Cloudflare for SaaS – Main CNAME Target Fails While Staging One Works

ogrupomarvin · May 11, 2025, 3:08am

What is the name of the domain?

What is the issue you’re encountering

The main SaaS CNAME Target has a valid SSL, but real traffic gets blocked (possibly due to a cross-ban), while a CNAME from an alternate domain works normally.

What steps have you taken to resolve the issue?

I kept everything exactly the same, with the same setup and characteristics, but still, the main domain only works when clients point their CNAME directly to it. When they point to a subdomain, it triggers a cross-ban or similar error. Meanwhile, on my staging domain, pointing to the subdomain works perfectly.

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

Hi everyone,

I’ve activated Cloudflare for SaaS on one of my domains (let’s call it saas-domain.com) and configured everything properly:

The Fallback Origin,

Custom Hostnames,

And the subdomain connect.saas-domain.com with proxy enabled, to be used as the official CNAME Target.

Later, I acquired a second domain (staging-domain.com) under the same Cloudflare account (intended for a staging/test environment).
There, I created a subdomain connect.staging-domain.com, also proxied, pointing to a different staging server.

Here’s the unexpected part:

When my clients point their custom domains via CNAME to connect.staging-domain.com (the staging one), SSL is issued correctly and traffic flows fine.
But when they use the correct CNAME (connect.saas-domain.com), SSL is also issued — yet traffic gets blocked by what seems to be a cross-ban or some type of security restriction, and the redirect never completes.

Questions:
Why is a subdomain from a different zone (within the same account, but not where SaaS was activated) allowed to work as a CNAME Target?

And more importantly: how can I get connect.saas-domain.com to work properly, allowing clients to point to it without triggering this security block?

Laudian · May 11, 2025, 6:21am

Where is your Fallback Origin hosted? Is it a cname to another CF account?

Can you share actual domains so I can see the error for myself?

ogrupomarvin · May 11, 2025, 12:21pm

My fallback origin is my server
Here are the real domains:

lightmoon.me (My fallback origin is my production server)

lightmoon.dev (My fallback origin is my staging server)

In each of them I have an A record pointing to its server called connect.
Example:
lightmoon.me: A connect 138.x.x.x
lightmoon.dev: A connect 153.x.x.x

The problem: Before I bought lightmoon.dev, connect.lightmoon.me worked normally. After I bought it, it stopped working, it only works if other domains point to lightmoon.me

Lightmoon.dev has the A record with connect, and if other domains point to: connect.lightmoon.dev, it works.

My big question, why does connect.lightmoon.dev work and connect.lightmoon.me doesn’t?

ogrupomarvin · May 11, 2025, 12:22pm

I replied in the message below. Can you help me please?

Laudian · May 11, 2025, 12:42pm

On which custom domain can I see the error? If you can’t share one, can you add test-me.laudian.de to the .me domain and test-dev.laudian.de to the .dev domain?

I still don’t know what the error is. Until then, I can’t really help you.

ogrupomarvin · May 11, 2025, 12:56pm

Here is a domain (I’m simulating a client of the application in production): “5 Hábitos Matinais que Estão Transformando Rotinas”/

The bva is pointed to “connect.lightmoon.me” (doesn’t work)

Here is from the test environment: “5 Hábitos Matinais que Estão Transformando Rotinas”/

stag pointed to “connect.lightmoon.dev” (works)

Laudian · May 11, 2025, 1:02pm

I get the same result for both sites, they redirect me to https://glicozin.site/white-twr. Is that what’s supposed to happen?

ogrupomarvin · May 11, 2025, 1:09pm

Yes, but here for me when accessing the site with an error it says:
ERROR for the site owner:
invalid for the site domain key

I accessed it from 2 different locations, when I didn’t get this error, it was a cross ban

Laudian · May 11, 2025, 1:10pm

Can you show a screenshot of the error you see?

ogrupomarvin · May 11, 2025, 1:19pm

I simulated with a VPN and here in Brazil it has this error and not in the US, what explains this?

Laudian · May 11, 2025, 1:22pm

That looks like it might be some security plugin on your Origin/Host. It’s definitely not a Cloudflare error.

ogrupomarvin · May 11, 2025, 1:25pm

What is very strange is that the staging server is a replica of my production server and it works normally.

ogrupomarvin · May 12, 2025, 2:06am

I noticed that any subdomain I add to lightmoon.me (A Record sending to the production server) is being sent as if it were in the lightmoon.dev zone. Do you know what I can do in this case?

I’ve already tested with a different domain and everything is fine. This only happens with lightmoon.me subdomains.

Topic		Replies	Views
Cloudflare for saas fallback domain not hitting General	1	659	September 14, 2023
Pointing an external CNAME subdomain to a cloudflare-hosted subdomain (error 1016 - origin dns error) DNS & Network	7	3468	August 25, 2019
Fix 1014 CNAME Cross-User Banned with Cloudflare for SaaS Workers	3	757	October 3, 2023
Simple Cloudflare for SaaS Setup DNS & Network	3	403	April 19, 2024
SSL for SaaS not working / incompatible with Cloudflare Tunnels Cloudflare Tunnel CloudflareTunnel	6	1598	January 27, 2023