vrr/DockFlare
2
0
Fork 0
mirror of https://github.com/ChrispyBacon-dev/DockFlare.git synced 2026-04-28 03:39:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
DockFlare/CHANGELOG.md
ChrispyBacon-dev be72eb3922 v3.1.0 - Update - Cloudflare Email Support
2026-04-12 14:30:43 +02:00

781 lines
64 KiB
Markdown
Raw Blame History

# Changelog
All notable changes to this project will be documented in this file.
## [v3.1.0] - 2026-04-12
### Added
- **Sovereign Email Suite:** A fully self-hosted email system that uses Cloudflare as a stateless delivery layer while keeping all email data local.
- **Inbound Processing:** Automated setup of Cloudflare Email Routing, Workers, and R2 buckets for message ingestion.
- **Outbound Processing:** Authenticated outbound relay via Cloudflare Workers and the `send_email` binding.
- **Local Data Sovereignty:** All emails are stored in a local SQLite FTS5 database with attachments saved to a dedicated Docker volume.
- **Mail Manager Service:** A new backend service handling MIME parsing, R2 interaction, mailbox management, and a full REST API.
- **PWA-Ready Webmail:** A modern, installable Vue 3 + Vite + TypeScript webmail client.
- **Progressive Web App:** Supports browser installation on desktop and mobile with a standalone display mode.
- **Desktop/Mobile Notifications:** Background push notifications for new mail via Web Push (VAPID) and Service Workers.
- **Offline Support:** App shell caching and a graceful offline fallback page.
- **Modern UI:** 3-panel layout with folder navigation, message list, and rich message display using Shadcn/Vue and Tailwind CSS.
- **Multi-Domain Email Support:** Manage inbound and outbound email for an unlimited number of domains simultaneously.
- **Isolation:** Complete isolation of secrets, R2 buckets, and Cloudflare Worker endpoints per domain.
- **Domain Registry:** Dynamic synchronization of domain configurations from the Master to the Mail Manager.
- **Domain-Aware Webhooks:** Inbound webhook routing correctly identifies domains via custom headers and verifies signatures with domain-specific secrets.
- **Automated Infrastructure Provisioning:**
- **One-Click Setup:** Provision all required Cloudflare resources (Email Routing, Workers, R2, DNS) directly from the DockFlare UI.
- **DNS Repair Tool:** A new "Repair DNS" feature to re-apply or fix missing MX, SPF, DMARC, and DKIM records.
- **Worker Redeployment:** Easily push updates or configuration changes to Cloudflare Workers from the UI.
- **Advanced DNS & DKIM:**
- **Authoritative DKIM Handling:** Automatically fetches and applies DKIM TXT records generated by Cloudflare.
- **Zone-Aware Placement:** Smart placement of email-related DNS records across multiple Cloudflare zones.
- **Security & Performance:**
- **EdDSA JWT Authentication:** Secure communication between Webmail, Mail Manager, and Master using Ed25519 key pairs.
- **Outbound Rate Limiting:** Built-in per-sender rate limiting (50/hour, 200/day) to prevent accidental spamming.
- **FTS5 Search:** Full-text search capabilities for lightning-fast email discovery.
### Changed
- **Navigation:** Added "Email" as a primary navigation item in the Master UI.
- **Login Flow:** Added a "Login to Email" shortcut on the main login page when email services are configured.
- **Docker Compose:** Updated to include `dockflare-mail-manager` and `dockflare-webmail` services with a shared `email` profile.
## [v3.0.9] - 2026-03-21
### Added
- **Cloudflare Zero Trust — Secure Agent Communication:** DockFlare Master can now automatically provision a Cloudflare Service Token and a scoped Access Application for the agent API (`/api/v2/agents/`). Once configured, all agent traffic is authenticated at the Cloudflare edge before reaching the server, eliminating the need for a separate private network (Tailscale, VPN, etc.).
- One-click setup and removal from the Agents page — no Cloudflare dashboard visit required.
- Service token credentials are stored encrypted; the client ID is displayed in the UI for reference.
- A bypass policy is automatically created alongside the service token policy so that admin browser sessions are never blocked.
- Existing agents without service token credentials continue to work without any changes required (backward compatible).
- **One-Liner Agent Deployment:** Each agent API key now has a **Deploy** button on the Agents page that generates a fully pre-filled deploy command. A tabbed modal offers a *Quick Deploy* one-liner (`curl | bash`) and a *Compose Snippet* for transparent review — all credentials (Master URL, API key, CF Access client ID/secret) are embedded automatically.
- **Live Cloudflared Version & Origin IP:** The Agents table now displays the live cloudflared connector version and origin IP, fetched directly from the Cloudflare API and cached for 60 seconds. No changes to the DockFlare Agent are required.
- **DockFlare Public URL Setting:** Added a *DockFlare Public URL* field to General Settings. The value is stored in the encrypted config store and used when constructing the Cloudflare Access Application scope and deploy commands.
- **Origin IP Column:** Added an *Origin IP* column to the Agents management table showing the public IP of the cloudflared connector for each enrolled agent.
- **i18n — 23 New Translation Keys:** All new Cloudflare Zero Trust panel strings, deploy modal strings, and the DockFlare Public URL setting label are fully translated across all 10 supported languages (EN, DE, FR, ES, IT, PL, ID, ZH, JA, CH-Bärndütsch).
- **API Token Permission:** Added `Account: Access: Service Tokens: Edit` to the required Cloudflare API token permissions (documented in Prerequisites and README).
### Changed
- **Agents Table — Responsive Layout:** The agents table now scrolls horizontally on narrow viewports, consistent with the Active API Keys table. The actions menu has been rebuilt as a floating overlay to avoid overflow clipping at narrow widths.
- **Agents Table — Visual Polish:** Refreshed header style (uppercase, muted, semibold), consistent cell padding, and a muted `—` dash for missing values.
- **Cloudflared Version Display:** The Cloudflared Version column now shows live data (version + platform sub-line) instead of a hardcoded fallback value.
- **Multi-Server-Agent.md:** Updated the agent deployment guide — `cloudflared` image tag changed from pinned `2025.9.0` to `latest`; one-liner deploy is clearly marked as opt-in; Option A (one-liner) and Option B (manual compose) are presented as distinct paths; removed stale pre-publication note.
- **Mobile UI Optimization:** Converted fixed-width tables across the web UI to responsive card-style layouts on small screens using a CSS `data-label` pattern. Affected pages include the dashboard, settings, access policies, identity providers, and zone policies. Thanks to [@nguyenhuy158](https://github.com/nguyenhuy158) ([#337](https://github.com/ChrispyBacon-dev/DockFlare/pull/337)) — *2026-03-28*
### Fixed
- **Agent `thread_health_status` NameError:** Fixed a crash in the DockFlare Agent where `thread_health_status` and `last_successful_master_contact` were referenced before being declared at module level.
### Hotfix
- **Cloudflare Dashboard Deep Links:** Updated all Cloudflare dashboard links to reflect Cloudflare's new URL structure. The domain `one.dash.cloudflare.com` has been replaced with `dash.cloudflare.com` and paths now include the `/one/` prefix. Affected areas: Access Policies page (apps list, policy edit, IdP settings), Status Page (tunnel route and access app links), and all 10 language versions of the Identity Providers help guide.
