TLDR: Why don’t SaaS domains use the proxied (orange cloud) domain and access the original directly instead?
SaaS Setup
We have a domain such as example.com.
- Create an A record (fallback.example.com) pointing to a cloud hosted backend with the proxy (orange cloud) enabled.
- Configure Cloudflare workers to intercept and enhance the fallback.example.com traffic.
- Configure a SaaS record (SSL/TLS > Custom Hostnames) where the fallback origin points to fallback.example.com.
- Configure a SaaS record with a custom hostname for app.customer123.com.
- For the customer123.com domain, set up a CNAME DNS record that points to fallback.example.com (DNS Only – grey cloud).
Access Issue
If you visit fallback.example.com, the response is valid and includes the modifications from the worker.
If you visit app.customer123.com (with DNS pointing to fallback.example.com) then you only get the response from the origin / backend (the worker doesn’t intercept it).
Another fun fact. If fallback.example.com has an A record that points to any internal IP address such as 192.0.2.1, the correct website is served via the worker when visiting fallback.example.com. However, if you visit app.customer123.com, which has a CNAME that points to fallback.example.com, then you get a timeout and DNS error.
How can we use custom SaaS domains and still leverage the benefits of the orange proxied cloud?