Changing CNAME from DNS-only to Proxied, causes several problems

On one of our domains we have cname records that point to DNS targets that were generated with Herokus ACM.
All the cnames are currently with Proxy Status: dns-only. This works ok, but I get complaints that http requests are not automatically redirected to https.
So I set the ‘Always Use HTTPS’ to true in Edge certificates section.
If I now set one such cname record to proxied, it no longers directs to the heroku app. It goes to a url that I found was defined in the Page Rules section,

I don’t understand why

If the page rule matches the host name, it is applied. That’s what page rules do. If you don’t need the page rule delete. If you need different behavior modify the existing page rule or delete it.

so if proxy status is dns-only, it doesn’t look at page rules?

Any Cloudflare security or performance feature requires a record be proxied. In DNS only mode Cloudflare simply responds to a DNS request and the request goes directly to the origin


[I ran into another issue while working on this task, I thought for clarity I would open a new topic for it, but I was kindly advised by the moderators to use this existing topic.I edited the subject, since it no longer covers the content. I will leave the changing of the category labels, if any, to the moderators]

While trying to perform the same action on a different cname record on a different domain, it resulted in a HTTP/1.1 409 Conflict (see curl output below).

So it’s not that it got redirected via Page Rules to a different url, it makes the domain unavailable, as if it is down.
I looked up the error here: 4xx Client Error · Cloudflare Support docs
“Typically happens on a PUT request …” I don’t think this applies, no put requests were made. It is simply changing the Proxy Status that results in this error.

I don’t know how to investigate this, so even just a hint in the right direction would be appreciated

curl -v -L

* Trying
* Connected to ( port 80 (#0)
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.79.1
> Accept: */*

* Mark bundle as not supporting multiuse
< HTTP/1.1 409 Conflict
< Date: Fri, 16 Jun 2023 14:40:08 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 16
< Connection: close
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: same-origin
< Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Server: cloudflare
< CF-RAY: 7d83ce627fe00e84-AMS
* Closing connection 0
error code: 1001

I have some more information on this problem.
Most of our cname records are subdomains for our clients and have the format and the http requests that access them are pointing directly to this subdomain. In these cases switching to ‘Proxied’ works fine.

Some of our clients however want to use their own domain name, and have a cname record on their side that points to our cname record. fi: (customer side) that points to (our side) and our cname points to heroku.
In these cases switching to Proxied causes this ‘409 conflict’ error.

Is there anything I can do in Cloudflare to resolve this, or should I ask our customer to configure an ‘always use https’ on their side?

After some more digging, it appears that this is the problem I am running into:

Would be nice if someone can confirm this