---
## [v3.0.8] - 2026-03-15
### Added
- **Multi-Language Support (UI & Docs):** The entire DockFlare web UI and Help Center documentation are now fully localized into 9 languages (EN, DE, FR, ES, PL, ZH, IT, JA, ID, CH-Bärndütsch).
- All UI elements, including the dashboard, settings, and modals, are now translated for a complete native experience.
- All 33 Markdown help guides have been systematically translated and segregated into language-specific repositories.
- Implemented an intelligent fallback mechanism: if a localized string or page is unavailable, the system safely falls back to English to prevent 404 errors or missing text.
- **Language Selector UI:** Added a new global language selector (globe icon) to the top navigation bar, allowing users to seamlessly transition between languages on the fly, storing preferences via session states.
### Fixed
- **Performance / Waitress Connection Exhaustion:** Resolved a critical bug resulting in UI 30-second delays or stalling connections after clicking through ~5 pages.
### Hotfix
- **Settings Form Submit Regression:** Restored WTForms-backed submit buttons for the translated **General Settings**, **Cloudflare Credentials**, and **Security Settings** actions so the backend reliably detects which Settings form was submitted. Fixes the `Disable Password Login` toggle not persisting after the multi-language UI update.
### Security
- **Dependency Security Refresh:** Updated frontend and Python dependencies to address known vulnerabilities identified by `npm audit` and `pip-audit`.
- **Frontend lockfile updates:** Refreshed transitive npm dependencies to patched versions, including `glob` `10.5.0` and `minimatch` `9.0.9`, resulting in a clean `npm audit`.
- **Python dependency updates:** Rebuilt `requirements.txt` from a new `requirements.in` source file and upgraded key packages to patched releases, including `Authlib` `1.6.9`, `cryptography` `46.0.5`, `Flask` `3.1.3`, `Markdown` `3.8.1`, `urllib3` `2.6.3`, and `Werkzeug` `3.1.6`.
- **Audit result:** Verified both dependency sets after the update with no known vulnerabilities remaining in the current lockfiles.
---
## [v3.0.7] - 2026-03-01
### Added
- **Manual Rule SNI Control:** Added a dedicated **Match SNI to Host** toggle for manual ingress rules (create/edit), persisted in DockFlare state and synchronized to Cloudflare tunnel `originRequest.matchSNIToHost`.
- **UI-Managed Ingress Field Preservation:** Added a new **General Settings** option, **Preserve Unmanaged Cloudflare Ingress Fields**, allowing DockFlare to retain Cloudflare-side route fields it does not explicitly manage during tunnel sync.
- **Tunnel Name Helper Text:** Added inline helper text on Setup and Settings pages clarifying that DockFlare automatically normalizes the entered tunnel name when deriving the local cloudflared container name.
- **Ingress Rule Grouping in Dashboard:** Added a new **Group by** control in `Managed Ingress Rules` with grouping by **Status**, **Tunnel**, or **Access Policy**, including per-group row counts for easier navigation on large rule sets.
### Fixed
- **Cloudflare Dashboard Deep Links:** Updated Zero Trust links to match Cloudflare's latest navigation paths:
- Tunnel route links now use `.../networks/connectors/cloudflare-tunnels/.../public-hostname/.../{index}`
- Access application links now use `.../access-controls/apps/self-hosted/.../edit?tab=basic-info`
- Access policy links now use `.../access-controls/policies/.../edit`
- **Tunnel Name Character Handling:** Fixed cloudflared agent startup failures caused by tunnel names containing Docker-invalid characters (for example spaces or parentheses) by sanitizing generated container names across setup, config load, and settings updates.
---
## [v3.0.6] - 2026-02-15
### Fixed
- **Docker Event Listener Efficiency:** Significantly reduced log spam and improved resource utilization by implementing filtered Docker event listeners. DockFlare now only processes container events (start/stop) for containers explicitly opted-in via `dockflare.enable` or the legacy `cloudflare.tunnel.enable` labels, preventing unnecessary inspection of unmanaged containers. Raised by issue #296
### Changed
- **Access Policy Label Rename:** Renamed the Access Policy label "None (Public - No App)" to "No Policy Assigned" in the Dashboard. This change accurately reflects that while no specific policy is assigned to the rule, the service might still be protected by a broader Zone Policy, removing the misleading "Public" designation.
---
## [v3.0.5] - 2025-10-14
### Added
- **HTTP/2 Origin Support:** Added support for enabling HTTP/2 protocol between `cloudflared` and origin services via the new `dockflare.http2_origin` label and UI controls. Required for gRPC services. Only applies to HTTP/HTTPS services.
- **Disable Chunked Encoding Support:** Added support for disabling chunked transfer encoding over HTTP/1.1 via the new `dockflare.disable_chunked_encoding` label and UI controls. Useful for WSGI servers (Flask, Django, FastAPI) and other origins that don't properly support chunked requests. Only applies to HTTP/HTTPS services.
---
## [v3.0.4] - 2025-10-11
### Added
- **CLI Duplicate Policy Cleanup Tool:** Introduced advanced CLI utility for detecting and removing duplicate reusable policies in Cloudflare accounts (see [CLI_USAGE.md](CLI_USAGE.md)).
- **Dry-run mode:** Preview changes before applying with `--dry-run` flag for safe operation
- **Smart consolidation:** Automatically keeps oldest policy and deletes newer duplicates
- **Application protection:** Updates Access Applications to reference kept policy before deletion to prevent downtime
- **State synchronization:** Automatically updates `state.json` with correct policy IDs after cleanup
- **Comprehensive reporting:** Detailed output showing policies scanned, duplicates found, and actions taken
- **Use case:** Resolves duplicate policies created during multi-instance development or state drift scenarios
- **Styled Web UI Modals:** Replaced all 53 native browser popup dialogs with custom DaisyUI-themed modals for a consistent user experience.
- **26 alert modals (dfAlert):** Success confirmations, error messages, and informational notifications
- **27 confirm modals (dfConfirm):** Destructive action confirmations (delete, revoke, revert operations)
- **Pages updated:** Agents (32 modals), Dashboard (3 modals), Access Policies (4 modals), Settings (6 modals), Identity Providers (10 modals)
- **Consistent styling:** All modals match application theme with smooth transitions, backdrop blur, and proper button styling
- **Access Policy Sort Option:** Added "Access Policy" sort option to Dashboard Filter & Sort controls, allowing users to group and view ingress rules by their assigned access policies for easier policy auditing and management.
- **Agents Page UI Enhancements:** Modernized API Keys management interface to match Access Policies page styling.
- **Column alignment:** Implemented fixed-width column layout with CSS custom properties for consistent vertical alignment across Active and Revoked API Keys tables
- **Dropdown action menus:** Replaced plain action buttons with 3-dot dropdown menus featuring contextual icons
- **Overflow protection:** Added overflow visibility CSS to prevent dropdown menus from being cut off by section boundaries
- **Consistent padding:** Applied uniform `px-4 py-3` padding throughout tables for visual consistency
### Changed
- **Default Policy Creation Logic:** Enhanced system policy initialization to prevent duplicate creation during multi-instance deployments.
- **Pre-creation checks:** DockFlare now verifies existence of `public-default-bypass` and `authenticated-default` policies before attempting creation
- **Prevents duplication:** Eliminates creation of multiple identical DockFlare default system policies when restarting or running multiple DockFlare instances
- **Improved reliability:** Reduces Cloudflare API calls and prevents policy sprawl during development and testing cycles
### Fixed
- **Agent Roll API Key Bug:** Resolved network/parsing error when rolling agent API keys from the Agents page.
