# ----------------------------------------------------------------------------- # This file provides a template for your DockFlare configuration. # 1. Copy this file to '.env' in the project root: cp .env.example .env # 2. Edit '.env' with your actual values. # 3. DO NOT commit your actual .env file (with secrets) to version control! # # Lines starting with # are comments and will be ignored by DockFlare. # Default values are often shown after the '=', remove the value to use DockFlare's internal default if applicable. # ----------------------------------------------------------------------------- # === REQUIRED CLOUDFLARE CREDENTIALS === # These are essential for DockFlare to interact with the Cloudflare API. # Generate an API Token at: https://dash.cloudflare.com/profile/api-tokens # # RECOMMENDED Scoped API Token Permissions: # Account Level: # - Account Settings: Read # - Cloudflare Tunnel: Edit (Read & Write for tunnel operations) # - Access: Apps and Policies: Edit (Read & Write for Access Application management) # - Worker Routes: Read (Often needed by Tunnel functionality) # - Worker Scripts: Edit (Often needed by Tunnel functionality) # Zone Level (for EACH zone DockFlare will manage DNS for): # - DNS: Edit (Read & Write for CNAME record management) # - Zone Settings: Read (To get zone details) # CF_API_TOKEN=your_cloudflare_api_token_here CF_ACCOUNT_ID=your_cloudflare_account_id_here # Find in Cloudflare dashboard URL after /dash.cloudflare.com/ # Default Cloudflare Zone ID (Optional but Recommended) # The ID of your primary Cloudflare zone (e.g., example.com). # Find this on the Cloudflare dashboard "Overview" page for your domain. # - If set, DockFlare uses this zone for hostnames unless a 'cloudflare.tunnel.zonename' label specifies otherwise. # - If not set, you MUST use the 'cloudflare.tunnel.zonename' label on ALL Docker containers # and provide a Zone Name when adding Manual Rules via the UI. CF_ZONE_ID=your_default_cloudflare_zone_id_here # === TUNNEL CONFIGURATION === # Defines how DockFlare interacts with or manages the Cloudflare Tunnel. # Tunnel Name (Required if NOT using an external cloudflared instance) # DockFlare will create/use a tunnel with this name. # Example: dockflare-myhome TUNNEL_NAME=dockflared-tunnel # --- External Cloudflared Mode (Advanced) --- # Set USE_EXTERNAL_CLOUDFLARED to 'true' if you want DockFlare to manage DNS/Access # for an existing tunnel managed by a separate cloudflared agent, instead of running its own. # # WARNING: If USE_EXTERNAL_CLOUDFLARED is 'false' (default), DockFlare v1.7+ takes an # authoritative stance on its managed tunnel's ingress configuration. It will remove # non-wildcard, non-catch-all ingress rules found on Cloudflare for that tunnel if # they are not defined in DockFlare's state (from Docker labels or Manual UI entries). # This ensures consistency. True external wildcards and the catch-all are preserved. # # USE_EXTERNAL_CLOUDFLARED=false # External Tunnel ID (Required ONLY if USE_EXTERNAL_CLOUDFLARED=true) # Please note currently under review not recommended. # The ID of your existing, externally managed Cloudflare Tunnel. # Find in Cloudflare Dashboard: Zero Trust -> Access -> Tunnels -> (select your tunnel) # EXTERNAL_TUNNEL_ID=your_existing_external_tunnel_id # === DOCKFLARE BEHAVIOR & CUSTOMIZATION === # Docker Label Prefix # All Docker labels DockFlare looks for will start with this prefix. LABEL_PREFIX=cloudflare.tunnel # Grace Period for Rule Deletion (seconds) # How long DockFlare keeps ingress rules for a stopped Docker container before deletion. # Default: 28800 (8h) GRACE_PERIOD_SECONDS=600 # Cleanup Interval (seconds) # How often DockFlare checks for expired rules to delete. # Default: 300 (5 minutes) CLEANUP_INTERVAL_SECONDS=300 # Agent Status Update Interval (seconds) # How often DockFlare updates the status of its managed cloudflared agent (if not in external mode). # Default: 10 AGENT_STATUS_UPDATE_INTERVAL_SECONDS=10 # State File Path # Location within the container where DockFlare saves its state (managed_rules.json). # Should be mapped to a persistent volume. STATE_FILE_PATH=/app/data/state.json # Docker Network Scanning # Set to 'true' for DockFlare to discover labeled containers across ALL Docker networks. # If 'false' (default), DockFlare typically only sees containers on networks it shares # (like CLOUDFLARED_NETWORK_NAME) or if it's on the host network. SCAN_ALL_NETWORKS=false # Cloudflared Agent Network Name (Only used when DockFlare manages the cloudflared agent) # The name of the Docker network for the cloudflared agent container. # DockFlare will create this network if it doesn't exist. CLOUDFLARED_NETWORK_NAME=cloudflare-net # Additional Zones for UI DNS Scan (Optional) # Comma-separated list of additional Cloudflare Zone NAMES (e.g., another.com,mydomain.org) # that DockFlare should query when displaying DNS records for tunnels in the # "All Cloudflare Tunnels on Account" section of the UI. # This is useful if a tunnel has CNAMEs in multiple zones you own. # CF_ZONE_ID is automatically included if set. # Example: TUNNEL_DNS_SCAN_ZONE_NAMES=extradomain.com,another-zone.net TUNNEL_DNS_SCAN_ZONE_NAMES= # === PERFORMANCE & RESOURCE MANAGEMENT === # Maximum Concurrent DNS API Operations # Limits simultaneous DNS read/write calls to Cloudflare API during reconciliation. # Helps prevent API rate limiting. Default: 3 MAX_CONCURRENT_DNS_OPS=3 # Reconciliation DNS Batch Size (Not currently used, but placeholder for future) # How many DNS records to process in each batch during full reconciliation. # Lower this value on systems with limited resources if/when implemented. # RECONCILIATION_BATCH_SIZE=3 # === ADVANCED & DEPRECATED (Review if using) === # Trusted Proxies for X-Forwarded-* headers (Less relevant for direct Cloudflare Tunnel) # Comma-separated list of IPs or CIDR ranges. # If DockFlare itself is behind another reverse proxy that sets X-Forwarded-Proto. # TRUSTED_PROXIES=172.16.0.0/12,192.168.0.0/16 # Default TLS Verification Setting for Service Targets (DEPRECATED - Use per-rule labels/UI) # This global default is less flexible than per-rule settings. # It's recommended to manage 'noTLSVerify' via Docker labels # (cloudflare.tunnel.no_tls_verify=true) or the Manual Rule UI. # DEFAULT_NO_TLS_VERIFY=false