Secure Flowise with PostgreSQL and Cloudflare Access

Overview

This guide walks you through installing Flowise (an open-source visual LLM app builder) on your local Linux system using Docker and PostgreSQL. It also includes optional steps to secure public access using Cloudflare Tunnel and Cloudflare Access for Zero Trust authentication—should you later decide to host it on a public VM.

Table of Contents

1. Prerequisites
2. Folder Structure
3. PostgreSQL Setup (Local Container)
4. Flowise Docker Compose Configuration
5. Running, Stopping, and Updating Flowise
6. (Optional) Install and Configure Cloudflare Tunnel
7. (Optional) Configure Cloudflare Access Authentication
8. Test and Secure Your Setup
9. (Optional) PostgreSQL Performance Tuning for Document Store
10. Final Security Summary
11. What’s Next

1. Prerequisites

Ensure you have the following:

• A Linux system (desktop or server) — this guide assumes Garuda Linux as the local environment
• Docker and Docker Compose installed
• Basic terminal knowledge

If you later move this setup to a public cloud VM, you will also need:

• A Cloudflare account with a domain added
• Public IP access and SSH to the VM
• Additional configuration using Cloudflare Tunnel and Access (see optional sections below)

2. Folder Structure

/home/sudo-samurai/Documents/projects/llm-tools/
└── flowise/
    ├── docker-compose.yml
    ├── .env
    ├── flowise-data/
    └── postgres-data/

3. PostgreSQL Setup (Local Container)

Step 1: Create .env File

Create a .env file inside flowise-secure/:

POSTGRES_USER=flowiseuser
POSTGRES_PASSWORD=flowisepass
POSTGRES_DB=flowisedb
DATABASE_URL=postgresql://flowiseuser:flowisepass@postgres:5432/flowisedb

Step 2: Docker Compose File

Create docker-compose.yml:

services:
  postgres:
    image: postgres:15
    container_name: flowise-postgres
    restart: always
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}

  flowise:
    image: flowiseai/flowise:v1.4.3
    container_name: flowise-app
    environment:
      - DATABASE_PATH=${DATABASE_URL}
    volumes:
      - ./flowise-data:/app/database
    depends_on:
      - postgres
    restart: unless-stopped

Note: We do not expose port 3000 to the host to keep Flowise private.

4. Running, Stopping, and Updating Flowise

Start Flowise:

cd /home/sudo-samurai/Documents/projects/llm-tools/flowise
docker-compose --env-file .env up -d

Stop Flowise:

docker-compose down

Update Flowise:

docker-compose pull flowise
docker-compose up -d

⚠️ If you also want to update PostgreSQL, run docker-compose pull without specifying a service.

5. (Optional) Install and Configure Cloudflare Tunnel

💡 This section is only needed if you’re hosting Flowise on a public VM or server and want to secure access with Cloudflare Access.

Step 1: Install cloudflared

curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

Step 2: Authenticate Cloudflare Tunnel

cloudflared login

• Choose your domain from the browser prompt

Step 3: Create a Tunnel

cloudflared tunnel create flowise-tunnel

Step 4: Create Tunnel Config File

Create ~/.cloudflared/config.yml:

tunnel: flowise-tunnel
credentials-file: /home/youruser/.cloudflared/flowise-tunnel.json

ingress:
  - hostname: flowise.yourdomain.com
    service: http://localhost:3000
  - service: http_status:404

Step 5: Run the Tunnel

cloudflared tunnel run flowise-tunnel

To make it persistent:

sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

6. (Optional) Configure Cloudflare Access Authentication

Step 1: Open Cloudflare Zero Trust Dashboard

Go to https://dash.teams.cloudflare.com/

Step 2: Add a Self-Hosted Application

• Name: Flowise
• Domain: flowise.yourdomain.com

Step 3: Create an Access Policy

• Allow by email domain (e.g. *@yourcompany.com)
• Or allow specific emails (e.g. [email protected])
• Optionally use GitHub, Google, or Email OTP

Save and deploy the application.

7. Test and Secure Your Setup

Test Scenarios:

• ✅ http://localhost:3000 → accessible locally by Cloudflare Tunnel
• ✅ https://flowise.yourdomain.com → prompts for login
• ❌ http://public_ip:3000 → NOT accessible (port is not bound)

Optional: UFW Firewall

sudo ufw allow OpenSSH
sudo ufw deny 3000
sudo ufw enable

8. (Optional) PostgreSQL Performance Tuning for Document Store

If you plan to use Flowise’s Document Store (Record Manager) with the same PostgreSQL container, it’s recommended to tune PostgreSQL for better performance.

Step 1: Create a PostgreSQL Custom Config File

Create a file named postgresql.custom.conf in your project root (/home/sudo-samurai/Documents/projects/llm-tools/flowise):

shared_buffers = 512MB
work_mem = 16MB
effective_cache_size = 2GB
maintenance_work_mem = 128MB
max_connections = 100
wal_buffers = 16MB
default_statistics_target = 100

Step 2: Modify docker-compose.yml to Mount the Custom Config

Update your postgres service in docker-compose.yml:

  postgres:
    image: postgres:15
    container_name: flowise-postgres
    restart: always
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
      - ./postgresql.custom.conf:/etc/postgresql/postgresql.conf
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    command: ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]

This setup applies the tuning settings every time PostgreSQL starts.

9. Final Security Summary

10. What’s Next?

• Add multiple environments (staging/prod)
• Add logging/monitoring with Prometheus or Grafana
• Optionally add a frontend or wrapper to extend Flowise functionality

You’re now running a production-ready, zero-trust secured Flowise instance using Docker, PostgreSQL, and Cloudflare Access. 🚀