- **Root cause:** Frontend called non-existent `/api/v2/agents/<id>/roll-key` endpoint (API v2 endpoint was missing)
- **Solution:** Created new API v2 endpoint matching frontend expectations with proper JSON response format
- **Enhanced UX:** Added custom modal with copy button for new API key (similar to generate key modal) instead of generic alert
- **Result:** Users can now securely roll agent keys and copy them directly for immediate use
- **Agent Redeploy Tunnel Bug:** Fixed critical bug preventing tunnel container redeployment from Agents page.
- **Root cause:** Missing `queue_agent_command` function in `state_manager.py` causing immediate 500 error
- **Solution:** Implemented complete `queue_agent_command` function with thread-safe state locking and command queuing
- **Field name fix:** Corrected `assigned_tunnel_token` field reference (was incorrectly using `tunnel_token`) preventing tunnel configuration retrieval
- **User feedback:** Added informative success message explaining 30-second agent polling delay for command execution
- **Result:** Agents now successfully receive and execute tunnel restart commands via command queue
- **Agent Trigger Migration Error:** Improved error messaging when triggering migration fails due to missing container data.
- **Root cause:** Generic error message didn't explain why migration failed or how to resolve it
- **Solution:** Enhanced error response with actionable guidance directing users to ensure agent is running and wait for next heartbeat
- **Typical scenario:** Occurs when agent hasn't reported container data yet (30-second heartbeat interval)
- **Result:** Users now understand the issue and know to wait for agent heartbeat before retrying
- **Access Policy Edit Modal Country Display:** Fixed issue where selected countries were not displayed in the edit modal after creating or editing an access policy.
- **Root cause:** Country selections not properly restored when reopening the edit modal for existing policies
- **Solution:** Enhanced modal initialization to correctly populate and display previously selected countries
- **Result:** Users can now view and modify country restrictions without having to re-select all countries
- **Access Policy Validation:** Implemented comprehensive validation to prevent creating insecure authenticated access policies.
- **Identity Provider without Email Requirement:** Added frontend and backend validation requiring email addresses when Identity Providers are selected
- **Security modal prompt:** When geo-restrictions are configured without authentication (no email/IdP), system prompts user to switch to Public Access mode instead
- **Prevention of unsafe configurations:** System now prevents creation of policies where "any user with selected IdP" (e.g., any Google account) could access protected services
- **Clear error messaging:** Users receive actionable security warnings explaining why email addresses are required with IdP authentication
- **Result:** Eliminates accidental creation of overly permissive access policies that could expose services to unauthorized users
- **Agent No TLS Verify Bug:** Fixed bug where `dockflare.no_tls_verify=true` label was ignored when Agent containers started.
### Documentation
- **CLI Usage Guide:** Created comprehensive [CLI_USAGE.md](CLI_USAGE.md) documenting the duplicate policy cleanup utility with examples, safety features, and best practices for advanced users.
---
## [v3.0.3] - 2025-10-07
### Hotfix
- **Access Policy Path Regression:** Restored indexed label support for Cloudflare Access applications so path-specific rules (e.g., `dockflare.0.path=/auth/google/callback`) once again create distinct Access Apps linked to their reusable policies. Fixes broken policy sync introduced with the reusable policy migration in v3.0.3.
- **Access Policy Usage Display:** Corrected the “Used by these services” list so manual rules assigned to an Access Group appear alongside Docker/Agent-managed services, with paths shown when applicable.
- **Manual Policy Editing:** Fixed UI edits so manual rules (and Docker overrides) recreate missing Access Apps on Cloudflare, and allow switching back to “None” by deleting the app cleanly.
### Added
- **Identity Provider (IdP) Management:** Complete OAuth/OIDC identity provider management system with support for Google, Google Workspace, Azure AD, Okta, GitHub, and generic OpenID Connect providers.
- **IdP Configuration UI:** New dedicated section on Access Policies page for managing identity providers with sync, create, edit, test, and delete operations.
- **Friendly Name System:** User-defined friendly names (e.g., `google-main`, `github-dev`) that automatically resolve to Cloudflare UUIDs in labels and policies.
- **Cloudflare Sync:** One-click sync from Cloudflare Zero Trust to import existing IdPs with auto-generated friendly names.
- **Provider Testing:** Built-in test functionality to verify OAuth configuration before applying to production services.
- **System Protection:** System-managed IdPs (like `onetimepin`) are protected from accidental deletion.
- **Visual Icons:** Brand-accurate SVG logos for each provider type (Google, Azure, GitHub, Okta, Cloudflare, etc.).
- **Enhanced Access Group Integration:** Access Groups now support Identity Provider authentication alongside email-based auth.
- **Flexible Authentication:** Choose IdP-only, email-only, or combined (IdP + email) authentication modes.
- **TomSelect IdP Picker:** Multi-select dropdown with live loading of available identity providers.
- **Policy Builder Integration:** IdPs automatically converted to `login_method` rules in Cloudflare Access policies.
- **Comprehensive Documentation:** New [Identity Providers](Identity-Providers.md) help documentation with step-by-step setup guides for each provider type.
- **Dual-Mode Access Group Builder:** Introduced dedicated Public (`bypass`) and Authenticated (`allow`) tabs with tailored helper text and mode-specific validation.
- **System-Managed Default Bypass Policy:** Automatic creation of non-deletable `public-default-bypass` reusable policy used across all public/bypass access rules, eliminating duplicate bypass policies in Cloudflare.
- **Zone Default Policies Section:** New UI section on Access Policies page displaying all DNS zones with their wildcard protection status (`*.domain.com` policies).
- **Zone Policy Creation Modal:** One-click creation of zone-level wildcard policies with access group selection, providing security safety net for all subdomains.
- **Visual Protection Indicators:** Green "Protected" and yellow "Not Protected" badges show zone security status at a glance.
- **Contextual UI Elements:** Colour-coded alerts and consistent dropdown menus across Access Policies and dashboard for quicker policy reviews.
### Changed
- **Reusable Policy Architecture:** Each Access Group now syncs to a reusable Cloudflare Access Policy, enabling one-to-many reuse, bi-directional edits, and automatic migration of legacy inline policies (including `block``deny` conversion).
- **Simplified Manual Rule Creation:** Removed "Authenticate by Email" and "Default *.tld" quick-create options from manual rule modals to enforce proper access policy design workflow.
- **Bypass Rule Implementation:** All rules using "Bypass" option now reference the centralized `public-default-bypass` system policy instead of creating inline policies.
- **Policy Creation Workflow:** Complex authentication scenarios now require creating an Access Policy first, then applying it to services—enforcing "single source of truth" principle.
- **Unified UI Style:** Access Policies UI and dashboard now share the same three-dot action menus and Cloudflare dashboard shortcuts for uniform workflow.
- **Performance Optimization:** Zone Default Policies section now uses lazy-loading via AJAX endpoint (`/api/v2/zone-policies`), reducing Access Policies page load time from 8+ seconds to instant rendering.
### Security
- **Comprehensive Security Testing:** Conducted white-box penetration testing of all 99 application endpoints before v3.0.3 release.
