
Cloudflare

Two Cloudflare products are in use: Tunnel (traffic routing) and Access (identity/auth perimeter).

Cloudflare Tunnel

The cloudflared container holds a persistent QUIC tunnel to the Cloudflare edge. Requests for web.level147.net arrive over that tunnel and are forwarded to http://level147-net:3000 across Docker’s proxy-net network, so the origin needs no inbound port from the internet.

The tunnel config maps the public hostname web.level147.net → origin service http://level147-net:3000.

Dashboard widget: reads metrics from CLOUDFLARED_METRICS_URL (set in .env).

Cloudflare Access

Cloudflare Access acts as the network perimeter — all requests to web.level147.net must pass identity verification before reaching the app. Authentik OIDC is the identity provider.

Docs site access

docs.level147.net is deployed to Cloudflare Pages and protected by a separate Cloudflare Access application. The project’s pages.dev preview domain is disabled: Access applications are scoped by hostname, so the same content served from the pages.dev hostname would never pass through Access.

See Docs Site for the full deployment setup.

Auth flow

Because Cloudflare Access enforces identity at the perimeter, the Next.js app does not add per-route session checks on its API routes. NextAuth v5 provides the application session and user identity (session.user) inside the app. This arrangement holds only as long as level147-net:3000 is reachable solely through the tunnel: a request that reaches the origin directly (for example from another container on proxy-net, or through a published host port) never passes Access at all. Access also attaches a signed JWT to every forwarded request in the Cf-Access-Jwt-Assertion header, which the app can verify as a defence-in-depth check.

Troubleshooting 522

A 522 means the Cloudflare edge could not open a connection to the origin. With a tunnel in front of the app that is almost always one of two things: cloudflared has no live connection to the edge, or its ingress points at an origin it cannot reach.

| Symptom | Cause | Fix |
|---|---|---|
| 522 on web.level147.net | Access app scoped to wrong domain | Check Zero Trust → Applications → hostname |
| Container healthy but 522 | Tunnel ingress pointing to wrong origin | Check tunnel public hostname service URL = http://level147-net:3000 |
| Tunnel disconnected | cloudflared QUIC timeout | docker restart cloudflared |
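The "Tunnel disconnected" row and the dashboard widget that reads CLOUDFLARED_METRICS_URL both come down to the same question: does cloudflared currently hold any connection to the edge? The following is an added example, not the project’s widget code, that parses cloudflared’s Prometheus text output and turns it into a health verdict. The metric names are the ones cloudflared’s exporter publishes (cloudflared_tunnel_ha_connections and friends); the two scrape samples are constructed, and the live fetch assumes CLOUDFLARED_METRICS_URL points at the /metrics endpoint.

```javascript
// Added example (not the project's dashboard code): tunnel health from cloudflared metrics.

// Minimal parser for the Prometheus text exposition format. Returns
// [{name, labels, value}] and skips "# HELP" / "# TYPE" comment lines.
function parsePrometheusText(text) {
  const samples = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^([A-Za-z_:][A-Za-z0-9_:]*)(\{([^}]*)\})?\s+(\S+)/);
    if (!m) continue; // ignore malformed lines rather than failing the whole widget
    const labels = {};
    if (m[3]) {
      for (const pair of m[3].match(/[A-Za-z_][A-Za-z0-9_]*="(?:[^"\\]|\\.)*"/g) ?? []) {
        const eq = pair.indexOf('=');
        labels[pair.slice(0, eq)] = pair.slice(eq + 2, -1); // strip the quotes around the value
      }
    }
    samples.push({ name: m[1], labels, value: Number(m[4]) });
  }
  return samples;
}

function sum(samples, name) {
  return samples.filter((s) => s.name === name).reduce((a, s) => a + s.value, 0);
}

// Health verdict the widget can render. cloudflared keeps several redundant
// ("HA") connections to the edge; zero means the process is up but has no
// path to Cloudflare, which is exactly the "Tunnel disconnected" case.
function tunnelHealth(metricsText) {
  const samples = parsePrometheusText(metricsText);
  const connections = sum(samples, 'cloudflared_tunnel_ha_connections');
  const requests = sum(samples, 'cloudflared_tunnel_total_requests');
  const errors = sum(samples, 'cloudflared_tunnel_request_errors');
  const locations = samples
    .filter((s) => s.name === 'cloudflared_tunnel_server_locations')
    .map((s) => s.labels.edge_location);
  return {
    status: connections > 0 ? 'connected' : 'disconnected',
    connections,
    originErrorRate: requests > 0 ? errors / requests : 0, // share of proxied requests the origin failed
    edgeLocations: [...new Set(locations)],
  };
}

// Live version for the widget. CLOUDFLARED_METRICS_URL is assumed to be the
// full /metrics URL (see the .env note above).
async function fetchTunnelHealth(url = process.env.CLOUDFLARED_METRICS_URL) {
  if (!url) throw new Error('CLOUDFLARED_METRICS_URL is not set');
  const res = await fetch(url);
  if (!res.ok) throw new Error(`metrics endpoint returned ${res.status}`);
  return tunnelHealth(await res.text());
}

// Constructed sample scrape: a healthy tunnel with four edge connections.
const SAMPLE_CONNECTED = `
# HELP cloudflared_tunnel_ha_connections Number of active ha connections
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 4
# TYPE cloudflared_tunnel_total_requests counter
cloudflared_tunnel_total_requests 1200
# TYPE cloudflared_tunnel_request_errors counter
cloudflared_tunnel_request_errors 6
cloudflared_tunnel_server_locations{connection_id="0",edge_location="ams01"} 1
cloudflared_tunnel_server_locations{connection_id="1",edge_location="fra03"} 1
`;

// Constructed sample: the container is healthy but cloudflared has lost the edge.
const SAMPLE_DISCONNECTED = `
cloudflared_tunnel_ha_connections 0
cloudflared_tunnel_total_requests 1200
cloudflared_tunnel_request_errors 6
`;

console.log(tunnelHealth(SAMPLE_CONNECTED));
console.log(tunnelHealth(SAMPLE_DISCONNECTED));
```

For a one-shot check from the shell, the same listener also serves /ready, which answers 200 only while at least one edge connection is up, so a 503 there confirms the row above before you restart the container.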

Full incident diagnosis steps: Incident Response.