I just spent a couple of hours trying to set up a new Cloudflare Worker deployment available through an orange-cloud A record, which goes through the Worker which then requests another resource internally (so a subrequest) that’s exposed using a non-Cloudflare (gray cloud) CNAME record pointing to AWS ELB. The top-level request itself never directly connects to the origin, only through an internal worker subrequest fetch.
When set up, I ended up with cryptic 521 responses to any request made through the worker. When using the CNAME record that bypasses Cloudflare’s network completely, it worked without any problems.
After some desperate attempts to tweak settings left and right I changed the encryption mode in the SSL/TLS settings of the Cloudflare Dashboard from Off to Full since I only want to access TLS endpoints of my backend anyway. That solved the problem.
While the solution seems to do its job now, I don’t quite understand the connection between worker subrequests (which could be made to any endpoint), requested CNAMEs which aren’t going through Cloudflare and the TLS encryption mode.
It seems like the problem itself occurs between the worker subrequest to the HTTPS-only AWS ELB endpoint.