- **100% Pass Rate:** All routes tested for authentication bypass, CSRF protection, injection attacks, and proper authorization
- **Authentication Bypass Fix:** Discovered and patched critical vulnerabilities on 8 IdP management endpoints
- **Request Loader Hardening:** Modified `request_loader` in `app/__init__.py` to exclude UI endpoints from auto-authentication
- **Endpoint Protection:** Added `@login_required` decorators to all IdP and zone policy endpoints
- **Security Documentation:** Created comprehensive security audit documentation (see `SECURITY AUDIT/` folder)
- **Zone-Level Protection:** Zone Default Policies feature enables protection of all subdomains (including undocumented ones) through `*.domain.com` wildcard policies, preventing accidental exposure.
- **Default Policy Protection:** System-managed `public-default-bypass` policy cannot be deleted through UI or backend, ensuring critical infrastructure remains intact.
- **IdP Email Requirement:** Identity Provider authentication now requires allowed email addresses to be specified, preventing unauthorized access. Without email restrictions, any user with the selected provider (e.g., any Google account) could access protected services.
- **Frontend Validation:** JavaScript validation prevents form submission when IdPs are selected without emails
- **Backend Validation:** Server-side validation enforces email requirement and returns clear error messages
- **UI Warnings:** Updated help text and labels to clarify security requirements
- **DISABLE_PASSWORD_LOGIN Warning:** Added comprehensive documentation about Docker network attack vector when password authentication is disabled, strongly recommending local credentials or OAuth instead
### Fixed
- **Edit Modal JavaScript Error:** Fixed "Cannot set properties of null" error when editing dashboard rules by adding null checks for deprecated form fields.
- **IdP Modal Close Bug:** Replaced non-existent `showToast()` function calls with standard `alert()` to properly close modals and refresh lists after IdP operations.
- **Public Access Groups:** Now correctly issue Cloudflare `bypass` decisions as intended instead of incorrectly falling back to `allow`.
- **Country Filtering:** Simplified country filtering to remove redundant double-blocking logic when combining geo rules with public mode.
- **Policy Synchronization:** Reusable policy synchronisation now preserves all decision types (`bypass`, `allow`, `deny`) when pushing or importing definitions.
- **Duplicate Policy Reduction:** Eliminates creation of multiple identical bypass policies—all public services now share one canonical policy.
- **Policy Consistency:** Ensures consistent public access behavior across all services using the centralized system policy.
- **Zone Policies Page Load:** Fixed 8+ second page load time by implementing asynchronous zone policy loading via AJAX.
- **Legacy Access Label Migration:** Implemented automatic migration system for legacy `dockflare.access.policy=bypass` and `dockflare.access.group=bypass` labels to use the centralized `public-default-bypass` system policy.
- **Docker Handler Migration:** Converts legacy bypass labels to `public-default-bypass` during container processing with proper string/list handling
- **Reconciler Migration:** Ensures consistency during reconciliation by applying same migration logic when re-reading container labels
- **Agent Migration:** DockFlare Agent-reported containers also receive migration for consistent behavior across deployment modes
- **Access Application Creation:** Containers with bypass labels now correctly create Access Applications with the system bypass reusable policy attached, enabling proper `*.tld` zone protection bypass
- **State Persistence:** Migrated values are correctly persisted to state, preventing reconciler from reverting to old label values
- **Real-Time Dashboard Updates:** Implemented Redis pub/sub broadcasting for instant dashboard updates when containers start or stop, eliminating the need for manual browser refresh.
- **Event Broadcasting:** Switched from queue-based (single consumer) to Redis pub/sub (broadcast to all clients) for state change notifications
- **Non-Blocking SSE:** SSE endpoint now uses `pubsub.get_message(timeout=30)` instead of blocking `pubsub.listen()` to prevent worker thread exhaustion
- **Automatic Refresh:** Dashboard automatically reloads when containers are created, started, or stopped without user interaction
- **Multi-Client Support:** All connected browser clients receive real-time updates simultaneously
- **System Policy Management:** Fixed critical bugs preventing system policies from being created and displayed correctly.
- **Identity Provider Key Mismatch:** Fixed IdP storage to use friendly names (e.g., `onetimepin`) instead of Cloudflare UUIDs, enabling proper lookup during policy creation
- **Authenticated-Default Policy Creation:** Resolved race condition where IdP lookup occurred outside state lock, causing policy creation to fail on fresh installations
- **Missing Policies Array:** Added migration to recreate empty or missing policies arrays in existing access groups
- **System Policy Visibility:** Removed `hide_from_ui` flag from system policies (`public-default-bypass`, `authenticated-default`) - now visible with orange "System" badge
- **System Policy Detection:** Import/sync correctly identifies system policies and marks them as non-deletable with proper display names instead of UUIDs
- **External Policy Management:** Implemented comprehensive system for managing Cloudflare Access Policies created outside DockFlare.
- **Sync Modal UI:** Replaced environment variable with user-friendly modal offering "DockFlare- prefix only" (default) or "Sync all policies" options
- **Visual Organization:** Policies now display color-coded badges: Blue (DockFlare-managed), Purple (External), Orange (System)
- **Policy Filtering:** Added dropdown filter to view specific policy types (All, DockFlare-Managed, External, System)
- **Protection Dialogs:** Warning confirmations when deleting/editing external policies to prevent unintended changes to non-DockFlare services
- **Policy Renaming Tip:** Documentation shows users how to rename external policies to `DockFlare-` prefix for better organization
- **Performance Optimization:** Implemented Redis caching to eliminate slow Cloudflare API calls causing 5-15 second page load delays.
- **Zone Policies Cache:** 5-minute TTL cache for `/api/v2/zone-policies` endpoint (used by Access Policies page)
- **TLD Policy Check Cache:** 5-minute TTL cache for `check_for_tld_access_policy()` (used by Dashboard)
- **Cache Invalidation:** Both caches automatically cleared when zone policies are created/modified
- **Worker Queue Fix:** Eliminated waitress "Task queue depth" warnings by preventing API call pileup
- **Sub-Second Load Times:** First load builds cache (~5s), subsequent loads <1 second from Redis
---
## [v3.0.2] - 2025-09-30
### Added
- **Enhanced API Key Management**
- **Revoked Key Visibility:** Revoked API keys are now displayed in a separate "Revoked Keys" section with full key visibility for verification and audit purposes.
- **Permanent Deletion:** Added "Delete Permanently" functionality for individual revoked keys and "Clear All" for bulk removal.
- **Auto-Cleanup System:** Implemented automatic cleanup of revoked keys after 30 days with manual trigger option.
- **Improved UX:** Revoked keys are visually distinguished (grayed out, full key shown) with countdown to auto-deletion.
- **Copy Functionality:** Users can copy full revoked API keys for record-keeping before permanent deletion.
### Fixed
- **API Key Revocation Display Bug:** Fixed issue where revoked API keys remained visible in the frontend as if they were active, even though backend authentication correctly rejected them.
---
## [v3.0.1] (Hotfixes) - 2025-09-27
### Added
- **Enhanced Country Selection UX**
- **Bulk Selection Controls:** Added "Select All," "Select None," and "Invert Selection" buttons for more efficient country management.
- **Quick Templates:** Implemented one-click presets such as "Block All Except US," "Block All Except EU," and "Block High Risk Countries."
