diff --git a/docs/JENKINS.md b/docs/JENKINS.md
index 5d3a68d..01540a3 100644
--- a/docs/JENKINS.md
+++ b/docs/JENKINS.md
@@ -66,16 +66,17 @@ Set `DOCKER_GID` on the Jenkins Coolify service to the host docker group GID (`s
 Docker image layers are often **>100MB**. If `git.aexoradao.com` is behind **Cloudflare proxy** (orange cloud), uploads fail with `413`.
-**Fix (recommended for same-host Jenkins):** Jenkins container `extra_hosts`:
+**Why Jenkins `extra_hosts` alone is not enough:** with `/var/run/docker.sock` mounted, **`docker push` runs on the host dockerd**, which uses the **host's** DNS/`/etc/hosts`, not the Jenkins container's.
-```yaml
-extra_hosts:
- - 'git.aexoradao.com:host-gateway'
+**Fix applied in CI:** `jenkins-registry-bypass.sh` adds on the **Coolify host**:
+
+```text
+127.0.0.1 git.aexoradao.com
 ```
-Pushes then go to **local Traefik** (Let's Encrypt on origin), not Cloudflare.
+(via a one-shot `docker run --network host` container). Pushes then go to **local Traefik**, not Cloudflare.
-**Alternative:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or use Docker Hub as `REGISTRY_IMAGE`.
+**Manual fallback:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or add the same line to the host `/etc/hosts` yourself.
 ### Registry push 401/403
diff --git a/scripts/ci/jenkins-push-image.sh b/scripts/ci/jenkins-push-image.sh
index 4ad0bff..966e32a 100755
--- a/scripts/ci/jenkins-push-image.sh
+++ b/scripts/ci/jenkins-push-image.sh
@@ -14,14 +14,15 @@ if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
 exit 1
 fi
-# Ephemeral docker config — do not persist registry password in workspace
+bash scripts/ci/jenkins-registry-bypass.sh
+
 PUSH_DOCKER_CONFIG="$(mktemp -d)"
 trap 'rm -rf "$PUSH_DOCKER_CONFIG"' EXIT
 export DOCKER_CONFIG="$PUSH_DOCKER_CONFIG"
 echo "$REGISTRY_PASSWORD" | $DOCKER login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
-echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG} (large layers need Cloudflare bypass — Jenkins extra_hosts git.aexoradao.com:host-gateway)"
+echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG}"
 $DOCKER push "${REGISTRY_IMAGE}:${IMAGE_TAG}"
 $DOCKER push "${REGISTRY_IMAGE}:main"
diff --git a/scripts/ci/jenkins-registry-bypass.sh b/scripts/ci/jenkins-registry-bypass.sh
new file mode 100755
index 0000000..3867182
--- /dev/null
+++ b/scripts/ci/jenkins-registry-bypass.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Registry uploads use the HOST dockerd (docker.sock), not the Jenkins container network.
+# Map git.aexoradao.com -> 127.0.0.1 on the HOST so pushes hit local Traefik, not Cloudflare.
+set -euo pipefail
+
+REGISTRY_HOST="${REGISTRY_HOST:-git.aexoradao.com}"
+REGISTRY_BYPASS_IP="${REGISTRY_BYPASS_IP:-127.0.0.1}"
+
+# shellcheck source=/dev/null
+source .ci-bin/ci-env.sh
+
+echo "Ensuring host /etc/hosts maps ${REGISTRY_BYPASS_IP} -> ${REGISTRY_HOST}"
+$DOCKER run --rm --network host alpine:3.20 sh -c \
+  "grep -qE '[[:space:]]${REGISTRY_HOST}([[:space:]]|$)' /etc/hosts || echo '${REGISTRY_BYPASS_IP} ${REGISTRY_HOST}' >> /etc/hosts; grep '${REGISTRY_HOST}' /etc/hosts"
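Review bot: The removed comment `# Ephemeral docker config — do not persist registry password in workspace` was the only explanation of why `PUSH_DOCKER_CONFIG` is a `mktemp -d` directory with an `EXIT` trap, and the new `bash scripts/ci/jenkins-registry-bypass.sh` line replaces it instead of sitting beside it; keep the comment directly above `PUSH_DOCKER_CONFIG="$(mktemp -d)"` so the next maintainer does not "simplify" the temp config away and leave the registry credential in the workspace. A one-line why-comment above the new call would also help, e.g. `# Host-side DNS override so the host dockerd push bypasses Cloudflare (see docs/JENKINS.md)`. The script's header (shebang and `set` options) is outside this hunk, so whether a failure of the bypass script aborts the push cannot be confirmed here.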
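Review bot: The `$DOCKER run --rm --network host ... >> /etc/hosts` line does not, as far as I can tell from Docker's host-networking behaviour, modify the host's `/etc/hosts`: for `--network host` Docker still gives the container its own generated hosts file (seeded with a copy of the host's), so the append lands in that per-container copy and the trailing `grep '${REGISTRY_HOST}' /etc/hosts` then reports success while the host dockerd's name resolution is unchanged. If the intent is really to edit the host file, bind-mount it explicitly and operate on the mount instead of relying on `--network host`, i.e. replace `--network host` with `-v /etc/hosts:/host/etc/hosts` and change the three `/etc/hosts` paths inside the `sh -c` string to `/host/etc/hosts`; please verify on the Coolify host that the line persists after the container exits. Separately, `REGISTRY_HOST` and `REGISTRY_BYPASS_IP` are spliced verbatim into the `sh -c` command string, so a stray quote or `;` in either value rewrites the command that runs with host-level write access — a cheap guard before the run such as `[[ "$REGISTRY_BYPASS_IP" =~ ^[0-9.]+$ && "$REGISTRY_HOST" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` keeps a misconfigured value from doing anything but failing. Note that the docs hunk in this same commit describes the `--network host` mechanism and would need the same correction.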