[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72588":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":47,"readmeContent":48,"aiSummary":49,"trendingCount":16,"starSnapshotCount":16,"syncStatus":50,"lastSyncTime":51,"discoverSource":52},72588,"DockFlare","ChrispyBacon-dev\u002FDockFlare","ChrispyBacon-dev","DockFlare: Automate Cloudflare Tunnels with Docker Labels","https:\u002F\u002Fdockflare.app",null,"Python",2181,90,6,10,0,14,45,94,42,107.28,"Other",false,"stable",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46],"api-integration","automation","cloudflare","cloudflare-access","cloudflare-dns","cloudflare-tunnel","cloudflared","dns","docker","docker-labels","flask","homelab","ingress-controller","network-automation","networking","python","reverse-proxy","security","selfhosted","zero-trust","2026-06-12 04:01:06","\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fdockflare.app\" title=\"Now you're thinking with tunnels\">\n    \u003Cpicture>\n      \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"images\u002Flogo-files\u002Flogo-dark.svg\">\n      \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"images\u002Flogo-files\u002Flogo-light.svg\">\n      \u003Cimg src=\"images\u002Flogo-files\u002Flogo-light.svg\" width=\"500px\" alt=\"DockFlare Logo\" \u002F>\n    \u003C\u002Fpicture>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Ch1 align=\"center\">Automate Cloudflare Tunnels with Docker Labels\u003C\u002Fh1>\n\n\u003Cp 
align=\"center\">\n  \u003Cem>Go from container to publicly-secured URL in seconds. No manual Cloudflare dashboard configuration required.\u003C\u002Fem>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FChrispyBacon-dev\u002FDockFlare\u002Fstargazers\">\n  \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002FChrispyBacon-dev\u002FDockFlare?style=for-the-badge\" alt=\"Stars\">\n\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FChrispyBacon-dev\u002FDockFlare\u002Freleases\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FRelease-v3.1.2-blue.svg?style=for-the-badge\" alt=\"Release\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fhub.docker.com\u002Fr\u002Falplat\u002Fdockflare\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Falplat\u002Fdockflare?style=for-the-badge\" alt=\"Docker Pulls\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fwww.python.org\u002F\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FMade%20with-Python-1f425f.svg?style=for-the-badge\" alt=\"Python\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FChrispyBacon-dev\u002FDockFlare\u002Fblob\u002Fmain\u002FLICENSE.MD\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-GPL--3.0-blue.svg?style=for-the-badge\" alt=\"License\">\u003C\u002Fa>\n  \u003Ca href=\"#\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSwiss_Made-FFFFFF?style=for-the-badge&labelColor=FF0000&logo=data:image\u002Fsvg%2bxml;base64,PHN2ZyB2ZXJzaW9uPSIxIiB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDMyIDMyIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxyZWN0IHdpZHRoPSIzMiIgaGVpZHRoPSIzMiIgZmlsbD0idHJhbnNwYXJlbnQiLz4KICA8cGF0aCBkPSJtMTMgNmg2djdoN3Y2aC03djdoLTZ2LTdoLTd2LTZoN3oiIGZpbGw9IiNmZmYiLz4KPC9zdmc+\" alt=\"Swiss Made\">\u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Ca 
href=\"https:\u002F\u002Fdockflare.app\">Website\u003C\u002Fa> ·\n  \u003Ca href=\"https:\u002F\u002Fdockflare.app\u002Fdocs\">Documentation\u003C\u002Fa> ·\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FChrispyBacon-dev\u002FDockFlare\u002Fissues\">Report a Bug\u003C\u002Fa> ·\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsponsors\u002FChrispyBacon-dev\">Sponsor\u003C\u002Fa>\n\u003C\u002Fp>\n\n---\n\n## Introduction\n\nDockFlare is a self-hosted ingress and access-control plane for Cloudflare Tunnel environments. It continuously translates your desired state into Cloudflare configuration by combining Docker labels, manual rules from the web UI, and optional remote agents.\n\nIt was built to remove repetitive dashboard work from fast-changing self-hosted environments. Instead of manually updating DNS records, tunnel ingress rules, and Access applications, you define intent once and DockFlare reconciles it.\n\nThe result is a set-it-and-forget-it workflow with a fully localized native experience: less operational drift, more reliable service exposure, and one place to manage routing and access decisions.