- **Regional Selection:** Users can now select entire continents (e.g., Africa, Asia, Europe) with a single click.
- **Visual Feedback:** A dynamic counter now shows "X of 245 countries selected" to provide immediate feedback.
### Fixed
- **Tedious Manual Selection:** Resolved an issue where "Allow US Only" required manually selecting over 194 countries; it now requires only one click (resolves #240).
- **IP Whitelist Access Policies:** Corrected a bug where IP-based access policies were not functioning as intended. DockFlare now properly creates a `bypass` rule for whitelisted IPs.
- **Access Policy Updates:** Addressed a failure where updating an Access Policy on an existing ingress rule would result in an "application already exists" error.
- **API Error Logging:** The severity of the log message for a `403 Forbidden` error during user email fetches has been reduced, as this is expected behavior with a scoped API token (related to issues #216, #217 raised by @durzo).
- **OAuth Provider Visibility:** Fixed the login screen to respect disabled providers immediately after changes through the API or UI, keeping password-disable overrides intact.
---
## [v3.0.1] - 2025-09-26
### Added
- **OAuth/OIDC Login Support:** Added support for external authentication providers like Google and Authentik via a new, generic OpenID Connect system.
- **OAuth Documentation:** Created a new help document for setting up OAuth providers.
### Changed
- **Redesigned Login Page:** The login page has been updated with a modern design, provider logos, and a unified flow for both password and OAuth logins.
- **Improved Usability:** The settings page now displays the required Callback URL for OAuth providers, and DockFlare can discover its public hostname from Docker labels.
-
### Security
- **Login Rate Limiting:** Implemented rate limiting on the password login form (6 attempts per minute) to protect against brute-force attacks.
---
## [v3.0.0] - 2025-09-25
### Fixed (Hotfixes)
#### **Agent Container Label Processing**
- **Fixed access policy parsing** for Agent containers - containers with `dockflare.access.policy=authenticate` now display correct policy instead of "None (Public)"
- **Added support for all documented labels** in Agent processing including `dockflare.no_tls_verify`, `dockflare.originsrvname`, `dockflare.httpHostHeader`
- **Implemented indexed labels support** for Agent containers (e.g., `dockflare.0.hostname`, `dockflare.1.service`) for multiple domain configurations
- **Enhanced backwards compatibility** - Agent containers now fully support legacy `cloudflare.tunnel.*` label formats
#### **Migration Logic Improvements**
- **Fixed tunnel migration analysis** - containers with legacy `cloudflare.tunnel.*` labels are now properly recognized during migration instead of showing as "orphaned"
- **Enhanced migration service compatibility** with backwards compatible label checking across all migration functions
- **Improved container matching logic** for more accurate auto-import and conflict detection
#### **Redis Database Configuration Enhancement**
- **Added `REDIS_DB_INDEX` environment variable** - allows specifying Redis database index (0-15) for better isolation when sharing Redis across multiple Docker containers
- **Enhanced Redis URL parsing** - dynamically constructs Redis connection URL with specified database index
- **Maintains full backward compatibility** - existing docker-compose files continue to work without changes, defaults to database 0
#### **Dependencies Security Update**
- **Updated Redis client** from 4.5.1 to 4.5.5 to address security vulnerabilities (CVE-2023-28859, CVE-2023-28858)
---
## [v3.0.0] - 2025-09-23
### Added
#### **Multi-Host Management with DockFlare Agent (Beta)**
- **Lightweight agent deployment** on remote Docker hosts with secure API key authentication
- **Secure registration and enrollment** process via master UI with encrypted agent key store
- **Command polling architecture** with configurable intervals and Redis-backed queues
- **Real-time heartbeat monitoring** with 30-second intervals and automatic timeout detection
- **Automatic tunnel configuration** and container discovery on remote hosts
- **Migration assistant** for importing existing tunnel rules and resolving conflicts
- **Agent repository**: [DockFlare-Agent-prd](https://github.com/ChrispyBacon-dev/DockFlare-Agent-prd)
#### **Centralized Agents Management UI**
- **Professional agent dashboard** with API key generation and management
- **Real-time LED status strips** for visual heartbeat monitoring (replaces text-based timestamps)
- 15-dot LED strips with 2-second resolution showing 30-second heartbeat window
- Color-coded states: Green (healthy), Yellow (warning), Red (critical), Grey (offline)
- Animated LED extinguishing as heartbeat window expires
- **Shortened Agent IDs** (8 characters + hover tooltip) for better readability
- **Dropdown action menus** for cleaner interface (enroll, rename, migrate, redeploy, remove)
- **Agent enrollment** with existing or new tunnel assignment
- **Bulk agent operations** and tunnel reassignment capabilities
- **Migration conflict resolution** interface for handling rule conflicts
#### **Redis-Powered Architecture**
- **Redis requirement** for caching, command queues, and event bus
- **Agent heartbeat storage** and real-time monitoring
- **Command/event distribution** system for multi-host coordination
- **Foundation for future horizontal scaling** and performance improvements
#### **Enhanced Security Framework**
- **Non-root container execution** (runs as user 65532:65532) with init container for permissions
- **Master API key reveal-on-demand** with CSRF protection and secure token handling
- **Encrypted agent key store** with secure credential management and rotation
- **Locked-down setup wizard** with restore-from-backup option
- **Docker socket proxy integration** (tecnativa/docker-socket-proxy) for reduced attack surface
#### **Comprehensive Backup & Restore System**
- **Complete instance backup** including encrypted credentials and agent keys
- **Timestamped backup archives** with full configuration preservation (.zip format)
- **UI-based restore functionality** for disaster recovery scenarios
- **Setup wizard integration** for fresh installations with backup import
#### **Remote Manual Rules Management**
- **Create manual ingress rules** from master UI for any enrolled agent
- **Apply rules to any enrolled tunnel** regardless of host location
- **Cross-host tunnel management** capabilities with centralized control
#### **Improved Tunnel Management**
- **"All Cloudflare Tunnels on Account" panel** with one-click delete functionality
- **Simplified stale tunnel cleanup** process across multiple hosts
- **Enhanced tunnel status monitoring** with real-time updates
#### **Automatic Zone Detection**
- **Intelligent Cloudflare zone detection** from hostname labels
- **Fallback to default zone** when detection fails
- **Improved service discovery** for label-driven configurations
#### **Documentation Overhaul**
- **New Quick Start Guide** for Docker Compose v3 setup with Redis
- **Comprehensive Multi-Server & Agent** deployment guide
- **Security Architecture** documentation with threat model
- **Backup & Restore** operational guide with best practices
- **Updated API documentation** for agent integration
### Changed
#### **Breaking Changes**
- **Redis is now required** - DockFlare will not start without `REDIS_URL` environment variable
- **New `docker-compose.yml` structure** with Redis, socket proxy, init container, and volume changes
- **Embedded cloudflared limited** to master host only (remote hosts use DockFlare Agent)
#### **UI/UX Improvements**
- **Professional LED heartbeat indicators** replacing static text timestamps
- **Enhanced agent table layout** with improved usability and responsive design
- **Modernized dropdown interfaces** throughout the application
- **Streamlined action menus** with icon-based navigation
#### **Architecture Changes**
- **Master API key security** with reveal-on-demand modal instead of embedded display
- **Setup wizard hardening** with route locking after initial configuration
