perfect for internal dashboards or private apps
  • Geo restrictions stack on top of authentication

Why it matters: DockFlare now aligns perfectly with Cloudflare’s intended behavior: clean, predictable, and secure.
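As an added example (not DockFlare's own code), the email-restriction rule from v3.0.3 and v3.0.4, the public/authenticated split, and the legacy block-to-deny conversion can be modelled as a validator plus a reusable-policy builder. The dataclass fields, the friendly-name-to-UUID table and the warning texts are assumptions; the rule objects use Cloudflare's Access rule shapes (email, email_domain, login_method, geo, everyone).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^@[^@\s]+\.[^@\s]+$")

# Assumed friendly-name -> Cloudflare IdP UUID mapping (constructed sample values).
IDP_UUIDS = {
    "google-main": "11111111-1111-4111-8111-111111111111",
    "github-dev": "22222222-2222-4222-8222-222222222222",
}

REQUIRED_EMAILS_MSG = ("When using Identity Providers, you must specify allowed "
                       "email addresses to prevent unauthorized access.")


@dataclass
class AccessGroup:
    name: str
    public_mode: bool = False               # True -> Cloudflare "bypass", False -> "allow"
    legacy_decision: Optional[str] = None   # older groups may still carry "block"
    idps: List[str] = field(default_factory=list)     # IdP friendly names
    allowed: List[str] = field(default_factory=list)  # "user@example.com" or "@example.com"
    blocked_countries: List[str] = field(default_factory=list)  # ISO 3166-1 alpha-2 codes


def decision_for(group: AccessGroup) -> str:
    """Public mode maps to 'bypass', authenticated to 'allow', legacy 'block' to 'deny'."""
    if group.legacy_decision == "block":
        return "deny"
    return "bypass" if group.public_mode else "allow"


def validate(group: AccessGroup) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); errors block saving, warnings are advisory."""
    errors: List[str] = []
    warnings: List[str] = []
    for entry in group.allowed:
        if not (EMAIL_RE.match(entry) or DOMAIN_RE.match(entry)):
            errors.append(f"invalid allowlist entry: {entry!r}")
    for idp in group.idps:
        if idp not in IDP_UUIDS:
            errors.append(f"unknown Identity Provider: {idp!r}")
    if group.public_mode:
        # bypass means no login at all, so IdPs or allowlists would be silently ignored
        if group.idps or group.allowed:
            errors.append("public mode cannot combine with IdPs or an email allowlist")
        return errors, warnings
    if group.idps and not group.allowed:
        errors.append(REQUIRED_EMAILS_MSG)
    if not group.idps and not group.allowed:
        if group.blocked_countries:
            warnings.append("only geo restrictions configured: no real authentication is enforced")
        else:
            errors.append("authenticated mode needs at least one IdP or allowlist entry")
    return errors, warnings


def build_policy(group: AccessGroup) -> dict:
    """Build a reusable Access policy body; raises if validate() reports errors."""
    errors, _ = validate(group)
    if errors:
        raise ValueError("; ".join(errors))
    include, require, exclude = [], [], []
    for entry in group.allowed:
        if entry.startswith("@"):
            include.append({"email_domain": {"domain": entry[1:]}})
        else:
            include.append({"email": {"email": entry}})
    if not include:  # public mode, or geo-only authenticated mode: everyone is included
        include.append({"everyone": {}})
    # Both conditions must pass: the allowlist is the include, the IdP is a require.
    for idp in group.idps:
        require.append({"login_method": {"id": IDP_UUIDS[idp]}})
    for code in group.blocked_countries:
        exclude.append({"geo": {"country_code": code}})
    return {
        "name": group.name,
        "decision": decision_for(group),
        "include": include,
        "require": require,
        "exclude": exclude,
    }
```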


Zone Default Policies & Performance

Wildcard Zone Protection

A new section on the Access Policies page displays all DNS zones and their wildcard protection status. With one click, create a *.yourdomain.com policy to protect all subdomains, even future ones.

This serves as a safety net: every subdomain gets a default protection policy automatically.


Migration to Reusable Access Policies

Summary:
DockFlare now creates reusable Access Policies in Cloudflare, replacing older inline policies. This change dramatically improves maintainability, sync accuracy, and scalability.

The Old Way (Inline Policies)

Originally, DockFlare embedded policies directly in each Access Application. It worked, but:

  • Rules were duplicated everywhere.

  • Maintenance was painful (e.g., update an email in 10 places).

  • No centralized overview.

  • Policy drift between DockFlare and Cloudflare.

The New Way (Reusable Policies)

Reusable policies scale far better, especially with upcoming DockFlare Agent Swarm mode, where multiple agents report services to a master node. With reusable policies:

  • Create once, use everywhere – Apply one policy to many services.

  • Single source of truth – Edit once, update everywhere instantly.

  • Bi-directional sync – Cloudflare ↔ DockFlare stay aligned.

  • Cleaner dashboards – Cloudflare Access view makes sense again.

  • Swarm-ready – Centralized management for multi-agent deployments.

In short: reusable policies are how DockFlare should work at scale. Inline rules served early simplicity; reusable rules bring long-term reliability.


UI / UX Improvements
  • New Identity Providers section with table view and sync button
  • Two-tab Access Policy modal separating Public vs Authenticated modes
  • TomSelect dropdowns for multi-select IdPs
  • Better feedback and validation for security rules
  • Unified styling across Dashboard and Access Policies
  • Updated documentation links and OAuth setup guides

Backend Architecture

  • New idp_manager.py with full CRUD via Cloudflare API
  • Friendly-name to UUID mapping
  • Persistent IdP metadata storage
  • Access Groups now support a public_mode flag
  • Public mode uses bypass; Authenticated mode uses allow
  • Legacy block policies automatically converted to deny
  • Async zone policy loading

Bug Fixes

  • Fixed: public groups incorrectly using allow
  • Fixed: simplified country blocking logic
  • Fixed: reusable policies preserve all decisions (bypass, allow, deny)
  • Fixed: deprecated field JS errors and dropdown overflow
  • Fixed: IdP modal close behavior

API Token Update Required

Add one new permission to your Cloudflare API token for IdP management:

  • Account:Access: Organizations, Identity Providers, and Groups:Edit

Without it, IdP creation or sync will fail (existing features still work).
See: [Prerequisites]


Security Testing and Validation

A full audit of all 99 application endpoints was performed for authentication, CSRF, injection, and authorization.

✅ All routes secured (100%)
✅ Strong CSRF protection
✅ XSS, path traversal, and SQL injection mitigated
✅ Sessions managed safely with no leaks detected

Full reports:


Important: “Disable Password Login” Setting

This feature is intended to avoid double authentication when DockFlare is already behind an enforced SSO gateway.

Risks when enabled:

⚠️ All API endpoints become unauthenticated.

⚠️ Containers on the same Docker network can bypass Cloudflare Access entirely.

⚠️ The app assumes security is handled elsewhere — dangerous without proper isolation.

Example:

Internet → Cloudflare Access (Protected) → DockFlare ✅
         ↓
Docker Network → Other Container → DockFlare API (Unprotected) ❌

Recommended approach:

  1. Use local DockFlare credentials for simplicity, or
  2. Configure OAuth/OIDC providers (Google, GitHub, Azure AD, etc.) for secure SSO.

Both options maintain proper authentication while preserving convenience.

Bottom line: Unless your network isolation is airtight, keep password login enabled and use OAuth for SSO.


Breaking Changes?

None. Existing setups continue to work.
DockFlare automatically migrates your groups to reusable policies on next sync.
Manual Cloudflare edits will sync back correctly.


Why This Update Matters

As a daily DockFlare user, I wanted to fix the things that frustrated me most:

“I want to use my Google account for login, but setup in Cloudflare is tedious.”
“I want my portfolio site public, but still block some countries.”

Identity Provider management and access-mode separation directly solve these.
No more dashboard switching. No more unnecessary authentication prompts.
DockFlare now aligns perfectly with how Cloudflare designed these features: flexible, secure, and practical.


Shout-outs and Credits

A huge thank-you to the community for helping shape this release with testing, feedback, and sharp insights:

Your contributions directly improved DockFlare’s development. 🙌


Final Thoughts

DockFlare is still a solo-developer passion project, something I genuinely love building.
If you find bugs or have ideas, please open a GitHub issue. Your feedback drives DockFlare’s evolution.

The IdP feature alone took about 80% of this release’s development time, from OAuth flow debugging to security hardening, but it was worth it.

Thank you to everyone using DockFlare and supporting its growth.

Next up:

  • Migration assistant for legacy policies
  • Policy conflict detection
  • More granular access controls
  • DockFlare Agent Swarm Mode (in active development)

Stay tuned, and happy tunneling!
Chris


Documentation Updates

The in-app help system and Markdown docs are updated for v3.0.3:


Full Changelog

For a detailed list of all changes, see the full changelog on GitHub:
CHANGELOG.md

Note: The project site (dockflare.app/docs) will update soon. For now, use the in-app help or Markdown files.