Cloudflare for SaaS on Business Plan? Real Use Case with CNAME + Workers + SSL

Website, Application, Performance Security
1

What is the name of the domain?

lightmoon.me

What is the issue you’re encountering

Is Business Plan Enough for Cloudflare for SaaS? Real Use Case with Workers + Custom Hostnames

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

Hey Cloudflare team & community :waving_hand:

I’m building a SaaS platform where my clients point their own domains — like lp.clientsite.com — to my infrastructure via CNAME to connect.lightmoon.me (my primary domain).

Here’s what I need technically:

Automatically issue SSL certificates for each client domain

Use Cloudflare proxy (orange cloud) to protect and filter traffic

Execute custom logic via Cloudflare Workers, using:

Host header

IP address

Geolocation

Query/hash parameters

Ideally use wildcard support like *.clientsite.com

Manage everything through Cloudflare API (custom hostname registration)

Can I do this with the Business plan? Or only with Enterprise?

2

As long as you only support subdomains, that should all be available on any plan.

Apex proxy would be Enterprise only.

1 Like
3

So I tried this:

My connect.lightmoon.me pointing to my worker (my worker redirecting to my main server), this is working

My client points the subdomain to my: connect.lightmoon.me
It gets: Access denied

How can I solve this?

4

Do you have a Worker Route for the client domain?

6

My application is a SAAS, where clients point their domains or subdomains to my domain via [CNAME] → “connect.lightmoon.me

In my worker I redirect to my server, the routes I added:
1 - connect.lightmoon.me/
2 - .connect.lightmoon.me/
3 - connect.lightmoon.me/*

In this case, is it necessary to make a business plan?
Is there any option I can do to not have Enterprise (as it does not apply in our initial phase)?

7

You either need to add the client domain as a custom domain to the Worker, or (better) create a Worker Route that matches all domains and then another route to exclude domains that you don#t want on the Worker.