- **Docker socket proxy** integration for enhanced security posture
### Security
- **Hardened API endpoints** requiring master key for admin routes and agent API keys for polling
- **CSRF-protected key reveal** so master key is not embedded in UI source code
- **Encrypted agent credentials** with secure key rotation capabilities
- **Non-root container execution** significantly reducing attack surface
- **Socket proxy isolation** preventing direct Docker socket access
### Fixed
- **Improved error handling** for agent communication failures and network issues
- **Enhanced tunnel status detection** and reporting across multiple hosts
- **Better handling of disconnected agents** with automatic cleanup procedures
- **Cloudflare API reliability** improvements for multi-host scenarios
### Known Issues
- **Cloudflared version detection** currently shows hardcoded version (2025.9.0) while automatic detection is being fixed
- **DockFlare Agent is in beta** - performance with high-volume event streams may require tuning of `POLL_INTERVAL` settings
- **Redis is critical component** - monitor health in single-node setups as agent communication depends on it
- **Agent repository automated builds** coming soon for simplified deployment
### Migration Notes
#### **Upgrade Process**
1. **Create full backup** via Settings Backup & Restore before upgrading
2. **Update docker-compose.yml** to v3 structure with Redis and socket proxy components
3. **Create external network**: `docker network create cloudflare-net`
4. **Pull new image** and restart: `docker compose up -d`
5. **Review Agents page** to begin multi-host enrollment process
6. **Deploy agents** on remote hosts using generated API keys from dashboard
7. **Use restore option** in setup wizard for fresh installations
#### **Technical Requirements**
- **Minimum Docker Compose version**: 3.8
- **Redis version**: 7-alpine (included in new compose stack)
- **Socket proxy**: tecnativa/docker-socket-proxy:v0.4.1
- **Container user**: 65532:65532 (non-root execution)
- **External network**: cloudflare-net (must be created manually)
#### **Agent Deployment**
- **Agent heartbeat interval**: 30 seconds (configurable via `HEARTBEAT_INTERVAL`)
- **LED status indicators**: 15-dot strips with 2-second resolution
- **Command polling**: configurable via `POLL_INTERVAL` (default: 5 seconds)
- **Automatic tunnel management**: full lifecycle from enrollment to cleanup
## [v2.1.7] - 2025-08-30
### New
- UI: Added a version check feature to the Settings page. This allows users to verify if their running DockFlare instance is up-to-date by comparing the local Docker image digest against the official repository or by checking the latest GitHub release tag.
### Changed
- UI: Reorganized the Settings page to include a left-side sticky navigation and section anchors for improved discoverability and faster navigation.
- UI: Added smooth scrolling and adjusted anchor offset so section headings are not hidden behind the sticky top header when navigating to anchors.
- UI: Left-nav links now resolve to the Settings route with fragment identifiers (e.g. /settings#general-settings) so anchors work from any page.
- UI: Added a small client-side script that highlights the active left-nav item while scrolling (IntersectionObserver with a fallback).
- Fix: Kept all existing form names, IDs and POST endpoints unchanged to avoid breaking backend functionality.
## [v2.1.6] - 2025-08-24
### Security
- **Dependency Vulnerability:** Patched an outdated `brace-expansion` npm package (related to CVE concerning inefficient regex) by updating it to version 2.0.2.
- **Path Injection:** Hardened the `/help/<path:page>` route against path traversal attacks by implementing stricter validation using `os.path.abspath`.
- **Open Redirect:** Secured the login redirect mechanism by validating the `next` parameter to prevent redirection to external, malicious sites.
- **Information Exposure:** Prevented the leakage of sensitive exception details and stack traces in API/JSON responses across multiple endpoints (`/cloudflare-ping`, `/debug`, `/api/v2/debug-info`).
- **Insecure CI/CD Workflow:** Restricted permissions in the GitHub Actions workflow to `contents: read` to adhere to the principle of least privilege.
## [v2.1.5] - 2025-08-24
### New
- **Help Documentation:** Added a comprehensive help section to the web UI, providing users with easy access to documentation and guides.
### Fixed
- **Country Dropdown Menu:** Fixed an issue where the country dropdown menu in the Access Group modal was limited to 50 entries.
- **UI Refinements:** Made various minor refinements to the web UI for improved usability and a more polished user experience.
## [v2.1.4] - 2025-08-23
### New
- **Geo-Fencing Support:** Access Groups now support country-based blocking, allowing you to easily block traffic from specific countries (thanks @psybernoid, #183).
- **Multiple Policies per Rule:** You can now apply multiple Access Groups to a single ingress rule, both via Docker labels (`dockflare.access.groups`) and the web UI, to combine and layer policies (thanks @psybernoid, #183).
### Changed
- **UI/UX Refinement:** The Access Groups manager has been moved from the Settings page to its own dedicated "Access Policies" page in the main navigation bar for improved visibility and workflow.
- **IP-Based Access Policies:** Access Groups now fully support creating policies based on allowed IP ranges (CIDR notation), in addition to emails.
## [v2.1.3] - 2025-08-15
### New
- **Update Cloudflare Credentials:** Added a new section in the Settings page that allows users to update their Cloudflare Account ID and API Token directly from the UI.
## [v2.1.2] - 2025-08-14
### Changed
- **Unified Ingress Rule Editing:** The "Manage Policy" dropdown has been completely replaced by a unified editing modal. All rules (manual or from labels) can now be fully edited using the same comprehensive form.
- The table column for editing has been renamed from "Manage Policy" to "Manage Rule".
- The editing modal has been renamed from "Edit Manual Ingress Rule" to "Edit Ingress Rule".
- The redundant "Edit" button in the "Actions" column for manual rules has been removed to streamline the UI.
- When a rule from a container label is edited via the UI, it is now correctly marked with a "UI Override" flag, and the "Revert to Labels" functionality is preserved.
### Removed
- Removed the `ui_update_access_policy` backend route and associated frontend logic, as it was made obsolete by the new unified editing modal.
### New
- Added Favicon: The web UI now has a favicon, making it easier to spot in your browser tabs.
## [2.1.1] - 2025-08-12
### Added
* **Revamped Setup Wizard:** The initial setup wizard has been re-sequenced for a more logical flow (User -> Cloudflare -> Tunnel -> Finalize).
* **Setup Step Indicator:** A visual progress indicator has been added to all setup pages.
* **Detailed Setup Explanations:** Added clear, descriptive text to each step and field in the setup process to improve user guidance.
* **Disable Password Login:** Added a new option on the Settings page under "Security" to disable password-based login. This allows for public access to the dashboard, intended for use with an external authentication provider like Cloudflare Access.
* **Cancel Migration Option:** Added a "Start Fresh" button to the `.env` migration screen, allowing you to cancel the migration and begin a manual setup.
### Fixed
* Corrected the initial redirect for the setup process, which was pointing to a non-existent route.
* Fixed a template error that caused a crash on the final step of the setup wizard.
* Corrected the setup flow logic. When a user proceeds with a migration, they are now correctly taken to the final step after user creation, bypassing unnecessary manual configuration.
* The "Disable Password Login" setting now persists correctly after restarting the DockFlare container.
* Resolved a redirect loop (`ERR_TOO_MANY_REDIRECTS`) that occurred when password login was disabled.
### Changed
* The `/ping` endpoint is now exempt from authentication to allow for Docker health checks.