\n\n## Core Capabilities\n\n- **Automatic service discovery** from Docker labels.\n- **Sovereign Email Suite**: A fully self-hosted email system using Cloudflare Email Routing as a stateless delivery layer with local data sovereignty.\n- **Multi-Domain Email Support**: Manage inbound and outbound email for an unlimited number of domains simultaneously.\n- **PWA-Ready Webmail**: Modern, installable Vue 3 webmail client with offline support and desktop\u002Fmobile push notifications.\n- **Automated Infrastructure Provisioning**: One-click setup for Cloudflare Workers, R2 buckets, and Email Routing.\n- **Advanced DNS & DKIM Management**: Automatic zone-aware record placement with authoritative DKIM key handling.\n- **Native Multi-Language Support** (13 languages) for the Web UI and Help Center.\n- **Manual Ingress Rule Management** for non-Docker 
workloads.\n- **Cloudflare Tunnel Ingress Orchestration**, including advanced origin options.\n- **Access Group & Reusable Policy Management** with application assignment.\n- **Cloudflare Access Application Lifecycle Management**.\n- **Multi-Host Operation** through a master and lightweight agents.\n- **Secure Agent Communication** via Cloudflare Zero Trust service tokens.\n- **Backup & Restore** of encrypted configuration, runtime state, and email data.\n\n## Architecture Overview\n\nDetailed architecture guide: [https:\u002F\u002Fdockflare.app\u002Farchitecture](https:\u002F\u002Fdockflare.app\u002Farchitecture)\n\n| Component | Purpose |\n| --- | --- |\n| DockFlare Master | Web UI, encrypted config\u002Fstate, reconciliation, Cloudflare API orchestration |\n| DockFlare Mail Manager | Sovereign email backend, SQLite storage, R2 integration, and webhook handling |\n| DockFlare Webmail | PWA-ready mail client with push notification support |\n| Redis | Shared cache, coordination, and pub\u002Fsub signaling |\n| DockFlare Agent | Remote host watcher and command executor for distributed deployments |\n| cloudflared | Tunnel connector runtime managed per deployment mode |\n| Cloudflare API | Source of truth for Tunnel, DNS, Email, and Access resources |\n\n### Reconciliation Flow\n\n1. DockFlare collects desired state from labels, manual rules, and agent-reported containers.\n2. It computes deltas against persisted state and Cloudflare state.\n3. It applies updates for ingress, DNS, and Access resources.\n4. It updates local runtime state and keeps `cloudflared` aligned.\n\n## Getting Started\n\n### One-Liner Install\n\n```bash\nbash \u003C(curl -fsSL https:\u002F\u002Fdockflare.app\u002Finstall.sh)\n```\n\nThe script will guide you through:\n1. Choosing an install directory (default: `~\u002Fdockflare\u002F`).\n2. Choosing a local UI port (default: `5000`).\n3. Optionally configuring a Cloudflare Tunnel for DockFlare itself.\n4. 
Optionally enabling the Email profile (dockflare-mail-manager + dockflare-webmail).\n\nFor full setup documentation, use the project docs site:\n\n- [Quick Start Guide](https:\u002F\u002Fdockflare.app\u002Fdocs)\n- [Container Label Reference](https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fcontainer-labels)\n- [Advanced DNS and Zone Management](https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fmanaging-dns-zones)\n- [Multi-Server Agent Setup](https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fmulti-server-agent)\n\n### Prerequisites\n\n- Docker and Docker Compose.\n- A Redis instance (the quick-start stack below includes one).\n- A Cloudflare account.\n- Cloudflare Account ID.\n- Cloudflare Zone ID for your primary domain.\n- Cloudflare API token with these permissions:\n    * `Account:Cloudflare Tunnel:Write`\n    * `Account:Account Settings:Read`\n    * `Account:Access: Apps and Policies:Write`\n    * `Account:Access: Organizations, Identity Providers, and Groups:Write`\n    * `Account:Access: Service Tokens:Write`\n    * `Zone:Zone:Read`\n    * `Zone:DNS:Write`\n\n    **For optional DockFlare Email features, add these additional permissions:**\n    * `Workers Scripts:Write`\n    * `Workers KV Storage:Write`\n    * `Workers R2 Storage:Write`\n    * `Email Routing Addresses:Write`\n    * `Email Routing Rules:Write`\n\n\n![Cloudflare API Permissions](images\u002Fcf.png)\n\n\u003Cdetails>\n\u003Csummary>Quick Start Docker Compose\u003C\u002Fsummary>\n\nBefore first launch, create the shared network once:\n\n```bash\ndocker network create cloudflare-net\n```\n\n1. 
