Availability varies by Auth0 plan

Your Auth0 plan or custom agreement affects the availability of this feature. To learn more, read Auth0’s Pricing Page.
To set up Cloudflare as a reverse proxy using the recommended approach, a Cloudflare Enterprise Plan with the following features is required:
FeatureDescription
Host Header OverrideRewrite Host headers using different Cloudflare rules. To learn more, read Rewrite Host headers on Cloudflare Docs.
True-Client-IP HeaderEnabling the True-Client-IP Header adds the True-Client-IP header to all requests to your origin server, which includes the end user’s IP address. To learn more, read Understanding the True-Client-IP Header on Cloudflare Docs.

Configure Cloudflare

As a prerequisite, the parent domain for your chosen custom domain must be added and activated within the Cloudflare dashboard. Also, confirm that your desired custom domain does not already exist within your Cloudflare zone. If it already exists, Cloudflare verification will fail.
To configure Cloudflare as a reverse proxy, you’ll need to create a CNAME record, a Page Rule, and a Transform Rule in Cloudflare.
  1. Configure and verify a Custom Domain with Self-Managed Certificates if you haven’t already. Make note of the Origin Domain Name and cname-api-key values since you’ll need these later.
  2. In the Cloudflare dashboard for the target zone, create a CNAME record with the following settings:
    SettingValue
    NameThe custom domain name.
    TargetThe Origin Domain Name value recorded earlier.
    Proxy StatusProxied
  3. Create a Page Rule scoped to all URLs under the chosen custom domain and with the following settings:
    SettingValue
    Host Header OverrideThe Origin Domain Name value recorded earlier.
    True-Client-IPEnable
  4. Create a Transform Rule:
    1. Switch to the Modify Request Header view.
    2. Select Create Rule and provide a name of your choice.
    3. Under When incoming requests match, select Custom filter expression and set an expression that scopes the Rule to requests associated with the chosen custom domain. For example, use an exact match on the Hostname field.
    4. Under Modify request header, select Set static, and then set the following fields:
      FieldValue
      Header namecname-api-key
      ValueThe cname-api-key value recorded earlier.
  5. Ensure that Always Use HTTPS is enabled and encryption mode is set, at least, to Full for your chosen custom domain.
While it is possible to use Cloudflare Workers instead of Page and Transform rules to set up a reverse proxy that meets the requirements for a self-managed certificate custom domain, we recommend using the rules-based approach because it eliminates the need for custom code.

Configure Auth0

Call the Auth0 Update custom domain configuration endpoint with the following payload in the body: 
{
  "custom_client_ip_header": "true-client-ip"
}

Learn more