* The `/ping` endpoint now dynamically reports the application version via the config.APP_VERSION variable.
* The "Change Password" form on the settings page is now hidden when password login is disabled.
* The user creation page now provides clearer instructions depending on whether the user is in a migration or a fresh setup flow.
* Updated the security warning text related to disabling password login for better clarity.
## [v2.1.0] - 2025-08-12
This release focuses on simplifying the initial setup, enhancing security with UI authentication, and improving overall usability.
### New
- **Pre-Flight Setup Wizard:** A new browser-based setup wizard for first-time installations replaces the need for `.env` files. This guides users through configuring Cloudflare credentials and tunnel settings step-by-step.
- **UI Authentication:** The DockFlare UI is now protected by a login page.
- **Password Management:** Users can now change their UI password from a new "Security" section on the Settings page. A secure, manual process for password resets has been implemented.
- **Post-Setup Configuration:** Core settings (Tunnel Name, Zone IDs, Rule Grace Period) can now be modified directly from the UI at any time.
- **Seamless Migration:** An automatic migration process is in place for existing users to import settings from their `.env` file and create a new UI password.
### Changed
- **Logout Button:** A logout button has been added to the main navigation bar.
- **UI/UX:** The theme selector is now an icon-only button for a cleaner interface.
### Security
- **Encrypted Configuration:** All sensitive credentials, including the Cloudflare API token and UI password, are now stored in a fully encrypted `dockflare_config.dat` file.
### Removed
- **`.env` File Support:** DockFlare no longer uses `.env` files for configuration after the initial migration. All settings are managed through the UI and the encrypted configuration file.
## [v2.0.4] - 2025-08-12
This is a dedicated security hardening release that reintroduces security enhancements from a previously rolled-back version (v2.0.5). A special thanks to GitHub user **@bcurran3** and Reddit user **t2_hur2hqu6k** for their valuable feedback and for helping make DockFlare more secure.
### Security
- **CSRF Protection:** All forms in the web UI are now protected with anti-CSRF tokens to prevent Cross-Site Request Forgery attacks.
- **Strengthened Content Security Policy (CSP):** The CSP has been made more restrictive to mitigate the risk of Cross-Site Scripting (XSS) and other injection attacks.
- **Pinned Dependencies:** All Python dependencies in `requirements.txt` are now pinned to specific versions to ensure build reliability and prevent potential supply-chain attacks.
## [v2.0.1] - 2025-08-05
This is a follow-up release to address several minor bugs found after the major v2.0 update. It also restores support for Bastion mode and introduces a new backup and restore feature.
### New
- **Backup & Restore via UI:** A new "Backup & Restore" card has been added to the Settings page.
- You can now download a timestamped `state.json` backup directly from the UI.
- You can upload a `state.json` backup file to completely restore your DockFlare configuration. After a restore, DockFlare automatically reloads the state and triggers a reconciliation to bring your Cloudflare setup in sync.
### Added
- **Bastion Mode for Browser SSH/VNC:** Re-introduced and fixed support for **Bastion Mode** (`bastion`) as a service type in the manual rule creation UI. This service type is used for Cloudflare's browser-rendered SSH and VNC. Unlike other service types, it does not require an internal service address to be specified in DockFlare; it enables a secure gateway at the public hostname, which you then connect to using the `cloudflared` client on your local machine.
### Fixed
- **UI:** Fixed an issue where the DNS record toggle button (`+`) for tunnels on the Settings page was not functional after the UI reorganization.
- **State Management:** Corrected a bug where the `access_group_id` for a rule was not being saved to or loaded from the `state.json` file. This caused the "Group:" display in the UI to be empty for Docker-managed rules after a restart.
- **UI:** The "UI Override" badge and "Revert" button will no longer be displayed for manual rules, as they have no Docker labels to override or revert to.
- **Validation:** Fixed a validation error that incorrectly rejected `bastion` as a valid service type, which prevented browser-based SSH/VNC rules from being created.
## [2.0.0] - 2025-08-01
### Added
- **Access Groups:** Introduced a major new feature for centralized policy management. You can now create reusable policy templates (Access Groups) in the UI and apply them to any container or manual rule with a single `dockflare.access.group` label.
- **New "Settings" Page:** Added a dedicated page in the UI to house configuration and infrastructure details, including the new Access Groups manager, the list of all Cloudflare Tunnels, and the agent status.
- **Official Project Website:** Launched the official website at [https://dockflare.app](https://dockflare.app), which now serves as the central hub for documentation, guides, and project information.
### Changed
- **UI Overhaul:** The user interface has been significantly reorganized for a better workflow.
- The main page is now a focused **Dashboard** displaying only Managed Ingress Rules and Real-time Logs.
- A new top navigation bar has been added for easy switching between the Dashboard and Settings.
- "Add" and "Edit Manual Rule" modals now integrate seamlessly with Access Groups, allowing you to assign a group from a dropdown menu.
- **Backend Policy Management:** The entire backend logic for handling labels and access policies has been refactored to support the new Access Groups system.
- **UI Polish:**
- The logo in the header has been moved to the left, mirroring the layout of the new project website.
- Modals with a large amount of content will now scroll correctly.
### Fixed
- **Centralized Versioning:** The project version number is now managed from a single source to prevent inconsistencies across the UI.
## [1.9.5] - 2025-07-27
### Fixed
- **Agent Container Startup Resilience:** Resolved a critical issue where the managed `cloudflared` agent container would fail to start if its associated Docker network was removed and recreated. The startup logic in `tunnel_manager.py` now intelligently detects this "stale network" error, automatically removes the broken agent container, and creates a new one, significantly improving reliability in dynamic Docker environments.
## [1.9.4] - 2025-07-19
### Fixed
- **Auto-Redirect for Identity Providers:** Resolved a regression from v1.9.0 where using the `access.auto_redirect_to_identity=true` label along with `access.allowed_idps` would result in a Cloudflare API error. The `access_manager.py` module has been corrected to include the required top-level `allowed_idps` field in the API payload, restoring the auto-redirect functionality for label-based rules.
## [1.9.3] - 2025-07-19
### Fixed
- **Critical UI Fix for Access Policies:** Resolved a critical bug causing an 'Internal Server Error' when creating or editing manual rules, or updating a Docker-managed rule's policy, to use the 'Authenticate by Email' method via the web UI. This was a regression caused by recent updates to the Cloudflare Access API handling in `access_manager.py` which were not reflected in the UI routes. The routes in `app/web/routes.py` have been updated to correctly construct the Access Policy payload, resolving the `TypeError` and API validation errors.
## [1.9.2] - 2025-06-25
### Added
- **HTTP Host Header Support:** Implemented support for the new `dockflare.httpHostHeader` Docker label, allowing users to override the `Host` header sent to their origin service. This feature is also fully supported for manual ingress rules via the web UI (Add/Edit modals and display in the Managed Rules table). Applies only to HTTP/HTTPS services.
### Fixed
- **Service Validation for Docker Names:** Corrected the `is_valid_service` regex to properly allow underscores (`_`) in service hostnames (e.g., `http://my_app:80`), accommodating common Docker service naming conventions.
### Changed
- **Optional Ports for HTTP/HTTPS Services:** Modified `is_valid_service` to make the port optional for `http://` and `https://` service targets (e.g., `http://my-service` is now valid). Default ports (80 for HTTP, 443 for HTTPS) will be implicitly used by Cloudflare Tunnel if no port is specified.