Create `docker-compose.yml`:\n\n```yaml\nservices:\n  docker-socket-proxy:\n    image: tecnativa\u002Fdocker-socket-proxy:v0.4.1\n    container_name: docker-socket-proxy\n    restart: unless-stopped\n    logging:\n      driver: \"none\"\n    environment:\n      - DOCKER_HOST=unix:\u002F\u002F\u002Fvar\u002Frun\u002Fdocker.sock\n      - CONTAINERS=1\n      - EVENTS=1\n      - NETWORKS=1\n      - IMAGES=1\n      - POST=1\n      - PING=1\n      - INFO=1\n      - EXEC=1\n    volumes:\n      - \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock\n    networks:\n      - dockflare-internal\n\n  dockflare-init:\n    image: alpine:3.20\n    command: [\"sh\", \"-c\", \"chown -R ${DOCKFLARE_UID:-65532}:${DOCKFLARE_GID:-65532} \u002Fapp\u002Fdata\"]\n    volumes:\n      - dockflare_data:\u002Fapp\u002Fdata\n    networks:\n      - dockflare-internal\n    restart: \"no\"\n\n  dockflare:\n    image: alplat\u002Fdockflare:stable\n    container_name: dockflare\n    restart: unless-stopped\n    ports:\n      - \"5000:5000\" # Optional: comment out once exposed via Cloudflare Tunnel with an Access Policy to restrict access to tunnel-only\n    #labels: # -- Cloudflare Tunnel Configuration (via DockFlare) OPTIONAL --\n      # Main DockFlare with access policy\n      #- dockflare.enable=true\n      #- dockflare.hostname=dockflare.TLD  # replace with your domain\n      #- dockflare.service=http:\u002F\u002Fdockflare:5000\n      #- dockflare.access.group=YOUR-ACCESS-GROUP-ID  # your custom access policy\n      # -- OAuth Callback Path (Bypass Access Policy) OPTIONAL --\n      # Required if using OAuth authentication with access policies on main interface\n      #- dockflare.0.hostname=dockflare.example.tld\n      #- dockflare.0.path=\u002Fauth\u002Fgoogle\u002Fcallback\n      #- dockflare.0.service=http:\u002F\u002Fdockflare:5000\n      #- dockflare.0.access.group=public-default-bypass\n\n      # Add additional callback paths for other OAuth providers as needed\n      # 
- dockflare.1.hostname=dockflare.example.com\n      # - dockflare.1.path=\u002Fauth\u002Fgithub\u002Fcallback\n      # - dockflare.1.service=http:\u002F\u002Fdockflare:5000\n      # - dockflare.1.access.group=public-default-bypass\n    volumes:\n      - dockflare_data:\u002Fapp\u002Fdata\n    environment:\n      - REDIS_URL=redis:\u002F\u002Fredis:6379\u002F0\n      - REDIS_DB_INDEX=0\n      - DOCKER_HOST=tcp:\u002F\u002Fdocker-socket-proxy:2375\n    depends_on:\n      docker-socket-proxy:\n        condition: service_started\n      dockflare-init:\n        condition: service_completed_successfully\n      redis:\n        condition: service_started\n    networks:\n      - cloudflare-net\n      - dockflare-internal\n\n  redis:\n    image: redis:7-alpine\n    container_name: dockflare-redis\n    restart: unless-stopped\n    command: [\"redis-server\", \"--save\", \"\", \"--appendonly\", \"no\"]\n    logging:\n      driver: \"none\"\n    volumes:\n      - dockflare_redis:\u002Fdata\n    networks:\n      - dockflare-internal\n\n  dockflare-mail-manager:\n    image: alplat\u002Fdockflare-mail-manager:stable\n    container_name: dockflare-mail-manager\n    restart: unless-stopped\n    profiles: [\"email\"]\n    environment:\n      - DOCKFLARE_MASTER_URL=http:\u002F\u002Fdockflare:5000\n      - MAIL_DATA_PATH=\u002Fdata\n    volumes:\n      - mail_data:\u002Fdata\n    depends_on:\n      dockflare:\n        condition: service_started\n    networks:\n      - cloudflare-net\n      - dockflare-internal\n\n  dockflare-webmail:\n    image: alplat\u002Fdockflare-webmail:stable\n    container_name: dockflare-webmail\n    restart: unless-stopped\n    profiles: [\"email\"]\n    environment:\n      - DOCKFLARE_MASTER_URL=https:\u002F\u002Fdockflare.TLD  # replace with your domain\n    labels:\n      - dockflare.enable=true\n      - dockflare.hostname=mail.dockflare.TLD  # replace with your domain\n      - dockflare.service=http:\u002F\u002Fdockflare-webmail:80\n    depends_on:\n      
dockflare-mail-manager:\n        condition: service_started\n    networks:\n      - cloudflare-net\n      - dockflare-internal\n\nvolumes:\n  dockflare_data:\n  dockflare_redis:\n  mail_data:\n\nnetworks:\n  cloudflare-net:\n    name: cloudflare-net\n    external: true\n  dockflare-internal:\n    name: dockflare-internal\n```\n\n2. Start DockFlare:\n\n```bash\ndocker compose up -d\n```\n\nThe Email Suite is an optional, opt-in feature and will not start by default. To include email services, add the `email` profile:\n\n```bash\ndocker compose --profile email up -d\n```\n\nEmail setup and provisioning guide: [Email Overview](https:\u002F\u002Fgithub.com\u002FChrispyBacon-dev\u002FDockFlare\u002Fblob\u002Fstable\u002Fdockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002Fen\u002FEmail-Overview.md)\n\n3. Open `http:\u002F\u002Fyour-server-ip:5000` and complete the setup wizard.\n\nIf you are migrating from older environment-based setups, DockFlare can import existing values during onboarding.\n\n\u003C\u002Fdetails>\n\n## Configuration Modes\n\n### Docker Label Mode\n\nUse container labels to declare hostname, service target, and access behavior. DockFlare observes lifecycle events and reconciles records and ingress rules automatically.\n\nDetailed label reference: [https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fcontainer-labels](https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fcontainer-labels)\n\n### Manual Rule Mode\n\nCreate and edit routes directly in the UI for static hosts, VMs, appliances, or external services. Manual rules support HTTP\u002FHTTPS advanced origin options and are persisted in DockFlare state.\n\n### Hybrid Mode\n\nUse labels for most workloads while managing exceptions in UI. DockFlare merges both sources into one reconciliation model.\n\n### Agent Mode (Multi-Server)\n\nRun a central master with agents on remote Docker hosts. 
