## Overview

This guide walks you through installing Flowise (an open-source visual LLM app builder) on your local Linux system using Docker and PostgreSQL. It also includes optional steps to secure public access using Cloudflare Tunnel and Cloudflare Access for Zero Trust authentication—should you later decide to host it on a public VM.

## Table of Contents

1. Prerequisites
2. Folder Structure
3. PostgreSQL Setup (Local Container)
4. Running, Stopping, and Updating Flowise
5. (Optional) Install and Configure Cloudflare Tunnel
6. (Optional) Configure Cloudflare Access Authentication
7. Test and Secure Your Setup
8. (Optional) PostgreSQL Performance Tuning for Document Store
9. Final Security Summary
10. What's Next

## 1. Prerequisites

Ensure you have the following:

- A Linux system (desktop or server) — this guide assumes Garuda Linux as the local environment
- Docker and Docker Compose installed
- Basic terminal knowledge

> If you later move this setup to a **public cloud VM**, you will also need:
> - A Cloudflare account with a domain added
> - Public IP access and SSH to the VM
> - Additional configuration using Cloudflare Tunnel and Access (see optional sections below)

---

## 2. Folder Structure

```bash
/home/sudo-samurai/Documents/projects/llm-tools/
└── flowise/
    ├── docker-compose.yml
    ├── .env
    ├── flowise-data/
    └── postgres-data/
```

---

## 3. PostgreSQL Setup (Local Container)

### Step 1: Create `.env` File

Create a `.env` file inside `flowise/`:

```ini
POSTGRES_USER=flowiseuser
POSTGRES_PASSWORD=flowisepass
POSTGRES_DB=flowisedb
```

> Note: Replace `flowisepass` with a long random password before using this setup for anything beyond a local test, and keep `.env` out of version control.

### Step 2: Docker Compose File

Create `docker-compose.yml`:

```yaml
services:
  postgres:
    image: postgres:15
    container_name: flowise-postgres
    restart: always
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}

  flowise:
    image: flowiseai/flowise:v1.4.3
    container_name: flowise-app
    # Publish on loopback only: reachable from this host, not from the network
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      # Flowise reads discrete DATABASE_* settings; DATABASE_PATH is only the SQLite location
      - DATABASE_TYPE=postgres
      - DATABASE_HOST=postgres
      - DATABASE_PORT=5432
      - DATABASE_USER=${POSTGRES_USER}
      - DATABASE_PASSWORD=${POSTGRES_PASSWORD}
      - DATABASE_NAME=${POSTGRES_DB}
    volumes:
      - ./flowise-data:/app/database
    depends_on:
      - postgres
    restart: unless-stopped
```

> Note: Port 3000 is published on `127.0.0.1` only, so Flowise is reachable from this host but is **not** exposed on any public interface. PostgreSQL publishes no ports at all.

---

## 4. Running, Stopping, and Updating Flowise

### Start Flowise:

```bash
cd /home/sudo-samurai/Documents/projects/llm-tools/flowise
docker-compose --env-file .env up -d
```

### Stop Flowise:

```bash
docker-compose down
```

### Update Flowise:

```bash
docker-compose pull flowise
docker-compose up -d
```

> ⚠️ If you also want to update PostgreSQL, run `docker-compose pull` without specifying a service.

---

## 5. (Optional) Install and Configure Cloudflare Tunnel

> 💡 This section is only needed if you're hosting Flowise on a **public VM or server** and want to secure access with Cloudflare Access.

### Step 1: Install cloudflared

```bash
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
```

### Step 2: Authenticate Cloudflare Tunnel

```bash
cloudflared login
```

- Choose your domain from the browser prompt

### Step 3: Create a Tunnel

```bash
cloudflared tunnel create flowise-tunnel
```

### Step 4: Create Tunnel Config File

Create `~/.cloudflared/config.yml`:

```yaml
tunnel: flowise-tunnel
# Use the credentials file path printed by `cloudflared tunnel create`
credentials-file: /home/youruser/.cloudflared/flowise-tunnel.json

ingress:
  - hostname: flowise.yourdomain.com
    service: http://localhost:3000
  - service: http_status:404
```

### Step 5: Run the Tunnel

```bash
cloudflared tunnel run flowise-tunnel
```

To make it persistent:

```bash
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
```

---

## 6. (Optional) Configure Cloudflare Access Authentication

### Step 1: Open Cloudflare Zero Trust Dashboard

Go to [https://dash.teams.cloudflare.com/](https://dash.teams.cloudflare.com/)

### Step 2: Add a Self-Hosted Application

- **Name**: Flowise
- **Domain**: `flowise.yourdomain.com`

### Step 3: Create an Access Policy

- Allow by email domain (e.g. `*@yourcompany.com`)
- Or allow specific emails (e.g. `[email protected]`)
- Optionally use GitHub, Google, or Email OTP

Save and deploy the application.

---

## 7. Test and Secure Your Setup

### Test Scenarios:

- ✅ `http://localhost:3000` → accessible locally by Cloudflare Tunnel
- ✅ `https://flowise.yourdomain.com` → prompts for login
- ❌ `http://public_ip:3000` → NOT accessible (port is not bound on a public interface)

### Optional: UFW Firewall

```bash
sudo ufw allow OpenSSH
sudo ufw deny 3000
sudo ufw enable
```

> Note: Docker publishes container ports through its own iptables rules, which UFW rules do not filter, so treat this rule as defence in depth. What keeps port 3000 off the network is not publishing it on a public interface in `docker-compose.yml`.

---

## 8. (Optional) PostgreSQL Performance Tuning for Document Store

If you plan to use Flowise’s Document Store (Record Manager) with the same PostgreSQL container, it's recommended to tune PostgreSQL for better performance.

### Step 1: Create a PostgreSQL Custom Config File

Create a file named `postgresql.custom.conf` in your project root (`/home/sudo-samurai/Documents/projects/llm-tools/flowise`):

```conf
# This file replaces the image's default postgresql.conf, so keep the listener
# open to the Compose network; otherwise the Flowise container cannot connect.
listen_addresses = '*'
shared_buffers = 512MB
work_mem = 16MB
effective_cache_size = 2GB
maintenance_work_mem = 128MB
max_connections = 100
wal_buffers = 16MB
default_statistics_target = 100
```

### Step 2: Modify docker-compose.yml to Mount the Custom Config

Update your `postgres` service in `docker-compose.yml`:

```yaml
  postgres:
    image: postgres:15
    container_name: flowise-postgres
    restart: always
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
      - ./postgresql.custom.conf:/etc/postgresql/postgresql.conf
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    command: ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]
```

This setup applies the tuning settings every time PostgreSQL starts.

---

## 9. Final Security Summary

| Element            | Status                                      |
|--------------------|---------------------------------------------|
| Flowise Auth       | Handled by Cloudflare Access                |
| Public IP Exposure | None (port not bound on a public interface) |
| DB Location        | Local PostgreSQL Container                  |
| Secure Tunnel      | Cloudflare Tunnel                           |
| User Identity      | Google/GitHub/Email OTP via Cloudflare      |

---

## 10. What's Next?

- Add multiple environments (staging/prod)
- Add logging/monitoring with Prometheus or Grafana
- Optionally add a frontend or wrapper to extend Flowise functionality

---

You're now running a production-ready, zero-trust secured Flowise instance using Docker, PostgreSQL, and Cloudflare Access. 🚀
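
The third test scenario in section 7 (port 3000 must not be reachable on the public IP) can be checked from the host's listening sockets rather than by probing from outside. The script below is an added example, not part of the original guide: the function names and sample lines are constructed, and it assumes Docker's default userland proxy, which makes published ports appear as host listeners in `ss` output.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Input format: `ss -Hltn` output.
# Assumption: Docker's default userland proxy, so published ports are host listeners.

# Constructed sample: Flowise published on loopback only (the intended state).
SAMPLE_PRIVATE='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: what publishing "3000:3000" on all interfaces looks like.
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 4096 [::]:3000 [::]:*'

# exposed_listeners PORT: read ss output on stdin and print each local
# address listening on PORT that is not a loopback address.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4
      n = split(la, parts, ":")
      if (parts[n] != port) next
      # Strip ":PORT" to get the address (handles IPv4, [IPv6] and "*").
      addr = substr(la, 1, length(la) - length(parts[n]) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next
      print la
    }'
}

# check_port_private PORT: return 0 if PORT has no non-loopback listener.
check_port_private() {
  exposed="$(exposed_listeners "$1")"
  if [ -n "$exposed" ]; then
    printf 'FAIL: port %s is listening on:\n%s\n' "$1" "$exposed" >&2
    return 1
  fi
  printf 'OK: port %s has no non-loopback listener\n' "$1"
}

# Demo on the constructed samples; on a real host run:
#   ss -Hltn | check_port_private 3000
printf '%s\n' "$SAMPLE_PRIVATE" | check_port_private 3000
printf '%s\n' "$SAMPLE_EXPOSED" | check_port_private 3000 || true
```

A non-zero exit makes the check usable in a deployment script or cron job that should alert when a later Compose change publishes the port on all interfaces.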