## [1.9.1] - 2025-06-23
### Added
- **Prometheus Metrics Endpoint:** Added support for enabling the Prometheus metrics endpoint on the managed `cloudflared` agent via the new `CLOUDFLARED_METRICS_PORT` environment variable. The agent container will be automatically reconciled if this setting is added, changed, or removed.
## [1.9.0] - 2025-06-23
### Fixed
- **Automatic Rule Cleanup for Multi-Path Services:** Resolved a critical bug where the background cleanup task failed to process and delete expired rules for multi-path services.
- **`allowed_idps` Label Functionality:** Resolved a bug that caused Cloudflare API errors when using the `access.allowed_idps` label. DockFlare now correctly constructs Access Policy rules using the modern `login_method` keyword.
- **UI Policy Management for Multi-Path Rules:** Corrected an issue where managing Access Policies from the web UI would fail for rules that included a path.
- **Manual Rule Creation:** Fixed a bug preventing manually created rules from being correctly added to the Cloudflare Tunnel configuration.
- **UI Efficiency:** Policy updates from the UI now prevent unnecessary API calls if the configuration hasn't changed.
### Changed
- **Rewritten Rule Cleanup Logic:** The background cleanup task has been completely rewritten to be resource-aware. It now intelligently checks if a shared resource (like a DNS record or Access Application) is still in use by other active rules before deleting it. This ensures correct and stable behavior when managing complex, multi-path services.
- **Improved Cleanup Responsiveness:** The default value for `CLEANUP_INTERVAL_SECONDS` has been reduced from 300 to **60 seconds**, making the automatic deletion of expired rules more responsive and intuitive.
## [1.8.9] - 2025-06-22
### Added
- **Agent Container Reconciliation:** DockFlare now intelligently checks the managed `cloudflared-agent` container on startup. If it detects a configuration mismatch (e.g., wrong network or image version) compared to the `.env` file, it will automatically recreate the agent with the correct settings.
### Changed
- **Startup Logic:** Refactored the main application startup sequence to unconditionally trigger the new agent reconciliation logic, ensuring configuration changes from the `.env` file are always applied.
### Fixed
- **UI Policy Management for Multi-Path Rules:** Corrected an issue where managing Access Policies from the web UI would fail for rules that included a path. The UI now correctly parses the hostname and path, allowing for reliable policy updates.
- **Manual Rule Creation:** Fixed a bug where manually created rules from the UI were not being correctly added to the Cloudflare Tunnel's ingress configuration.
- **UI Efficiency:** Policy updates from the UI now check if the requested configuration already matches the live Cloudflare configuration, preventing unnecessary API calls.
## [1.8.7] - 2025-06-10
### Fixed
- **Critical Agent Startup Fix:** Resolved a bug where the managed `cloudflared` agent failed to start due to a `Provided Tunnel token is not valid` error. The token parsing logic is now more robust, handling both new JSON and legacy raw text responses from the Cloudflare API.
## [1.8.6] - 2025-06-07
### Added
- **Edit Manual Rule Functionality:** A new "Edit" button and modal now allow for direct editing of existing manual ingress rules via the web UI.
- **Intelligent Resource Management:** The backend logic for editing rules now cleanly removes old, unused Cloudflare resources (DNS records, Access Applications) and creates/updates new ones as needed.
### Changed
- **UI Code Reusability:** Refactored UI JavaScript to create a shared helper function for path input logic, reducing code duplication between the "Add" and "Edit" modals.
## [1.8.5] - 2025-05-29
### Added
- **Origin Server Name (SNI) Support:** Added support for specifying `originServerName` for an ingress rule via the `...originsrvname` Docker label and a new field in the Manual Rule UI, allowing for more granular control over TLS connections to origin services.
## [1.8.4] - 2025-05-28
### Added
- **Path-Based Routing:** Introduced the ability to define specific URL paths for ingress rules via Docker labels (`...path=/...`) and the Manual Rule UI.
- **Extended Service Type Support:** Added robust support for `tcp`, `ssh`, `rdp`, and `http_status` service types in addition to HTTP/S.
- **Direct Access Policy on Manual Rules:** The "Add Manual Rule" UI now allows for direct assignment of an Access Policy upon creation.
### Changed
- **UI/UX:** The "Add Manual Rule" modal was restructured for improved clarity, and links in the main table now correctly include the path.
- **Validation:** Implemented stricter validation for service URL formats to ensure proper configuration.
## [1.8.0] - 2025-05-27
### Changed
- **Major Codebase Refactor:** The application was restructured into a modular, package-based architecture (`app/core/`, `app/web/`) to improve maintainability and separation of concerns.
- **Externalized JavaScript:** All inline JavaScript was moved from HTML templates to a dedicated `app/static/js/main.js` file.
- **Enhanced Logging:** Added more detailed logging, including object ID tracking during critical state operations, to aid in debugging.
### Fixed
- **Threading and State Issues:** Resolved several bugs discovered during the refactor, including potential circular imports, state-saving race conditions (by implementing `threading.RLock`), and various `NameError`, `TypeError`, and `AttributeError` exceptions.
## [1.7.1] - 2025-05-22
### Fixed
- **Multi-Zone DNS Scanning:** Corrected an issue where the "All Cloudflare Tunnels on Account" view only scanned for DNS records in the primary `CF_ZONE_ID`, and now correctly respects the `TUNNEL_DNS_SCAN_ZONE_NAMES` setting.
## [1.7.0] - 2025-05-17
### Added
- **Manual Ingress Rule Management:** Introduced the ability to add, manage, and delete ingress rules for non-Docker services directly from the web UI.
### Changed
- **Authoritative Ingress Management:** The tunnel update logic now takes an authoritative stance, ensuring the Cloudflare configuration perfectly matches DockFlare's managed state by removing stale, non-DockFlare rules.
- **UI/UX:** Improved readability of status badges and localized the "Expires At" timestamp to the user's browser timezone.
### Fixed
- **Ingress Rule Deletion:** Resolved a critical bug where deleting a rule would not correctly remove the corresponding ingress rule from the Cloudflare Tunnel configuration.
## [1.6.0] - 2025-05-15
### Added
- **UI-Driven Access Policy Management:** Users can now override label-defined Access Policies directly from the web interface.
- **Persistent UI Overrides:** UI-driven policy changes are saved to `state.json` and persist across restarts.
- **"Revert to Labels" Functionality:** A new button allows users to easily revert a service's policy back to be controlled by its Docker labels.
### Changed
- **Major UI Refresh:** The entire web UI was overhauled using the DaisyUI component library for a cleaner, modern, and themeable interface.
- **Theme Selector:** Added a UI theme selector with numerous built-in themes.
## [1.4.0] - 2025-05-10
### Added
- **Account-Wide Tunnel Listing:** A new table on the status page displays all Cloudflare Tunnels on the configured account, providing a centralized overview for multi-host deployments.
- **Integrated DNS Record Viewer:** Added the ability to dynamically fetch and display all CNAME DNS records pointing to any tunnel on the account, directly from the UI.
## [1.0.0] - 2025-04-12
### Added
- **Initial Release:** Core functionality of DockFlare, providing dynamic Cloudflare Tunnel configuration based on Docker container labels.
Reference in a new issue View git blame Copy permalink