Agents stream host-local container events and execute commands while the master owns policy and Cloudflare configuration decisions.\n\nMulti-agent setup guide: [https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fmulti-server-agent](https:\u002F\u002Fdockflare.app\u002Fdocs\u002Fmulti-server-agent)\n\n## Access Control Model\n\nDockFlare uses Access Groups as the primary abstraction for reusable access intent.\n\n- One Access Group can be attached to multiple services.\n- Groups sync to reusable Cloudflare Access policies.\n- Services map to Access applications using consistent naming and update logic.\n- Public and authenticated patterns are supported through policy decisions.\n- Zone-level defaults can be used to protect wildcard domains and reduce accidental exposure.\n\nFor one-off services, individual `dockflare.access.*` labels are still supported.\n\n## Example Labels\n\n```yaml\nservices:\n  picoshare:\n    image: mtlynch\u002Fpicoshare\n    labels:\n      - \"dockflare.enable=true\"\n      - \"dockflare.hostname=files.example.com\"\n      - \"dockflare.service=http:\u002F\u002Fpicoshare:8080\"\n      - \"dockflare.access.group=nas-family\"\n```\n\n```yaml\nservices:\n  internal-tool:\n    image: nginx:latest\n    labels:\n      - \"dockflare.enable=true\"\n      - \"dockflare.hostname=tool.example.com\"\n      - \"dockflare.service=http:\u002F\u002Finternal-tool:80\"\n      - \"dockflare.access.policy=authenticate\"\n      - \"dockflare.access.email=admin@example.com,@example.com\"\n```\n\n## Reliability and Drift Management\n\n- DockFlare reconciliation is designed to be idempotent.\n- Runtime and configuration state are persisted in encrypted files.\n- Manual rule options are preserved and re-applied across restarts.\n- Optional unmanaged-ingress-field preservation can keep Cloudflare-side values that DockFlare does not explicitly model.\n- Backup and restore enable rapid recovery of full control-plane state.\n\n## Security Model\n\n- Supports web 
authentication with local credentials and OAuth providers.\n- Uses scoped Cloudflare API tokens.\n- Encourages Docker socket proxy for least-privilege Docker API exposure.\n- Runs containers as non-root (`UID\u002FGID 65532`) in the reference setup.\n- Supports agent API key lifecycle controls and enrollment flow.\n- Optional Cloudflare Zero Trust service token authentication for all agent traffic, removing the need for a private network or VPN between master and agents.\n\n## Operations and Day-2 Tasks\n\nCommon workflows handled in UI:\n\n- Add, edit, and remove manual routes.\n- Assign or change Access Groups on services.\n- View service status and reconciliation state.\n- Rotate or revoke agent API keys.\n- Trigger agent tunnel actions.\n- Export and restore backups.\n\n## Troubleshooting Pointers\n\n- Verify Cloudflare token scopes first when API calls fail.\n- Confirm domain-to-zone mapping when records do not appear.\n- Validate service URL format (`http:\u002F\u002F` or `https:\u002F\u002F`) for manual rules.\n- Check agent heartbeat and enrollment status for remote hosts.\n- Confirm Docker socket proxy permissions if container discovery fails.\n\nAdditional troubleshooting references:\n\n- [Common Issues](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FCommon-Issues.md)\n- [Container Labels](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FContainer-Labels.md)\n- [Multi-Server Agent](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FMulti-Server-Agent.md)\n\n## Development\n\n- Build and run locally:\n\n```bash\ndocker compose build --no-cache\ndocker compose up -d\n```\n\n- Basic health checks:\n\n```bash\ncurl http:\u002F\u002Flocalhost:5000\u002Fping\ncurl http:\u002F\u002Flocalhost:5000\u002Fapi\u002Fv2\u002Foverview\n```\n\n## Documentation Map\n\n*(Available in 8 languages directly within the DockFlare UI or online)*\n\n- Product docs: [https:\u002F\u002Fdockflare.app\u002Fdocs](https:\u002F\u002Fdockflare.app\u002Fdocs)\n- Source docs in 
repository:\n  - [Multi-Server Agent Guide](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FMulti-Server-Agent.md)\n  - [Using the Web UI](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FUsing-the-Web-UI.md)\n  - [Managing DNS Zones](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FManaging-DNS-Zones.md)\n  - [Identity Providers](dockflare\u002Fapp\u002Ftemplates\u002Fdocs\u002FIdentity-Providers.md)\n\n## Changelog\n\nRelease notes are maintained in [CHANGELOG.md](CHANGELOG.md).\n","DockFlare is a tool for automating Cloudflare Tunnel configuration through Docker labels. Its core features include automatic service discovery, DNS management, tunnel ingress rule setup, and Access application configuration, with no manual work in the Cloudflare dashboard. It is written in Python, uses the Flask framework for its web service, and supports zero-trust network architecture. It suits scenarios where containerized applications are updated or scaled frequently and a simpler network configuration workflow is wanted, such as home labs and self-hosted small-business environments.",2,"2026-06-11 03:42:42","high_star"]