I saw that this is initially blocked by Cloudflare due to the policy, but also heard that there’s a way to solve this if you are on a paid plan (Pro, Business).
I just want to confirm whether that is true.
Also, what is the flow to solve the issue after I get the paid plan? Is there a UI or menu for enabling the feature? Or should I contact support to do it specifically?
This is also an important point for me, because I’m planning to configure various domains to point to my CDN domain with CNAME. The source domains will be quite random, due to my service’s requirements. Those will be our clients’ domains.
I already made a ticket too, but the bot guided me to create a community thread first with the ticket id 2395368.
The security concern that albert mentioned above is because Cloudflare will internally follow a CNAME to an IP even across domains, but to prevent leaking the origin IP from other Cloudflare accounts, this CNAME Cross-User Ban exists.
I hope that context makes sense for why the CNAME Cross-User Ban exists.
If you have the budget for Cloudflare Enterprise and/or SSL for SaaS, then go for it as albert recommended, but if not, the solution is simple: just think about the chain in which Cloudflare will follow the CNAME internally and break the process, so that requests to customerCFaccount.com will not be able to follow internally to cdn.myCFaccount.com, so you don’t get this CNAME Cross-User Ban error. Instead, the requests will go back through the front door of Cloudflare.
It will work across domains in the same account and also work for domains in your customer’s Cloudflare account to a domain on your Cloudflare account.
Just a caution with doing this in that it may or may not work into the future. I reported this as a bug to the Cloudflare Public Bug Bounty program a month ago but they have yet to respond or even acknowledge the issue. It may not be a bug but rather an inability to implement their own pricing features in practice since what I described above allows you to get some Enterprise plan features on a Free plan account.
I’ve read this a few times, and it does not make sense. Are you saying that I can send requests to Cloudflare for www.mydomain.com, and have those requests sent to the Origin server configured on another account?
If you break the chain in which Cloudflare follows the CNAME to an IP, then it won’t be directly to the IP but instead proxied through Cloudflare from a domain on one account to a domain on another account to their origin IP. It doesn’t expose the IP, but it gets around the Error 1014 CNAME Cross-User Ban policy. It doesn’t require Cloudflare Enterprise or SSL for SaaS; just a simple free account on both ends will work.